A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk.
HIPAA and Data Sharing
Under the HIPAA Privacy Rule, covered entities are not permitted to share the Protected Health Information unless prior authorization has been obtained from the patient, unless those data have first been de-identified – 45 CFR §164.502(d). When de-identifying data, covered entities must ensure the risk of re-identification of patients is kept to an acceptable level: the use of Expert Determination and the Safe Harbor model are suggested – 45 CFR §164.514(a)-(b).
When sharing data, many HIPAA-covered entities opt for the Safe Harbor model, which requires the removal of 18 identifiers from the data prior to those data being disclosed to a third-party for research studies, policy assessment, etc. Unfortunately, removing this information limits the usefulness of the data.
Should those identifiers not be stripped out of the data, it is all too easy for patients to be re-identified as Harvard researchers have previously shown. A 2013 study revealed that 42% of patients were able to be re-identified from a public DNA study when personal identifiers had been stripped from the data.
Healthcare Data Sharing Study Results
The Privacy Analytics survey was conducted on 271 participants, including employees, managers, and C-suiters involved in privacy decision-making processes.
There is growing pressure on healthcare organizations to share data internally and externally. 62% of respondents indicated their organization already shares data for secondary use, while 56% are planning to increase data sharing over the course of the next 12 months. 46% of respondents who already share data said they were interested in sharing data with external organizations for research purposes. 27% said they would like to share data with pharmaceutical companies, and 14% with medical device manufacturers. Health records, medical claim data, and trial data are the most common data currently being shared.
While data are being shared, the majority of organizations lack confidence in their ability to share those data without the risk of patient re-identification.
Lack of Confidence in Healthcare Data Sharing
According to the survey, 50% relied on data sharing agreements, 31% on data masking, and 28% used the HIPAA Safe Harbor methodology. More than 75% were therefore relying on data de-identification methodologies that involved unknown data privacy compliance and increased risks.
The lack of confidence may be linked to a lack of understanding of advanced methodologies that can be used to de-identify data according to the study. 51% of respondents claimed they were unaware of these advanced methods. Consequently, they were providing data that have been stripped of identifiers in accordance with HIPAA Rules, and along with the removal of that information went much of the usefulness of those data.
According to Khaled El Emam, CEO, Privacy Analytics, “The increasing demand on healthcare organizations to share data, both internally and externally, is pushing the boundaries of data privacy regulations.”
Further information on HIPAA requirements for the de-identification of Protected Health Information can be found on this link.