The healthcare industry’s focus on patient centricity—its emphasis on healthcare consumers, patients and caregivers as the primary health decision-makers—has meant that researchers working on behalf of the industry are looking for patient insights through a variety of channels, from providers, from patients themselves and from biometric data, to name just a few.
However, researchers face many challenges in protecting patients’ privacy: the copious amount of data being collected; the difficulty in keeping patient data absolutely anonymous at all times; the possibility of discovering patient information that the patients themselves are unaware of, such as from genomic sequencing; and the industry as a whole working on innovations that will change diagnosis, treatment and resource allocation that will be a potential minefield for privacy regulations.
The healthcare industry has numerous rules in place to protect patients’ privacy and healthcare information. For example, US patients are covered by the Health Insurance Portability and Accountability Act (HIPAA). Most countries place healthcare information in the sensitive or special category in their legislations.
Healthcare researchers need to understand these guidelines in order to ensure a patient’s privacy isn’t being violated.
HIPAA: How effective is it?
In Europe, privacy is an overarching concern. Everyone is covered by privacy laws in all circumstances, not just when they are using the healthcare system.
Patients in the United States are not protected by overarching privacy laws like European patients are, but they do have legislation to protect their healthcare data. Originally enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) principally consists of the Privacy Rule and the Security Rule. It covers protected health information (PHI) that is disclosed by patients to covered entities, which include healthcare providers, health plans and health insurance companies, and healthcare clearinghouses such as billing services. Business associates – defined as any organization or person working in association with or providing services to a covered entity that handles or discloses PHI – and their subcontractors are now also covered. Any research firms that receive PHI from covered entities are considered to be business associates.
HIPAA violations are not uncommon. In 2014, the most recent year for which data is available, 17,779 health information privacy complaints were received, up 37% from the previous year. The violations fall under both the Privacy Rule and the Security Rule.
The Privacy Rule establishes national standards for the protection of certain health information. The Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. Types of violations can include IT breaches in which hackers target healthcare data, accidental disclosure in which PHI is disclosed to a person who is not authorized to access it, and data not being processed properly.
HIPAA is not inclusive
Data privacy laws in the US pose one large discrepancy: While healthcare information is protected under HIPAA, that protection falls away when data are self-reported by the patient, such as when a person participates in an online survey or voluntarily shares data online or via social media. Because the US does not have an overarching privacy law like the EU, practitioners handling self-reported patient data often turn to Federal Trade Commission regulations.
The data collected through electronic medical records (EMR) or through the HIPAA platform are very powerful. Researchers can use the data in EMRs as long as the data are de-identified. HIPAA very clearly covers 18 identifiers; as long as all 18 have been removed from a dataset, it is considered a de-identified dataset and can be used for research. Another option is to have a qualified statistician determine that the risk is very small that the information could be used to identify the individual.
However, even after the 18 HIPAA identifiers have been removed, data can still be used to identify people. Analysts can apply more sophisticated algorithms to determine, for example, which group of people is at higher risk, and then increase that group's insurance premiums. While this would be considered a violation of the basic right to privacy in Europe, privacy laws in the United States would not protect against this sort of data usage.
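The two preceding paragraphs describe the Safe Harbor route to de-identification (remove the 18 HIPAA identifier categories) and the residual re-identification risk that remains afterwards. The following is an added example, not code from Kantar Health or from the article: it applies the Safe Harbor field rules to a few constructed records (dates reduced to year, ages over 89 bucketed, ZIP codes cut to three digits, direct identifiers dropped, free text scanned for leaked numbers) and then measures how unique each remaining record still is with a k-anonymity count over the quasi-identifiers. The field names are an assumed schema, the people are fictional, and the set of low-population ZIP3 prefixes is an assumption for the example that must be checked against current Census data before real use.

```python
import re
from collections import Counter

# Constructed sample records (fictional people, assumed field names).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "dob": "1931-04-12", "zip": "02139", "age": 91, "sex": "F",
     "phone": "617-555-0100", "mrn": "MRN-000123", "admit_date": "2015-03-02", "dx": "E11"},
    {"name": "Beth Example", "dob": "1931-08-30", "zip": "02141", "age": 90, "sex": "F",
     "email": "beth@example.org", "admit_date": "2015-03-09", "dx": "E11"},
    {"name": "Carl Example", "dob": "1975-01-01", "zip": "10001", "age": 50, "sex": "M",
     "ssn": "123-45-6789", "dx": "I10"},
    {"name": "Dan Example", "dob": "1975-06-15", "zip": "10002", "age": 49, "sex": "M", "dx": "I10"},
    {"name": "Ed Example", "dob": "1980-02-02", "zip": "03601", "age": 45, "sex": "M",
     "notes": "patient asked to be called at 603-555-0123", "dx": "J45"},
]

# Field names this example treats as Safe Harbor direct identifiers (assumed schema).
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
                      "account", "license", "vehicle_id", "device_id", "url", "ip",
                      "biometric", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 people or fewer must be replaced by "000".
# This set is an assumption for the example; the authoritative list comes from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                       "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier shapes that tend to leak through free-text fields (the catch-all
# "any other unique identifying number, characteristic or code" category).
RESIDUAL_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def generalize_date(value):
    """Keep only the year; month and day are identifiers under Safe Harbor."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None  # an unparseable date is dropped, never passed through


def generalize_zip(value):
    """Reduce a ZIP to its first three digits, or "000" for low-population prefixes."""
    z = str(value)
    if not (z.isdigit() and len(z) == 5):
        return None
    return "000" if z[:3] in LOW_POPULATION_ZIP3 else z[:3]


def generalize_age(age):
    """Ages over 89 are aggregated into a single "90+" bucket."""
    return "90+" if int(age) > 89 else int(age)


def residual_identifiers(record):
    """Flag string fields that still match an identifier pattern after field-level removal."""
    flags = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS:
                if pattern.search(value):
                    flags.append((field, label))
    return flags


def safe_harbor(record):
    """Return (de-identified record, residual flags that need manual review before release)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            year = generalize_date(value)
            if year:
                out[field + "_year"] = year
        elif field == "zip":
            zip3 = generalize_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value
    return out, residual_identifiers(out)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values; k=1 means someone is unique."""
    classes = Counter(tuple(str(r.get(q)) for q in quasi_identifiers) for r in records)
    return min(classes.values())


if __name__ == "__main__":
    cleaned = []
    for r in SAMPLE_RECORDS:
        record, flags = safe_harbor(r)
        cleaned.append(record)
        print(record, "REVIEW:" if flags else "", flags or "")
    print("k over (zip3, dob_year, sex) =", k_anonymity(cleaned, ("zip3", "dob_year", "sex")))
```

Running it shows the point of the second paragraph: every record passes the Safe Harbor field rules, yet the fifth one is still unique on year of birth, ZIP3 and sex (k = 1), and its free-text note carries a phone number that field-level removal never touched. That is the kind of residual risk the expert-determination route, or a k-anonymity threshold on release, is meant to catch.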
Other agencies working to protect patients’ privacy
In the United States, data privacy is overseen by the Federal Trade Commission. In 2012, the agency released a report setting forth best practices for businesses to follow to protect consumers’ privacy and give them better control over the collection and use of their personal data.
At a more local level, hospitals often employ an ethics committee or an ethics consultant to advocate for patients and their privacy. Traditionally, the ethics committee works to promote the rights of patients and encourage shared decision making between patients (or their surrogate) and the physician. However, committee members are also on hand to address issues of patient privacy or confidentiality.
How do these rules affect healthcare researchers?
Patient-centric research doesn’t only mean research directly with patients and other healthcare consumers. It also includes asking healthcare providers to release patient information, either via patient records, aggregated data or anecdotal data. The increasing focus on patient privacy has made healthcare practitioners more reluctant to release patient data, and many doctors are confused about what they can and cannot release. In response, doctors will sometimes only talk about aggregated patient information, and some will not participate in any survey that deals with patients rather than risk inadvertently releasing patient information.
Two solutions exist for using individual patient data for analysis. One is to get the study classified as real-world research. Real-world research encompasses many types of information, including claims data, clinical trial data, data from electronic health records, pharmacy data, and data collected directly from the patient. These data typically conform to privacy regulations because studies that collect real-world evidence are subject to approval and oversight from an Institutional Review Board or an ethics committee.
The second solution is a syndicated study. These studies have no sponsor; an agency is completely responsible for collecting and analyzing the data and ultimately sells aggregated reports. That reduces the risk of a sponsor or healthcare provider mishandling individual patient data and violating patient privacy.
The best way to ensure a patient’s privacy isn’t being violated is to receive their consent, offering them the ability to opt in or opt out of having their information shared. However, there is some disagreement about whether patients understand what they are giving consent to. After all, privacy policies and terms-and-conditions documents are often quite lengthy and not written in layman’s terms. Therefore, the US Department of Health and Human Services encourages healthcare providers and researchers to adequately inform patients of how their data will be used so patients can make a “meaningful” consent choice.
Source: Kantar Health