How private is private?
Pity the patient in search of a firm definition of privacy – at least where their data is concerned. Two years after the European Union implemented its General Data Protection Regulation (GDPR), discussions about privacy in healthcare have gathered momentum around the globe, not least in the US, where change is afoot at both state and federal levels. But variations and exemptions abound.
In January, the arrival of the California Consumer Privacy Act (CCPA) set a localised standard in the US that is being closely watched by other states – particularly for its considerable likely impact on healthcare data privacy compliance. In Washington DC, the ONC is pushing ahead with planned adaptations for HIPAA that will take into account the rapid evolution of data sharing across the healthcare landscape during the last 20 years.
In the short term these may evolve within existing statute, but in the long run bigger structural changes are likely – and in any case, the speed of development is likely to be slow in the year of a presidential election.
While there might be a perception that GDPR has been a significant global influence on data privacy law, the differences in the way healthcare data is stored and shared across national and international healthcare markets mean that it would be practically impossible to adopt it as a standard framework. The most significant difference between GDPR and CCPA, for example, is scale: the former concerns any global company that transacts within an EU country (a market of more than 550 million residents); the latter, despite a GDP that makes the state the equivalent of the world´s fifth largest country, only impacts on companies seeking to trade with citizens of California.
SUPERFICIAL DATA GOVERNANCE SIMILARITIES
Beyond that basic consideration, fundamental differences lie in the complexities of these landmark pieces of legislation. For example, GDPR covers all aspects of data collection, storage, processing, sharing and cross-border transfer, and applies to both the data processor and controller.
CCPA applies to businesses, but doesn't include not-for-profit organisations and for-profit businesses with revenue of less than $25 million. In terms of scope, it applies to companies that generate more than 50% of their revenues by monetising the data of California residents. The minimum threshold for consumer data is 50,000 residents – and unlike GDPR, which holds data privacy as a fundamental right, CCPA is focused entirely on the rights of the California consumer.
This specific focus – not unlike HIPAA before it, which was originally drafted for the healthcare insurance sector – creates a patchwork of application and interpretation and above all, much uncertainty for the patient who ostensibly owns their data.
“Global regulations like GDPR, CCPA, PIPEDA (Canada´s data privacy law) and LGPD (the equivalent in Brazil) all seek to protect a consumer from the impact of poor data governance policies,” says Tim Mackey, senior principal consultant at the Synopsys CyRC (Cybersecurity Research Centre). “Key to these regulations are the dual concepts of consent and appropriateness. Did the organisation collecting the information obtain consent for the data collected and was the user providing consent aware of how the data would be managed?”
Mackey says that while patients might be familiar with HIPAA requirements of consent for treatment and data sharing with payers, they are likely to be unaware of how their health information is stored and protected from unauthorised access.
“One of the key lessons from the GDPR experience is that a clear identification of who collects data and who processes data was required,” he says. “In so doing, the [regulation's] authors recognised that data processing is a key component of modern business and that the organisation delivering the service does so under contract terms set by their customer. In effect, the entity collecting the data is the customer of the entity processing.”
This has two consequences: the data collector is in a position to define the rules for how their data should be handled. And the data collector must adhere to a set of responsibilities to ensure that users are aware of their rights and that sound judgement is exercised when selecting service providers.
DATA STEWARDS NOT OWNERS
“The same paradigm could easily apply for care providers, but with the recognition that certain aspects of privacy regulations, like a right to be forgotten, simply can't apply in a healthcare scenario,” says Mackey. “Applying data sharing and privacy principles to health data required a shift in concept from data ownership to data stewardship.
“Under a stewardship model, all providers in the chain of care from prenatal through to end of life share responsibility for all data collected on a given individual. Any weakness in the security practises and data management processes implemented by providers along the chain potentially discloses a patient´s health history and creates the potential for incorrect data, which could negatively impact decisions on future care.”
For Richard Cramer, chief healthcare strategist at enterprise cloud data management specialist Informatica, this is also about a shift in focus from compliance with regulation – whatever form that regulation takes today or in the future – to good data governance. He says that rather than disappearing, data silos have simply grown as data accumulates, to the point where they are out of control. With data chaos on both source and consumption sides, the only solution is an automated data catalogue that establishes the location of data and who is using it.
“We used to lament the complexity of data as something that had to be corrected,” he says. “Today, we have to recognise that data messiness is a characteristic of data – and cataloguing is the solution.”
Legislation itself is in danger of becoming a distraction in the ongoing data privacy debate. Cramer suggests that GDPR – and emerging legislation like CCPA, which appears to share much of its DNA with GDPR – is ultimately about good governance. It is less helpful at defining the nature of the data. Pinning down data held by an organisation exempt from HIPAA regulation, for example, remains frustratingly opaque – and these are issues that have yet to come home to roost.
“The kernel of the debate is the convergence of modern data management within regulatory compliance,” he says. “We now have an enormous volume of data that should be protected health information – but it´s been created by a slew of devices and tools, outside the entities that HIPAA says need to be regulated in a certain way.
“We need to shift our focus from defining entities that need to be regulated, to data that needs to be defined by type and use.”
Cramer says the healthcare sector has a longstanding history of providers wanting to restrict access to data and analytics in their domain. In a world striving to deliver comprehensive continuity of care, data sharing is only going to become more important.
The way in which data can be used and disclosed should be a fundamental issue for regulation and legislation going forward, agrees Jeff Coughlin, senior director federal and state affairs at HIMSS.
HIPAA has not been updated in 20 years and it simply doesn't take into account today's digital health economy and the state of play for visual health delivery. The market must move to better models that enable and facilitate information sharing. Regulation is key, but there is still enough confusion around HIPAA, for example, to create uncertainty for patients, providers and vendors.
“HIPAA is a paternalistic model in a way,” he says. “Providers don't want to share information with you because they want you to keep coming back to them for care. But they sometimes hide behind the idea that HIPAA prevents sharing. It doesn't. P stands for portability, not privacy.”
This leaves healthcare in something of a Catch-22 situation. Despite the advance of regulation, patients are not necessarily informed about what privacy means, how their data will be used or shared. Ultimately, all parties in the chain need to be able to see what the rules are – and then abide by them.