State and federal regulations, health information breaches, create a minefield of issues
The use of big data continues to be explored with enthusiasm across all facets of the healthcare ecosystem, with much of the discussion surrounding new technologies and their potential impact on healthcare stakeholders’ bottom lines. However, with several high-profile data system breach reports, as well as a recent Supreme Court decision highlighting the complexity surrounding the management of health information, understanding the legal and compliance considerations in the current environment is imperative.
Kim“Big data” is a term used to describe large volumes of information, whether structured or unstructured, generated on an everyday basis. It is not the amount of data that is significant, however; rather, it is what healthcare entities (managed care plans, providers, government agencies, etc.) decide to do with it. Big data can be mined for insights that lead to informed decision-making, leading to cost savings and better outcomes, whether the metric is performance-based or financial.
The amount of information being generated is substantial, yet the full potential of such data remains untapped. Current trends regarding the use of such data include evidence-based decision-making, a move toward outcome-based reimbursement, and the use of predictive analytics.
However, in the midst of the big data storm, legal experts continue to debate how data should be collected and used. For example, Gobeille vs. Liberty Mutual Insurance Company, just decided by the Supreme Court, answered the question of whether the Employee Retirement Income Security Act (ERISA) preempts Vermont's healthcare database law as applied to the third-party administrator (TPA) for a self-funded ERISA plan (the short answer: it does).
While the decision ultimately was about the scope of ERISA preemption, of greater interest is its impact on the management of big data sources maintained by health plans. The case also brought to light increasingly complex questions regarding the interplay of federal and state laws regarding the control of health information. Of note, Justice Breyer suggested that the Departments of Labor or Health and Human Services be the ones to develop uniform rules to procure data in a simpler way.
Nuances in other issues of data ownership and analytic use are highlighted when healthcare entities further consider similar circumstances; “ownership” analysis differs significantly for insurers dealing with member data versus insurers dealing with data they receive as TPAs.
Adding yet another layer of complexity is the potential for misuse, as evidenced by the fact that three of the largest historical healthcare data breaches were reported in 2015.
The amount of data being collected and maintained by healthcare organizations will continue to grow, as will the number of individuals seeking to gain access to the same increasingly valuable information.
The value of big data in healthcare is becoming even more apparent as numerous sophisticated analytical tools are developed. However, it is important to keep tabs on the legal and compliance conversation that surrounds the use of such data. While still in flux, privacy and security concerns (counterbalanced against the transparency and collaboration interests of all parties) will continue to be crucial to understand and overcome.
Basil H. Kim is an associate in the Health Care and Life Sciences practice, in the New York office of Epstein Becker Green. He concentrates on the areas of managed care, healthcare law, and transactional/regulatory matters.