Data Use and Privacy Perspective: Keeping You Safe

Summary 

Learn how to identify and develop a plan to mitigate the risks associated with the use of de-identified healthcare data.

Perspective | Tim Suther

Senior Vice President, Data Solution at Change Healthcare

Data use and privacy are priority topics for consumers, businesses, regulators, and consumer watchdog groups. While the use of deidentified healthcare data can provide compelling benefits (such as improved outcomes and reduced cost), its use does not come without some risk. It is critical to identify those risks and develop a plan to mitigate them.

Risks

To better understand and act on risk, let us first examine what the major risks are, then explore levers to mitigate them.

Privacy

Healthcare data is regulated by a complex and evolving web of federal, state, and international privacy laws.

HIPAA, HITECH, CCPA, CPRA, GLBA, GDPR, and other laws regulate the privacy of healthcare information. The enforcement of these laws can entail civil and criminal action. For example, failure to comply with HIPAA can lead to fines of up to $50,000 per violation and up to ten years in prison.1,2 As of December 2, 2020, there were 686 active HIPAA investigations (see https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf for a current list).

In addition to federal laws, states have privacy laws that add complexity. California has perhaps the most comprehensive law—the California Consumer Privacy Act. The California Attorney General can impose penalties of $2,500-$7,500 per record for violations.3 The next generation of California’s consumer privacy law, the California Privacy Rights Act, was recently approved by California voters and includes additional restrictions on the use of data, including its combination with third-party data.4 Lastly, GDPR sets the world’s privacy agenda and ultimately may have more significant implications on healthcare privacy around the globe, including in the US.5

Making matters more challenging, keeping data de-identified can be especially difficult.6 The widespread availability of demographic, credit card, and location data, even if de-identified, makes maintaining privacy compliance particularly challenging. Even when an expert determination has been made that healthcare data has been thoroughly de-identified, comingling or collocating that data with other consumer attributes may introduce the risk of re-identification.7 A proper expert determination should incorporate all data and be continuously monitored.

Security

Healthcare data is often designated as sensitive data subject to more stringent protections than other personally identifiable information.

Data breaches, particularly if exposed data is capable of being re-identified, can subject data users to significant financial and criminal penalties as noted above.

Additionally, healthcare data can be an attractive target for criminal activity. A CISA/FBI/HHS joint cybersecurity task force recently highlighted increased ransomware activity targeted at healthcare data which is known to have impacted dozens of healthcare facilities.8

Confidentiality

Beyond privacy, protection of other parties’ confidential information is essential.

While privacy laws protect patients and consumers, contractual obligations protect confidentiality. Confidential information can include data about a provider’s volume, cost, volume, and quality. Confidential information can include information about a payer’s network coverage or the specific reimbursement policies between payers and providers.9

Misuse of this information can give rise to FTC action.10 In 2019, the FTC awarded $143.76 million in civil penalties and imposed a $5 billion fine on Facebook.11 In 2019, enforcement actions for violations by healthcare and healthcare-associated organizations alone amounted to nearly half, or 46%, of the total enforcement actions taken by the agency.12

Third-Party Licenses

Copyrighted content is commonly embedded in healthcare data, meaning licenses are required for use of those materials.

For example, use of Current Procedural Terminology (CPT) codes requires a license from the American Medical Association as this is copyrighted material.13

Reputation Risk

There are also reputation risks that may damage an organization’s perceived trustworthiness in the marketplace.14

For example, the notoriety surrounding Cambridge Analytica has shaped Facebook’s perceived trustworthiness for years. Lancet, the oldest peer reviewed medical journal, suffered reputation damage from a poorly conceived (and potentially fraudulent) Hydroxychloroquine study that was later retracted.15,16 The bottom line: while your use might be lawful and contractually permitted, you still run the risk of the perception of misuse.

The bottom line: while your use might be lawful and contractually permitted, you still run the risk of the perception of misuse.

Supplier Risk

All these factors present risks to your ongoing ability to access and use de-identified data. The time and resources required to ingest, analyze, and act upon de-identified data are significant. Disruption to the flow of data could result in serious financial consequences and damage your customer commitments and the underlying relationships.

Accordingly, it is critical to ensure that your source of data has an effective risk mitigation program. Let us look at the levers to mitigate those risks.

Risk Mitigation

Change Healthcare helps its customers mitigate risk using a governance model that ensures evolving risks are effectively identified and incorporated. Change Healthcare recently was recognized as Best Compliance & Ethics Program (small to mid-cap), and Compliance Department of the Year.17 Let’s review how Change Healthcare helps its customers mitigate risk. This governance model is supported by a multi-million dollar per year investment that ensures evolving risks are effectively identified and incorporated.

Principles of Use:

An effective governance program starts with principles of permitted use. Change Healthcare only allows use when it helps inspire a better healthcare system, which includes, but are not limited to the following applications:

  • Improving population health
  • Improving patient outcomes
  • Helping ensure care is convenient and matched to community needs
  • Influencing healthy behavior and empower patients/ consumers to manage/optimize their health
  • Promoting research
  • Allowing for the assessment of outcomes and safety
  • Helping benchmark and improve efficiency and increase value by lowering overall costs
  • Filling care gaps
  • Helping compare costs and experiences for needed care
  • Helping improve capital efficiency and effectiveness
  • Promoting greater healthcare equity and access

We protect against adverse impact. For example, we do not allow uses that deny health insurance. We never sell data, but rather license only for clear and specific restricted use. We impose rigorous standards on our vendors and subcontractors for data, including a licensee-specific certification, security standards, insurance, and audit rights to ensure compliance. Many of these protections have immediate termination rights for unauthorized use.

We adhere to the treatment, payment, healthcare operations (TPO), and associated minimum necessary obligations specified under HIPAA. For example, we do not allow models to be trained on PHI for secondary use.

Privacy Protections:

Change Healthcare data is de-identified using the expert opinion methodology.18 Some of those requirements include:

  • All patient related elements identified by HIPAA are removed
  • All free form text fields are removed
  • Year of birth for patients above age 89 is removed
  • Rare or newsworthy diagnoses/procedures are removed (i.e. “shark bite on right arm” may be covered in the local newspaper)
  • Certain places of service are removed (prisons, homeless shelter, place of employment, etc.)
  • A patients zip3 may be only provided if the zip3 population exceeds 20,00019

We typically require customer-specific certification. A contractual representation not to re-identify is not enough. It is simply too easy to acquire other consumer attributes and inadvertently create an unacceptable risk of re-identification. We negotiate robust audit rights with our customers to ensure ongoing adherence. That audit right can be an effective control you use as part of your own compliance program.

Change Healthcare monitors updates and additions to both federal and state laws that impact the use of data. As of October 2020, there were at least seven privacy bills in U.S. Congress and over 40 in state governments.

Our patent-pending Data Science as a Service (DSaaS) environment offers “always on” protections to help ensure privacy and security adherence. Under Data Services as a Solution (DsaaS), every query and output are monitored to help ensure each use is compliant. This is an offering unique to Change Healthcare.

Confidentiality Protections:

We require explicit written permission from covered entities to de-identify and license data we process on their behalf, and we allow use of de-identified data only when compatible with customer authorization.

Deidentified data may never be used for anticompetitive purposes. Where appropriate, we may require measures about covered entities to be segmented to enable informed healthcare decision making yet protect the interests of the underlying subjects of the data.

DSaaS offers “always on” confidentiality protections to help our data customers maintain high standards for their use of data. Additionally, each DSaaS environment is established uniquely and solely for the customer accessing that store of data. No other customer has access to your DsaaS instance. And we reserve the right to audit use and compliance to help ensure ongoing adherence.

Security Protections

  • We require our licensees have in place up-to-date security protections, including:
    • Data must be encrypted at rest and in transit
    • Data recipients need to have physical facility security in place
    • Data recipients need to have server and workstation security in place
    • Data recipients need to have password management and account access protections in place
    • Access to data is secured using two-factor authentications
    • Data recipients need to have HIPAA privacy and security policies in place
    • Data recipients need to have data privacy and security incident reporting and response policies in place
    • Data recipients need to have risk assessment and risk management protocols in place
  • Our DSaaS environment has built-in “security-bydesign” protections
  • Similar to protections of confidentiality, we reserve the ability to audit use and compliance to help ensure ongoing adherence

Safe Data Use—A Checklist

Help mitigate your risk circumstances:

  • Ensure your use is compliant with privacy, confidentiality, and security regulations.
  • Avoid uses with adverse impact.
  • Ensure that your partner has an active program to monitor the evolving laws regulating the use of healthcare data.
  • Ensure your receipt of data is certified by expert determination methodology for your unique environment. Simply promising not to re-identify is insufficient.
  • Ensure any algorithms you license have been trained on appropriately permissioned de-identified data. Models trained on PHI, without having secondary use permission, represent a serious compliance risk.
  • Ensure all appropriate third-party licenses (for example, the AMA) are in place.

This document highlights numerous diverse risks associated with the use of de-identified healthcare data. Fortunately, research indicates that an effective governance program can be very effective in ensuring de-identified data remains de-identified.20

1. https://www.truevault.com/resources/compliance/how-much-do-hipaa-violations-cost
2. 42 U.S.C. § 1320d–6.
3. https://www.ecwise.com/en/ccpa-uncapped-fines-and-new-data-privacy-rights-preparing-is-essential/
4. https://www.natlawreview.com/article/it-s-finally-final-wait-there-s-more-fall-2020-california-privacy-update
5. https://gdpr.eu/
6. https://dataprivacylab.org/projects/identifiability/paper1.pdf
7. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
8. https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware _Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
9. https://www.hugheshubbard.com/news/avoiding-antitrust-pitfalls-during-pre-merger-negotiations-and-due-diligence#:~:text=The%20FTC%20guidance%20describes%20%22competitively,%2Daggregate%20customer%2Dspecific%20information
10. https://www.ftc.gov/news-events/press-releases/2020/02/ftc-releases-2019-privacy-data-security-update
11. https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions
12. https://www.ftc.gov/reports/annual-highlights-2019
13. https://www.ama-assn.org/practice-management/cpt/ama-cpt-licensing-overview
14. https://www.corporatecomplianceinsights.com/wp-content/uploads/2017/11/Understanding-Reputation-Risk-.pdf
15. https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(20)31180-6/fulltext
16. https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(20)31324-6/fulltext
17. https://www.businesswire.com/news/home/20201217005214/en/
18. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
19. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#zip
20. https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0028071