According to a new survey, the demand for access to health data is outpacing the ability of organizations to ensure patient privacy. A survey conducted by Privacy Analytics, a de-identification technology vendor, found that more than two out of three healthcare organizations lack complete confidence in their ability to share data without putting patients’ privacy at risk.
The survey, conducted in collaboration with the Electronic Health Information Laboratory, a group that conducts theoretical and applied research on the de-identification of health information, also indicated that despite organizations’ lack of confidence, data sharing activities continue to grow.
The survey, called The State of Data Sharing for Healthcare Analytics 2015-2016, polled 271 professionals with various levels of seniority in their organizations, from the C-suite level to managers and employees. One in three individuals surveyed identified as being responsible for privacy and compliance in their healthcare organization, and another 23 percent work in the IT department. Others surveyed identified themselves as researchers, clinicians, project managers, analyst and consultants.
More than half of the respondents of the survey said they plan to increase the volume of data stored or shared within 12 months and two-thirds currently release data for secondary use. And, secondary use of health data applies to protected health information (PHI) that is used for reasons other than direct patient care, such as data analysis, research, safety measurement, public health, payment or provider certification.
Health records are the leading type of data being stored or shared, followed by medical claims data, trial data, survey responses, membership/enrollment and device data.
The survey findings indicated that individuals lack familiarity with advanced methods of de-identifying data, and, as a result, these individuals release information that has been stripped of its usefulness or share data in a way that puts them at an unacceptably high risk of a breach, the survey authors reported.
And, most organizations use data sharing approaches that can result in unknown data privacy compliance and increased risk, as 75 percent of respondents reported that their organizations use approaches such as data-sharing agreements, data masking or Safe Harbor methodology.
According to the survey authors, these approaches do not adhere to globally accepted data sharing guidelines, including those from Health Information Trust Alliance (HITRUST), the Institute of Medicine (IOM), and the Council of Canadian Academies. Although Safe Harbor is recommended by regulators, it represents a minimum standard for de-identification that can leave data vulnerable to a breach.
While there is currently no universal standard for the de-identification of protected health information (PHI), efforts to create a framework are underway. HITRUST recently released a de-identification framework, which organizations can use when creating, accessing, storing or exchanging personal information.
The survey found that nearly half (48 percent) of respondents cited patient re-identification as a key challenge. Additional challenges include low staff knowledge on managing data safely, low staff knowledge of data sharing practices and tools, cost concerns and lack of organizational policies.