Channel: HealthITSecurity.com » HIE Security

Patient privacy, consent considerations for health big data


BOSTON – Healthcare organizations are undoubtedly moving toward using large data sets to learn more about patients and become more efficient in patient care. Many are part of health information exchanges (HIEs) or accountable care organizations (ACOs) as part of their big data efforts and predictive analytics work. But maximizing the privacy and security of these massive volumes of patient data as organizations try to extract value from it can be both challenging and convoluted.

At the Institute for Health Technology Transformation (iHT2) Health IT Summit in Boston today, an expert panel shared its big data experiences as well as how it sees the industry using the data in the future. Micky Tripathi, PhD, President and CEO of the Massachusetts eHealth Collaborative (MAeHC), spoke about how there are some gray areas with regard to consent from a state policy and payer perspective.

States such as Massachusetts, Rhode Island and New Hampshire, for example, all have their own separate state policies that vary and affect health information exchange. From a data warehousing perspective, MAeHC uses the HIEs as conduits, and Tripathi said that there really are no privacy or consent issues because his organization is essentially acting as a data agent or business associate (BA) for the organization that sent them the data.

However, Tripathi mentioned that there may be some potential confusion in the future related to consent and healthcare payer claims. He’s on the Massachusetts All-Payer Claims Database (APCD) release committee, which Tripathi says was meant to provide perspective to the commissioner as they release data from the all payer claims database. APCD is attempting to write a [consent] regulation, terms under which claims data would be released to providers by organizations that want that claims data for ACO-types of organizations.

It’s a big conversation now as to whether consent is required to APCD data. You start to think “Wait a minute, they get the data directly from Blue Cross, they don’t need consent because it’s their own claims data.” But because it’s going through the state government infrastructure, the APCD, now they have to get consent to get that same data. Are they going to even pursue that? No, why would they? So you start to run into these things as we run through this thicket. It is complicated; every stone you lift up, there will be more and more issues underneath it.

Regulating security in an ACO

Chuck Podesta, SVP and CIO of Fletcher Allen Health Care, on the other hand, raised an interesting point about the interactions between large and small organizations that are part of an ACO. For example, a primary care physician (PCP) office may be using patient lists sent by a larger organization in the ACO to contact (diabetic, for example) patients. They could be telling them to come in that day because, based on the bigger organization’s analytics, if it doesn’t get them into the office, they could soon end up in the large organization’s emergency department.

Those lists are protected health information (PHI) and you’re going to be providing it to the PCPs and their staffs every day. That data is coming from a lot of different parts of the ACO and a lot of those parts aren’t necessarily under your umbrella, they’re not employed or owned by your system. So how much security can you force on them? You can do a lot of education, but from a tools perspective, they’re very costly. Do you go in and audit a three-person doctor’s office? That part is going to be tricky. We really haven’t figured out as part of that membership whether all members would be subject to a security audit. If you do, who pays for it? And if you find issues with technology, policies or procedures, who fixes that? And I worry about the ongoing education of the small, rural practice staff as well.

Tripathi and Podesta discussed two separate issues that are both crucial going forward when looking at healthcare big data privacy and security. Hashing out patient consent for data that runs through an organization such as the APCD will not be an easy task, and it will take time to figure out what’s best for all the stakeholders involved. And Podesta’s points are even more fundamental as more organizations connect and share data. Responsibility for privacy and patient consent is a huge consideration for ACOs as they build these enormous data sets.

