The healthcare industry – and that means everyone: vendors, providers, payers, policymakers, patients – finds itself at an interesting crossroads these days when it comes to data sharing.
First, there’s more imperative to share healthcare information than ever. Federal health IT policy has made wider interoperability its highest goal, and prioritized consumer-mediated exchange, via mobile devices and APIs, as one of the key means of achieving it.
On the other hand, there’s also increasing awareness and appetite on the part of consumers for more stringent privacy protections. Especially as big consumer tech companies (some of whom have gained notoriety for less than exemplary track records on the topic) continue their push into healthcare, the issue of data privacy has become all the more salient.
On Sept. 18, during a presentation at Health 2.0 in Santa Clara, California, Deven McGraw and Vince Kuraitis will discuss what they refer to as the Goldilocks Health Data Dilemma – that is, the challenge of finding a paradigm that strikes the “just right” balance between data sharing and privacy protections.
McGraw, general counsel and chief regulatory officer for consumer health tech startup Ciitizen, previously served in the federal government as deputy director of health information privacy at the HHS Office for Civil Rights and as acting chief privacy officer at ONC.
Kuraitis is a longtime health IT thought leader whose consultancy, Better Health Technologies, helps clients in the public and private sector chart strategies, create partnerships and build new business models with a focus on platforms and network effects.
At Health 2.0, they’ll explore ways the competing goals of wider data sharing and stronger privacy protections can be finessed – detailing a raft of new and proposed federal state privacy laws, discussing ethical questions around patient-generated data, exploring emerging health data business models and more.
The “Goldilocks” conundrum – which McGraw and Kuraitis have also been exploring in-depth in an ongoing series of posts at The Health Care Blog – is one that’s calling out for a solution, and soon. Healthcare IT News spoke with them recently about how they see it emerging.
‘It’s all coming to a head right now’
Of course, “the yin-yang approach to privacy and data use has been around for as long as we’ve had privacy law,” said McGraw. “But it has become more salient now, I think for a couple of reasons.”
First, consider the headlines, for instance, “around what Facebook did with Cambridge Analytica, and their response to that – as well as other alleged privacy related privacy violations,” she said. “There’s been a lot more in the news about big companies and how they do or do not protect individuals’ privacy, and yet these are companies that want to go big in the healthcare space.”
On the other hand, there’s been the big push toward interoperability, gaining momentum over the past decade. “We are going to be connecting healthcare providers much easily through APIs, and also sharing data with patients through APIs,” said McGraw. “Data is going to be more open and more liquid. And in the health data space, that is deeply concerning to a lot of people.”
Add to this another complication: a wide array of new rules and legislation here and abroad. There’s CMS and ONC’s voluminous proposed rules on interoperability, data blocking and patient access. There’s Europe’s General Data Protection Regulation, or GDPR, and the similar California Consumer Privacy Act, which is set to take effect on Jan. 1, 2020. In a blog post, McGraw and Kuraitis spotlight several other pending federal privacy bills you may not have even heard of.
“All this really is fomenting in 2019,” said Kuraitis. “It’s all coming to a head right now. The underlying dynamics have shifted significantly.”
So how will this needle be threaded? How will a balance be struck between the imperatives of data sharing and the needs of patient privacy?
“You can’t resolve this without some sort of legislative activity,” said McGraw.
Interestingly, however, that’s a prospect many tech giants may be starting to welcome.
“What’s changed here is that you now see even the large tech companies saying, ‘Give us regulations,'” said Kuraitis. “They have fears of a lack of harmonization of guidelines and regulations, at an international level with what’s going on in Europe, and they’re also fearful of 50 states adopting for 50 different sets of privacy laws, which would make their life hell.
“So whereas a couple of years ago there really wasn’t a lot of consensus that we need to do something, today there is a lot of consensus that we need to do something,” he added. “Now the issue is defining what that something is. And that’s going to happen in the next couple of years. It’s just too big an issue on the privacy side to leave it as it is.”
Congress will eventually act, said McGraw. “But I don’t think they’ll act in a timely way. They really should be having much more urgency. I think it may take a few more states enacting laws before they really can get to consensus on some of the bigger issues that are probably hanging them up.”
Moreover, she notes that while some technology companies may be saying they want clearer privacy law, “what they want is pretty weak tea. And with the Democrats controlling one of the houses, they’re not going to pass weak tea. They want something stronger. They want something that includes a private right of action, ideally, or authorities to state attorneys general to act.”
Another big issue is that the federal regulatory agencies are facing their own set of challenges.
“The FTC is overburdened,” said McGraw. “They need some boosted person power and, probably, authority to be more to be more successful at being the privacy cop on the block for the sectors that are not covered by HIPAA or the educational privacy law, FERPA, or Gramm-Leach Bliley on the financial services side. It’s an enormous sector that is uncovered.”
How does HIPAA fit in?
Speaking of HIPAA, it adds another interesting wrinkle to this whole debate. First enacted nearly a quarter-century ago, well before the digital revolution we find ourselves in today, the law has served the healthcare space relatively well from a privacy perspective – but with so much else changing, perhaps it’s due for some changes of its own?
“The EHR vendors are covered by HIPAA,” said McGraw. “They’re business associates. So they’ve been used to having regulation. And all the entities that are required to comply with HIPAA frankly want the parties who they might be competing with in other marketplaces to be covered by HIPAA, or something equally as strong.”
Or else, she said, they want to be exempted from any new potential privacy rules.
“There are some proponents of new legislation but only (to correct) the imbalance that exists in the market today,” she explained. “They’ve got HIPAA, they know how to comply with HIPAA, the HIPAA entities want to be carved out of anything new.
“There are a lot of folks calling for a revision of HIPAA, and many other people saying we have to get out of the business of regulating just one sector at a time and go with more of a GDPR strategy, where the data is covered by the same set of rules regardless of who holds it,” she added.
“HIPAA does provide some protections,” said Kuraitis. “There’s also a lot of critiques around what HIPAA doesn’t do. One of the biggest examples is this issue around the identification of data, and what HIPAA requires is the de-identification. But then once data is de-identified it moves out into the wild west and it can be reused and matched with other data. And so the protections weaken quite a bit.”
Another complication is that lots of the most valuable health-related data is non-clinical social or economic information that isn’t covered by HIPAA in the first place.
“It’s becoming increasingly well understood that data outside of HIPAA has tremendous implications around understanding people’s health and healthcare,” he said. “We quoted a McKinsey statistic in one of our recent articles that said when you look at how much data is out there that’s related to your health, that’s not likely to be protected by HIPAA, they say it’s more than 2,700 times more data.
“A USC researcher even took that to another level when she said all data is health data,” he added. “You can make inferences from location data, from credit card usage, from anything that may not be traditionally looked down as health data but does have a lot of inferences that can be made about people’s health. It’s just another example where I think this issue is really quite broad. And not easily able to be put into a pigeonhole.”
These are big questions, and will take some sorting out from many different stakeholders with many different ideas about how to balance them all. But can the issue ever be solved to the satisfaction of all?
“No way,” said McGraw with a laugh. “It will not be to the satisfaction of all. It will be the Goldilocks solution that will likely leave privacy advocates saying they didn’t get enough, and business saying they’re being regulated too much. And when you see that happening, you’ve probably found the right spot.”