Be aware of data mining risks

August 4, 2014

When aggregating analytics, compliance considerations must be taken into account

Use of data analytics holds great promise to inform stakeholders of the quality and cost of a patient’s treatment. As a result, healthcare organizations and vendors are rapidly implementing data analytics engines to reduce cost of care and improve patient outcomes. However, legalities could significantly impede expanded implementation of population health measures. 

Stakeholders must develop mechanisms for obtaining appropriate data rights and safeguard all sensitive information received. Legal issues surrounding de-identification, aggregation and security of stored data must be addressed when pursuing these population health tools.

Under the Health Insurance Portability and Accountability Act (HIPAA), de-identified data is no longer considered protected health information and may be used for purposes of statistics-based research. However, the act of data de-identification is considered a “use” of protected health information, which must be accounted for in business associate agreements if a vendor performs the de-identification. Entities should ensure the business associate protections are in place prior to providing data to a vendor to de-identify.

Additionally, there are specific circumstances under which data aggregation may be performed on identifiable health information. For example, researchers may receive data subject to a business associate agreement if the research is part of healthcare operations, defined broadly to include “population-based activities relating to or improving health or reducing healthcare costs.” Therefore, entities must be explicitly authorized to do so under the agreement. Integrating all of the separate data streams in a HIPAA-compliant way is crucial to these efforts.


Evolution of data acquisition

Data acquisition methods are changing quickly, and so are the legal issues associated with data collection, storage and use. In the past, data collection involved obtaining information directly from patients after receiving consent.

With the shift to electronic medical records (EMR) and the proliferation of online data repositories such as social media, additional data are accessible for study. Some data are taken from sources outside the perimeters of HIPAA. With these types of data, stakeholders must understand the limitations on collection and use, and whether consent is required. Several states have passed online privacy laws limiting the ability of website operators to disclose certain identifiable information and generally requiring adherence to a privacy policy.

As data analytics become more robust and rich, vulnerability to hackers may increase. Stakeholders must take precautions to ensure the security of information, even if the data obtained are not subject to HIPAA.

Federal Trade Commission regulations have placed an affirmative duty on personal health record vendors to notify individuals in the event of a breach. Furthermore, state privacy and security laws often contain stringent definitions of protected information that can bring non-HIPAA entities under their jurisdiction. Healthcare entities should consider putting in place business associate agreements with vendors to ensure confidentiality of the information shared.

The ascendancy of data analytics is promising but includes important compliance considerations. Ensuring that information is de-identified and aggregated in compliance with HIPAA is critical to avoiding inadvertent disclosures of protected information.

Adam Solander and Evan Nagler are associates in Epstein Becker Green’s Health Care and Life Sciences practice.