In the first quarter of 2022, my personal life converged with my professional life on the subject of health data use and privacy. My new role at a healthcare IT company required research and a better understanding of the pressures and pulls between privacy and interoperability, between what is legal and what is ethical, as well as considering the costs of protecting patient privacy from both the HIT provider and the physician perspective. At the same time, I was offered the opportunity to participate in a clinical trial as a patient, which allowed me to experience the use of my own health data and conversations about privacy. Below are four highlights about data use and privacy that I found impactful.
How does data protection translate into real-world patient experience?
I was nearing the end of my visit with a team of subspecialists, all of whom were new to me, when the attending physician asked me to participate in a clinical trial he was currently conducting. The perfect time to apply what I’ve learned about using data properly! I already understand that, at a high level, the protection of health data is provided by the Health Insurance Portability and Accountability Act (HIPAA) as well as by the US Department of Health and Human Services General Rule (45 C.F.R.) and Substance Use Privacy (42 CFR), which hold organizations and individuals in the healthcare ecosystem accountable for the privacy and security of patient data, particularly data that can identify a specific patient.
I also understand that while these protections may appear extensive, they may lead to an overestimation of the expected level of privacy, given that some sources of health data, types of data, and the businesses involved are not required to comply with the regulations. With this in mind, I was pleased to hear the attending physician go to great lengths to explain the purpose of the study, how my data would and would not be used and shared, and who would potentially benefit. Living in my health IT world, I interpreted this to apply primarily to the data relating to me in the EHR, but through the discussion with the doctor I learned how the privacy and security of my images and lab samples would also be protected.
What data is not protected?
I was impressed with the research team’s consent process, and after a flurry of paperwork signings, I was enrolled in the clinical trial! Although I felt comfortable sharing my health information and participating in the clinical trial after the thorough consent process I experienced, I was curious to explore the other side of the equation to learn more about what data was not protected or protected well.
I learned that examples of data that is not protected are data from health apps and purchase history. In these cases, the user’s consent to share data may or may not be solicited, readily apparent or understandable. De-identified data, meaning data that cannot be linked to an individual patient, is also not protected and can be sold and used without consent if appropriate business agreements are in place. Enlarging the requirements around data de-identification, whether through Safe Harbor or third-party certification, has put my mind at ease from both a patient and healthcare IT perspective.
What data sharing protections exist today?
Seemingly at odds with the need to protect patient privacy are the new requirements under the 21st Century Cures Act to share identifiable patient data for treatment, payment and healthcare operations and to prevent information blocking. Protections exist for data sharing between organizations in the form of data use agreements. For patients, data sharing is an all-or-nothing proposition where they choose to opt-in or opt-out of having their data shared based on government regulations.
Interestingly, in my health IT world, there is a big focus on having appropriate data agreements in place, understanding data privacy and security regulations, and properly de-identifying data. This is in direct contrast to my usual experience as a patient, where I sign a form once a year providing consent for my data to be shared when I register for my annual wellness visit. This again contrasts with my experience in clinical trials, which aligned more with my health IT world. In fact, the research assistant not only managed all the consents and communication, but also accompanied me to my appointments and lab reviews to make sure my samples were being processed correctly and that I would not be charged for the testing.
What’s on the horizon for sensitive data management?
The idea that a patient should have the ability to flag data they consider sensitive and do not want to share is gaining momentum. The benefits of this include patient control over their data, defining what they consider sensitive in the context of their lives, and greater trust in data sharing. Disadvantages include the complexity and cost of building and managing data tagging. For me, this is on my watch list to learn more about how this will work for patients and whether we will see increased data sharing as a result.
As a physician working in health IT, I know that access to patient data from the patient and from other points of care is of tremendous value in clinical decision making and directly affects patients. I also understand that sharing data makes medical research possible, which may include volunteering for clinical trials like mine, where patients can help improve the diagnosis and treatment of others like themselves. As a patient, I value healthcare organizations and companies that treat my health data with respect and consider improvements in data privacy and security.