
Federal and State Privacy Laws: Strategies for Analysis of Big Data in Healthcare

December 5, 2014
by M. Leeann Habte
Access to Big Data means complying with federal as well as multiple state privacy laws. A legal expert offers advice for meeting existing legal requirements at both levels.

In recent years, there has been a dramatic increase in the ability of organizations to create and analyze large health data sets, often referred to as “Big Data.” In healthcare, Big Data has created many new opportunities to improve the quality of care, improve treatment of diseases, and advance public health. However, the analysis of Big Data involves certain obstacles because Big Data typically involves data obtained from multiple sources and of various types—clinical data from health care providers, data from government agencies, and data from consumers.

While Big Data integrates different types of information from different sources, U.S. privacy law is sector-specific. It regulates specific types of entities (such as health plans and health care providers) and provides special protection for certain sensitive information (such as HIV or genetic information). Further, the laws differ between states. This means that the use and disclosure of Big Data in healthcare requires an understanding of the source and type of the data, the laws that govern such information, and the impact of these laws on data use and disclosure. Although this tension between the potential of Big Data and the state- and entity-specific legal framework may ultimately prompt a reconsideration of the ways in which personal healthcare information is protected, this article offers assistance in navigating the existing regulatory structure. 

Federal Laws

At the federal level, the Health Insurance Portability and Accountability Act (HIPAA) governs a broad range of health information. Protected Health Information (PHI) includes not only clinical information, but also demographic and financial information about an individual that is created or received by a Covered Entity. Although the definition of PHI encompasses a broad range of identifying information regarding an individual’s past, present, or future health condition, healthcare services, or payment for services (including demographic information), HIPAA applies only to covered entities—health plans, health care clearinghouses, and certain healthcare providers that engage in standard electronic transactions—and their business associates, i.e., any downstream subcontractors that provide financial, administrative, data transmission and certain other services for or on behalf of covered entities. Organizations that store or transmit PHI such as electronic health record (EHR) vendors and health information exchanges (HIEs) are all considered business associates under these regulations, and a covered entity may also act as a business associate of another covered entity.

HIPAA prohibits the use or disclosure of PHI without individual authorization other than for treatment, payment, and health care operations and for certain limited purposes as defined in the Privacy Rule. For example, uses of PHI for research or marketing require individual authorization. Not all health information held by a covered entity is subject to HIPAA. For example, HIPAA does not govern the health information in education records (such as records from school health clinics) or employment records held by a covered entity in its role as employer (such as records related to sick leave, or records generated in an on-site health clinic). HIPAA also does not govern health information gathered directly from consumers, such as information gathered through online applications. In addition, other records are specifically protected under other federal laws. For example, the federal Confidentiality of Alcohol and Drug Abuse Patient Records law protects patient records that are maintained by, or in connection with, a federally-assisted drug or alcohol program. 

Strategies for Use of Big Data under HIPAA

To facilitate the analysis of Big Data in compliance with HIPAA, several strategies are outlined below:

  • Internal Analysis for Covered Entities’ Treatment, Payment, or Health Care Operations (TPO). A covered entity may analyze PHI for its own treatment, payment, and health care operations and may analyze the PHI of entities with which it has entered into an Organized Health Care Arrangement (OHCA), as defined in the Privacy Rule. TPO encompasses a broad range of analyses, such as those in support of utilization review, quality assurance, and business planning.
  • Creation and Use of Statistically De-Identified Data. Covered entities or business associates may de-identify PHI under the Privacy Rule and may generally use such de-identified information without limitation. There are two methods through which PHI may be de-identified under HIPAA: the Safe Harbor Method (which requires the removal of 18 identifiers) and the Expert Determination Method (which involves a formal determination by a qualified expert). The Expert Determination Method is likely a better alternative to satisfy the de-identification standard, because it allows for preservation of a greater number of data elements and a more robust data set than under the Safe Harbor Method.
  • Creation of Research Databases for Future Research Uses of PHI. Although there are several methods for creation of a research database under HIPAA, authorization for creation of the database and for future research uses should be requested from patients or consumers to ensure maximum flexibility for future research.
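The Safe Harbor method described above, as an added illustration that is not part of the original article: a constructed patient record is stripped of direct identifiers, the ZIP code is truncated to three digits (or zeroed for a sparsely populated prefix), event dates are reduced to the year, and an age over 89 is collapsed into a single 90+ category with the birth year dropped. The field names, sample values and the set of small ZIP3 prefixes are assumptions made for this example.

```python
from datetime import date

# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "email": "jane@example.com",
    "zip": "03601",
    "birth_date": "1921-03-14",
    "admission_date": "2014-11-02",
    "diagnosis_code": "E11.9",
    "lab_glucose_mg_dl": 182,
}

# Direct identifiers removed outright (a subset of the Safe Harbor list,
# keyed by this example's own field names).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "ip_address", "url"}
# Event dates: only the year may be retained.
EVENT_DATES = {"admission_date", "discharge_date", "death_date"}
# ZIP3 prefixes treated as covering fewer than 20,000 people (assumption for
# the example; the authoritative set comes from Census population data).
SMALL_ZIP3 = {"036", "059", "102"}

def age_on(birth_iso, as_of):
    """Exact age in years on as_of, computed before the date is truncated."""
    y, m, d = (int(p) for p in birth_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))

def safe_harbor(record, as_of=date(2014, 12, 5)):
    """Return a copy of record with Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                       # drop the field entirely
        if key in EVENT_DATES:
            out[key.replace("_date", "_year")] = int(value[:4])
        elif key == "zip":
            zip3 = value[:3]               # ZIP truncated to 3 digits...
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3  # ...or zeroed
        elif key == "birth_date":
            age = age_on(value, as_of)
            if age > 89:                   # ages over 89 collapse to one bucket
                out["age_group"] = "90+"   # and the birth year is dropped too
            else:
                out["birth_year"] = int(value[:4])
                out["age"] = age
        else:
            out[key] = value               # clinical values are not identifiers
    return out
```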

State Laws—Considerations for Uses of Data