By David Hoffman, Associate General Counsel and Global Privacy Officer
Technological advancements in health IT have created tremendous possibility for improved efficiency and better interoperability, empowering patients to play a more dynamic role in their healthcare. Increased access to data that can predict health outcomes, and more effective analytical capabilities including artificial intelligence, create tremendous potential to solve some of society’s most vexing health problems. However, this same access to data and increased analytical ability demonstrate the need for robust privacy and security controls. Gaining the value of these technology advances, while still protecting privacy/security is a challenge that needs increased attention.
For that reason, the Future of Privacy Forum’s health data policy expert Carson Martinez and several partners worked with the Triangle Privacy Research Hub to organize a recent two-day symposium focused on Refining Privacy to Improve Health Outcomes. The assembled experts tackled key issues in the health IT space, like the secondary use of health data, big data and drug development, and standardization and interoperability. I opened the symposium with a talk focused on how the future of technology will allow artificial intelligence to make use of data to help solve significant societal issues, including providing for better clinical healthcare and health research.
I encourage everyone to view the video from the event. There are many policy recommendations worthy of further study and action, and Intel is working to support those efforts. Some of those recommendations include:
- Encourage better interoperability between patient Electronic Health Records (EHRs). Centers for Medicare and Medicaid Services Administrator, Seema Verma, recently announced several new initiatives for allowing patients to control their own healthcare data. One component of those initiatives is the desire to promote interoperability between health care record systems. The symposium offered specific recommendations to focus that work. Transitioning between the care of different health care providers and searching for clinical trials in which to participate should be more effective. The current system makes the transfer or sharing of EHRs and other pertinent health and patient data difficult. Each health system and provider has its own system of logging and maintaining EHRs, which creates complications when patients want their records used for research purposes or need to transfer their records, especially for an urgent health matter. The current model is not conducive to obtaining important health data quickly: it does not properly encourage the aggregation of data for more effective creation of artificial intelligence tools to aid the efficiency of care and promote more effective health research. Three recommendations from the symposium to help solve this problem were:
- The government should pursue incentives for EHR systems, and the implementations by different providers and payers, to allow for access to a more diverse and greater volume of data.
- Increasingly, data does not need to move to allow for this interoperability. The use of encryption can allow artificial intelligence tools to analyze data in a federated network of encrypted databases.
- Alice Borrelli, former Global Director of Health Policy at Intel, recommended that the government should use its convening power to bring together the different EHR vendors to encourage the creation of a centralized patient access portal.
- Provide Better Guidance for Institutional Review Boards (IRBs). The value of traditional health data decreases as the quality of non-traditional health data increases. In our increasingly digital world, apps and devices like Fitbits are constantly collecting valuable logs of health data from millions of people. Rather than going to the doctor to determine information about your heart rate and blood pressure, an app can measure this information on an ongoing basis, often providing increasingly accurate and granular datasets. Consumer-facing companies are producing healthcare data equivalent to that of medical practitioners but there are historical and practical barriers for researchers to maximize the impact from this data. Kathryn Marchesini, the recently announced Chief Privacy Officer at the Office of the National Coordinator for Health Information Technology, described how HIPAA does allow for the aggregation of traditional and non-traditional data for research purposes. However, many IRBs default to requiring patient consent, due to a lack of comfort with risk-based reviews to determine whether the clinical care data can be combined with this non-traditional data and then used for healthcare research. The federal government could provide more guidance and tools to IRBs to simplify the process for gaining access, so they do not default to requiring patient consent.
- Encourage Implementation of NISTs Cyber Security Framework by Health Care Providers. Information security is often cited as a reason to not allow access to health data. Entities that store health care data need more detailed guidance on how they can allow for use of the data by artificial intelligence tools, while still providing robust security. The NIST Framework provides a method to better encourage the right analysis. Many sectors of the economy have implemented NIST’s voluntary risk management structure. It has been referred to as the “Rosetta Stone of information security,” and creates a structure to assess risk to better understand how to Identify, Protect, Detect, Respond and Recover. The Framework provides the ability for individual sectors to create their own profiles on how to best manage cybersecurity risk in that particular industry. The health sector was one of the last targeted industries to create a profile, and Health and Human Services has now collaborated with the Department of Homeland Security to create an implementation guide. The guide will help health care organizations prioritize what focus areas will best protect data, while still allowing for the innovative use of data. Government should now look to create incentives to encourage individual healthcare companies to use the guidance, profile, and underlying Framework to understand how best to improve data security while also promoting effective use of that data. Ari Schwartz, the Executive Director of the Center for Cybersecurity Policy and Law, recommended that the government could focus on encouraging health care data management companies to use their vendor contracts as a mechanism to promote use of the Framework.
- Modify Payment Structures to Optimize for Investment in Health Data Availability. Historically, economic incentives encouraged health care providers to minimize access to the data from the clinical care of their patients. This focus on minimizing access also reduces the extent to which the data can be effectively used by artificial intelligence tools. More analysis is necessary on how individual doctors can be paid to architect their systems to allow for the federated access to data for better patient care and research. Duke University School of Law Professor Barak Richman further recommended that government should take an active role in redesigning how government payments are restructured to modify the current payment model beyond just payment for individualized patient care, and instead should encourage greater investment in the innovative use of data.
As the health IT space continues to evolve, these types of policy considerations are needed to enable the benefits using artificial intelligence tools in the healthcare sector, while protecting consumers and their data from misuse.
Symposium participants included: representatives and executives from The Future of Privacy Forum, the Center for Democracy and Technology, the Center for Law Ethics and Applied Research in Health Information, Intel Corporation, Duke and the University of North Carolina Law Schools, QuintilesIMS and the Center for Cybersecurity Policy and Law, among others.