In recent years, there has been a dramatic increase in the ability of organizations to create and analyze large health data sets, often referred to as “Big Data.” In healthcare, Big Data has created many new opportunities to improve the quality of care, improve treatment of diseases, and advance public health. However, the analysis of Big Data involves certain obstacles because Big Data typically involves data obtained from multiple sources and of various types—clinical data from health care providers, data from government agencies, and data from consumers.
While Big Data integrates different types of information from different sources, U.S. privacy law is sector-specific. It regulates specific types of entities (such as health plans and health care providers) and provides special protection for certain sensitive information (such as HIV or genetic information). Further, the laws differ between states. This means that the use and disclosure of Big Data in healthcare requires an understanding of the source and type of the data, the laws that govern such information, and the impact of these laws on data use and disclosure. Although this tension between the potential of Big Data and the state- and entity-specific legal framework may ultimately prompt a reconsideration of the ways in which personal healthcare information is protected, this article offers assistance in navigating the existing regulatory structure.
At the federal level, the Health Insurance Portability and Accountability Act (HIPAA) governs a broad range of health information. Protected Health Information (PHI) includes not only clinical information, but also demographic and financial information about an individual that is created or received by a Covered Entity. Although the definition of PHI encompasses a broad range of identifying information regarding an individual’s past, present, or future health condition, healthcare services, or payment for services (including demographic information), HIPAA applies only to covered entities—health plans, health care clearinghouses, and certain healthcare providers that engage in standard electronic transactions—and their business associates, i.e., any downstream subcontractors that provide financial, administrative, data transmission and certain other services for or on behalf of covered entities. Organizations that store or transmit PHI such as electronic health record (EHR) vendors and health information exchanges (HIEs) are all considered business associates under these regulations, and a covered entity may also act as a business associate of another covered entity.
HIPAA prohibits the use or disclosure of PHI without individual authorization other than for treatment, payment, and health care operations and for certain limited purposes as defined in the Privacy Rule. For example, uses of PHI for research or marketing require individual authorization. Not all health information held by a covered entity is subject to HIPAA. For example, HIPAA does not govern the health information in education records (such as records from school health clinics) or employment records held by a covered entity in its role as employer (such as records related to sick leave, or records generated in an on-site health clinic). HIPAA also does not govern health information gathered directly from consumers, such as information gathered through online applications. In addition, other records are specifically protected under other federal laws. For example, the federal Confidentiality of Alcohol and Drug Abuse Patient Records law protects patient records that are maintained by, or in connection with, a federally-assisted drug or alcohol program.
Strategies for Use of Big Data under HIPAA
To facilitate the analysis of Big Data in compliance with HIPAA, several strategies are outlined below:
- Internal Analysis for Covered Entities’ Treatment, Payment, or Health Care Operations (TPO). A covered entity may analyze PHI for its own treatment, payment, and health care operations and may analyze the PHI of entities with which it has entered into an Organized Health Care Arrangement (OHCA), as defined in the Privacy Rule. TPO encompass a broad range of analyses, such as those in support of utilization review, quality assurance, and business planning.
- Creation and Use of Statistically De-Identified Data. Covered entities or business associates may de-identify PHI under the Privacy Rule and may generally use such de-identified information without limitation. There are two methods through which PHI may be de-identified under HIPAA: the Safe Harbor Method (which requires the removal of 18 identifiers) and the Expert Determination Method (which involves a formal determination by a qualified expert). The Expert Determination Method is likely a better alternative to satisfy the de-identification standard, because it allows for preservation of a greater number of data elements and a more robust data set than under the Safe Harbor Method.
- Creation of Research Databases for Future Research Uses of PHI. Although there are several methods for creation of a research database under HIPAA authorization, for creation of the database and future research, uses should be requested from patients or consumers to ensure maximum flexibility for future research.
State Laws—Considerations for Uses of Data
Although technology and federal policy is leading to the amassing of a growing body of Big Data, state laws are inconsistent and can act as barriers to the exchange and analysis of health information. Whereas HIPAA establishes a federal floor for protection of health data that is consistent across all types of health information, it does not preempt contrary state laws or regulations that are more stringent than HIPAA with respect to the protection of the privacy of health information.
Data Mapping for Uses of Data under State Law
State laws generally vary depending on the factors discussed below. To address the multiplicity of state law requirements, it is essential to map the type of health information, source, and proposed uses to ensure compliance with state privacy law. Such uses may require a more individualized strategy for sensitive data, such as segmentation of certain data elements or records that contain these data.
- Type of Health Information. Almost all states have laws related to “specially protected” information, e.g., sensitive information such as genetic information, HIV test results, substance abuse information, and mental health information. Therefore, any analysis of the use of health care databases must begin with the type of information involved.
- Source of Data. State laws may apply to certain entities, such as health care providers or insurers, or may apply to health information generally. This means that information gathered directly from consumers, medical device companies, and other entities may not be subject to the same restrictions. Therefore, any determination of the applicability of state law also depends on the source of the data.
- Uses of the Data. Although HIPAA governs the uses and disclosures of PHI, many state laws only restrict the disclosures of health information. This means that state law restrictions may not apply to uses of the data by the entity that created the information.
- State Law Restrictions. Research uses of the information are often subject to separate authorization requirements. Additional restrictions may also apply to any uses for marketing or related secondary purposes and may require separate authorization. Certain states also impose specific requirements for valid individual authorizations for the use and disclosure of health information. Therefore, organizations should have some mechanism to track patient authorizations for disclosures and uses of health data.
In consideration of the complex regulatory scheme governing the privacy of individually identifiable health information, organizations using Big Data in healthcare should map the source, type, uses, and legal restrictions of data to identity potential barriers to proposed uses of data. Advance planning for any proposed secondary uses of such data is critical, as strategies must be developed to address the segmentation of protected data elements or records, authorization/consent, or methods for de-identification of the information.
M. Leeann Habte is a senior counsel with Foley & Lardner LLP, where she is a member of the Health Care Industry Team. She is also a Certified Information Privacy Professional and a member of the firm’s Privacy, Security, & Information Management Practice. A former director at UCLA and the Minnesota Department of Health, she has practical experience in developing and implementing data privacy and security policies and procedures and managing information technology resources.