Does health data usage not covered by HIPAA need more oversight?
The Privacy and Security Workgroup of the Health IT Policy Committee is preparing a set of recommendations about how the Office of the National Coordinator for Health IT should approach “big data” issues, both for HIPAA-covered entities and for the marketplace outside the HIPAA sphere.
At a June 8 meeting, Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP and the workgroup’s chair, led a discussion of draft recommendations to identify gaps in law and regulation around issues including data de-identification and security as well as areas for further inquiry.
McGraw noted that outside the HIPAA-covered space, there is not a clearly defined right for patients to access data collected about them. She said there has been a debate with respect to medical devices, such as one patient who made a public argument that he had the right to access data from his pacemaker. The workgroup proposes to remind ONC that outside the HIPAA space, voluntarily adopted codes of conduct can be enforced by the Federal Trade Commission, and many of those codes are under development.
During the meeting there was discussion of, but not agreement about, what it would mean to ask for greater transparency about the algorithms healthcare organizations use to make decisions about individuals and populations, and whether provisions of the Federal Credit Reporting Act could be applied to give consumers more access and help promote trust. Several committee members mentioned that the algorithms themselves could be accurate and valid, yet still be used for discriminating against specific populations or individuals. They also said there would be resistance to opening up proprietary analytics systems for inspection.
“All of this rests on a presumption of data quality,” said Gil Kuperman, director of interoperability informatics at New York-Presbyterian Hospital. “If you have poor quality data, your model could be wrong. Or the model could be good, but if the input data is wrong, you get a poor prediction. To me the quality of the data is still a challenge around ‘big data’ approaches.”
McGraw admitted the workgroup has more questions than obvious answers and no consensus about areas of potential harm to consumers. She said there is a need for more inquiry to understand the scope of the issue and where there are gaps in legal protections. There was a general reluctance among workgroup members to suggest that Congress act, given its questionable track record legislating about complex health IT issues.
The workgroup is drafting language to call on the HHS Office for Civil Rights to be a better “steward” of HIPAA de-identification standards, to conduct ongoing review of the methodologies and policies, and to seek assistance from third-party experts, such as NIST. But it is still not clear how big a problem data re-identification is. Noting that the workgroup was not made aware of any HIPAA de-identified data set that has been re-identified, McGraw said, “It is never good to regulate a problem that doesn’t exist yet.”