THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE As demand for data sharing grows, healthcare organizations must move beyond data agreements and masking to achieve regulatory compliance PRIVACY ANALYTICS Nothing personal.
INTRODUCTION Healthcare organizations are experiencing greater demand than ever to share data, both internally and externally. Yet, despite the need for sophisticated methods, organizations are relying on rudimentary approaches to managing the privacy and security of their data, leaving them and their patients at risk. In order to begin addressing this gap, the industry must identify what challenges healthcare organizations face and what methods are used when sharing sensitive information. The following summarizes the key findings from The State of Data Sharing for Healthcare Analytics 2015-2016: Change, Challenges and Choice. The survey was launched earlier this year by Privacy Analytics, in collaboration with the Electronic Health Information Laboratory, a group that conducts theoretical and applied research on the de-identification of health information. The survey assessed the state of data sharing in healthcare and the challenges in disclosing data for secondary use. Secondary use of health data applies to protected health information (PHI) that is used for reasons other than direct patient care, such as data analysis, research, safety measurement, public health, payment, provider certification or marketing. Healthcare organizations lack maturity in how they currently utilize their data 1, but data analytics in healthcare is taking hold. Investments made through the HITECH Act and other programs accelerated the adoption of technology, transforming healthcare in recent years. Vast amounts of data are now captured in electronic medical records, medical monitoring tools and information portals. One outcome has been a flood of requests for this sensitive information. From internal groups that want to monitor clinical quality to external organizations that aim to integrate data from various systems, healthcare organizations want to gain a comprehensive view of their patients and encourage innovation. Moving beyond individual data silos to integrated data systems that support decision-making and innovative research holds great promise, but progress to implement this has been slow. While staff, from executives to front-line workers, see the potential of data analytics, most are unsure of how to reconcile the need for detailed and high-quality data with privacy regulations. Because many individuals lack familiarity with advanced methods of de-identifying data, they are releasing information that has been stripped of its usefulness or even worse sharing data in a way that puts them at an unacceptably high risk of a breach. 1
FINDINGS AT A GLANCE THERE IS A LACK OF TOTAL CONFIDENCE IN THE ABILITY TO PROTECT PRIVACY. More than two out of three respondents lack complete confidence in their organization s ability to share data without putting privacy at risk. THE DEMAND FOR DATA IS GROWING AS FAST AS THE AMOUNT OF DATA BEING COLLECTED. More than half of the respondents plan to increase the volume of data stored or shared within 12 months and two-thirds currently release data for secondary use. INDIVIDUALS LACK FAMILIARITY WITH ADVANCED METHODS OF DE-IDENTIFYING DATA. As a result, they release information that has been stripped of its usefulness or share data in a way that puts them at an unacceptably high risk of a breach. MOST ORGANIZATIONS USE APPROACHES THAT CAN RESULT IN HIGH RISK DATASETS. More than 75 percent of respondents said that their organization uses one or more of the following: data-sharing agreements, data masking or Safe Harbor. HEALTHCARE ORGANIZATIONS ARE SLOWLY STARTING TO MONETIZE DATA ASSETS. One in six says they share data with other organizations for profit. 2
SURVEY PARTICIPANTS A total of 271 individuals completed the online survey between July and September 2015. The respondents held various levels of seniority in their organization, from the C-level (33%) to managers (40%) and employees (28%). Approximately one in three individuals surveyed is responsible for privacy and compliance in their organization. Another 23% work in the IT department. Others identified themselves as researchers, clinicians, project managers, analysts and consultants. This diversity reflects the broad spectrum of individuals involved in privacy decision-making. Respondents were mainly located in the U.S. (75%) and Canada (18%), with a small number of individuals located in Europe (4%), Asia (3%) and other regions. LEGAL 5% PRIVACY 14% OTHER 42% COMPLIANCE 16% RESPONDENT ROLES IT 23% RESPONDENT JOB ROLES Other includes individual cross-appointed to more than one role, as well as those involved in management, research, clinical roles, finance, and marketing. 3
KEY FINDINGS The State of Data Sharing for Healthcare Analytics 2015-2016: Change, Challenges and Choice market survey reveals that, while healthcare organizations are seeing a surge in the demand to share data for secondary use, data analytics in healthcare is still immature. As a result, organizations can expect to feel mounting pressure to bring their data storage and sharing practices in line with emerging industry standards. HITRUST, the Institute of Medicine, PhUSE and the Canadian Council of Academies have all put forward guidelines that recommend the use of risk-based de-identification when disclosing PHI for secondary uses. The major findings of this survey reflect overall trends being seen in healthcare analytics. Results found here are consistent with those of surveys conducted by other reputable groups with interests in data security and privacy. One finding from the 2015-2016 survey revealed that more than two out of three respondents lack complete confidence in their organization s ability to responsibly share data for secondary uses without putting individual privacy at risk. This is almost identical to a recent ISACA survey that found only 29% of privacy professionals are very confident in their enterprise s ability to ensure the privacy of its sensitive data. 2 To gain insight into healthcare organizations need to protect patient privacy, the challenges faced, and the approaches currently being used, the survey presented questions in three sections: Basics of data sharing, Current uses of data, and Challenges. The main findings from each section are presented below. 4
BASICS OF DATA SHARING Respondents see demand for their data coming from a variety of sources, both internal and external, and many already release data for secondary use. Internal uses of data include any data sharing within the organization that is not for providing care, such as quality assurance for products and fraud detection. While external data sharing occurs primarily with academic institutions for research and analysis, there is interest in greater sharing with other outside organizations, too. External uses of data include any use of data by an outside organization, such as for revenue or reporting purposes. Nearly two-thirds (62%) of respondents indicated that their organization currently releases data for secondary use. A majority (56%) are also planning on increasing the volume of data they share in the next 12 months, regardless of whether or not they already share data with others. Respondents who expressed an interest in de-identification said that it is primarily due to increased demand to share data externally (45%) and the desire to make use of sensitive data internally (41%). Other reasons include validation for compliance (26%), software testing (17%) and research (4%). The majority of respondents who already share data, either within their organization only or with another firm externally, are interested in sharing data externally in the future with academic institutions and researchers (46%). A large portion of respondents is interested in sharing data externally in the future with pharmaceutical companies (27%) and device manufacturers (14%). Health records are the leading type of data being stored or shared (55%) by respondents, followed by medical claims data (44%), trial data (36%), membership enrollment (33%), survey responses (33%), and device data (23%). In summary, demand for data is on the rise, including for organizations that only use data internally. It is important for organizations using data for any type of secondary purpose, including internal uses such as quality assurance, to protect it. 5
INTEREST IN USING DE-IDENTIFICATION Using data internally Sharing data externally Compliance and validation Software testing Research 0 5 10 15 20 25 30 35 40 45 50 Percentage of respondents TYPES OF DATA BEING SHARED Health records Medical claim data Survey responses Membership or enrollment data Trial data Device data 0 5 10 15 20 25 30 35 40 45 50 55 60 Percentage of respondents 6
CURRENT USES OF DATA Survey respondents indicated that they anticipate the demand for data to grow in the foreseeable future, with a few already starting to monetize their data. Those who have started monetizing data are slightly more inclined to use Safe Harbor de-identification strategies, but most are relying on data sharing agreements and masking techniques only. While Safe Harbor substantially reduces the risk Regardless of whether or not they currently share data, the majority of respondents foresee an increase in their data sharing practices within the next year. of re-identification, it does not provide the same level of rigor as risk-based de-identification thereby putting organizations at an unnecessarily high risk of a data breach. While data are often being used for secondary analysis such as research or fraud detection (60%), the largest use is for primary analysis, including quality assurance (72%). This finding is in line with a HealthLeaders Media survey conducted earlier this year showing the top analytic use of data is improving clinical quality. 3 The move towards monetizing data assets will be propelled by changes to hospital reimbursements. The shift to pay-for-performance models means CURRENT USES OF DATA Sharing for primary analysis Sharing for secondary analysis Sharing for profit 0 10 20 30 40 50 60 70 80 Percentage of respondents 7
that providers will likely see declining reimbursements in the near term. Health insurers will also feel the pinch, caught between health providers and their clients. As business fundamentals become more important, data analytics will give insights on ways to cut costs and improve efficiencies. 4 But, expect these players to increasingly look to monetization of their data as a way to generate new revenues. The proportion of respondents that have begun monetizing their data assets (19%) is in line with research from Gartner that reported 30 percent of U.S. businesses will monetize their information assets by 2016. 5 When it comes to data management practices, two-thirds of respondents are managing the majority of their data sharing practices in-house. When asked to identify their current data management practices, more than 75 percent of respondents said that their organization uses one or more approaches that could result in unknown data privacy compliance and risk, such as data-sharing agreements (50%) and data masking (31%). The use of Safe Harbor methodology is also on the rise (28%). Although Safe Harbor is recommended by regulators, it represents a minimum standard for de-identification that can leave data vulnerable to a breach. One in 13 respondents said their organization currently uses no data management practices. DATA MANAGEMENT TECHNIQUES Data sharing agreements Masking Safe Harbor de-identification Anonymization or de-identification Third party de-identification Not sure/none 0 5 10 15 20 25 30 35 40 45 50 Percentage of respondents 8
However, one in five respondents says that their organization has taken steps to reduce risk by using expert determination de-identification software or third-party de-identification. This type of de-identification represents the most stringent data protection available. These organizations are more likely to be handling health records (57%), medical claims data (51%) or trial data (51%), some of the most sensitive types of data being handled today. While this small subset of organizations that handle sensitive data understands the complexities around data sharing, many more are leaving themselves open to unnecessary levels of risk and noncompliance. CURRENT CONCERNS IN DATA SHARING Re-identification concerns Cost Low knowledge on managing data Low knowledge on sharing and software Lack of data use policy No concerns 0 5 10 15 20 25 30 35 40 45 50 Percentage of respondents MOST IMPORTANT ELEMENTS OF A PRIVACY SOLUTION Certifying compliance Granular high-quality data Tool fits into current infrastructure Tool is simple Able to understand risk of re-identification 0 1 2 3 4 5 6 7 8 9 10 Rated by importance (10 being the most important) 9
CHALLENGES Healthcare organizations are slowly beginning to unlock their data for secondary uses. Faced with requests for sensitive information, they must balance the demand for high-quality, granular data with requirements for privacy compliance. Unfortunately, two out of three respondents lack complete confidence in their organization s ability to share data without putting individual privacy at risk. The demand for data, combined with the magnitude of PHI being collected in electronic medical records, medical monitoring apps and other healthcare networks, makes this a cause for concern. Healthcare is a heavily regulated environment where failure to act with care not only puts patient privacy at risk but exposes the organization to legal, financial and reputational penalties if there is a breach. Confidence in protecting privacy is correlated to an organization s data management practices. Respondents whose organizations use de-identification software or third-party de-identification services are more likely to have complete confidence in the ability to responsibly share data for secondary use. Respondents whose organizations use de-identification software or services are more likely to have complete confidence in the ability to responsibly share data for secondary use. Nearly half (48%) of the respondents cited preventing patient re-identification as a key challenge when storing and sharing data, with concern greatest among those who already share their data. Additional challenges include low staff knowledge on managing data safely (26%), low staff knowledge of data sharing practices and tools (25%), cost concerns (24%), 10
and lack of organizational policies (23%). Combined, low staff knowledge issues were identified as a challenge by fully half (51%) of the respondents. This is consistent with other surveys that found overcoming insufficient skills in analytics to be the top tactical challenge to performing analytics. 6 Knowledge gaps are a major concern and more education and training on de-identification and best practices in data management are needed at many organizations. When asked about privacy discussions within their own organizations and the benefits of data management solutions, reduced risk of privacy breaches and security were cited most often, followed closely by confidence in regulatory compliance. Subsequently, when asked about the importance of various privacy solutions, the most highly rated is the Ability to certify that data is compliant. This was found to be Very Important by more than 41% of the respondents. The ability to maintain the granularity of data was also frequently identified (by 32%) as Very Important. Thus, it would appear that healthcare organizations are seeking ways to responsibly share high-quality data while ensuring that they meet regulatory compliance. De-identification [allows us] to provide growth for our corporate culture of compliance. -Anonymous survey respondent In summary, respondents noted that their chief concern of protecting patients from re-identification is difficult to solve given a lack of knowledge and a lack of policy to achieve compliance. 11
CONCLUSION The growing demand to share health data brings with it growing risks. The proliferation of PHI and subsequent requests for data is pushing the boundaries of compliance as organizations try to satisfy demand. The response has been to err on the side of caution and keep data locked away. Unfortunately, most organizations still rely on rudimentary data management approaches, such as data sharing agreements and masking, that fail to fully comply with data protection laws and which fall far short of emerging standards that have universally recommended the need for risk-based de-identification when sharing data for secondary purposes. The number of organizations yet to embrace these more advanced approaches to data management is indicative of the slow pace of change in the industry, particularly when it comes to information technology. Without a staff that is fully knowledgeable of the tools and techniques to share data safely, organizations will continue to lack confidence in their ability to protect privacy when disclosing data. This should spur organizations to reduce their reliance on ad hoc practices and seek out education and expertise on better ways to responsibly share sensitive data. The results of the market survey are indicative of the gap between regulatory requirements and the industry s preparation to meet them, as was noted in a Deloitte Brief on privacy and security of protected health information. 7 The HITECH Act introduced a requirement for periodic audits of covered entities and business associates to check compliance with HIPAA Privacy, Security and Breach Notification Rules. The importance of ongoing risk analysis will be a central feature of these audits. A pilot audit program conducted in 2013 showed that few healthcare organizations had appropriate controls in place and that the industry needed to significantly improve its security and privacy programs. With the permanent audit program about to come into existence, 8 the clock has run out on organizations that have delayed the implementation of rigorous, risk-based privacy protocols and practices. Those who are in charge of storing and sharing PHI know that they must do so responsibly. The responses to this survey echo their struggles to prevent patient re-identification and meet regulatory compliance. Many organizations feel unprepared to responsibly store and share data for secondary purposes, and thus, are unable to advance analytics in their organization. Those organizations that have taken steps to improve their understanding of de-identification and follow emerging standards, like the Health Information Trust Alliance (HITRUST) and PhUSE guidelines, are in an advantageous position in the emerging field of healthcare analytics. They will benefit from the ability to broadly share data with small downside risk and confidently monetize their data. 12
METHODOLOGY Privacy Analytics sent a survey invitation to approximately 8500 professionals in their database who have responsibilities around PHI. Recipients work in a variety of settings, including hospitals and other healthcare providers, at healthcare payers, pharmaceutical and device manufacturers, research organizations and public agencies. Responses were collected from 339 professionals over a nine-week period from July to September 2015. Of those 271 individuals completed the survey, forming the dataset used in this report. The margin of error for the results is +/- 5.2%, at the edge of a 95-percent confidence interval. In order to gather responses anonymously, the online survey software SurveyMonkey was used. A link to the survey was sent to recipients via email and was also posted to the Privacy Analytics website. Four out of five people who initiated the survey accessed it via the link in their email. 13
REFERENCES 1 International Institute for Analytics and HIMSS Analytics. (2014, February 24). The State of Analytics Maturity for Healthcare Providers: The DELTA TM Powered Analytics Assessment Benchmark Report. HIMSS Analytics. Retrieved from http://www.himssanalytics.org/sites/default/files/delta%20powered%20suite%20faq_june2015_0.pdf 2 ISACA (2015). Keeping a Lock on Privacy: How Enterprises Are Managing Their Privacy Function. ISACA. Retrieved from http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/keeping-a-lock-on-privacy.aspx 3 HealthLeaders Media (2015, April). IT and the Analytics Advantage: Managing Data to Master Risk. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/ content/tec-315376/intelligence-report-slideshow-it-and-the-analytics-advantagemdashmanaging-data-to-master-risk 4 Prewitt, Edward (2012, June). HealthLeaders Media Breakthroughs: The Promise of Healthcare Analytics. HealthLeaders Media. Retrieved from http://healthleadersmedia. com/breakthroughs/281331/the-promise-of-healthcare-analytics 5 Gartner (10 January, 2013). Gartner Predicts 30 Percent of Businesses Will Be Monetizing Their Information Assets Directly by 2016. Retrieved from http://www.gartner.com/ newsroom/id/2299315 6 HealthLeaders Media (2015, April). IT and the Analytics Advantage: Managing Data to Master Risk. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/ content/tec-315376/intelligence-report-slideshow-it-and-the-analytics-advantagemdashmanaging-data-to-master-risk 7 Deloitte Center for Health Solutions. (2014). Issue Brief: Update: Privacy and Security of Protected Health Information Omnibus Final Rule and stakeholder considerations. Deloitte LLP. Retrieved from http://www2.deloitte.com/content/dam/deloitte/us/documents/life-sciences-health-care/us-lshc-privacy-and-security.pdf 8 Dvorak, Katie (2015, September 3). OCR picks vendor for second phase of HIPAA audit program. FierceHealthIT. Retrieved from http://www.fiercehealthit.com/story/ocr-picksvendor-second-phase-hipaa-audit-program/2015-09-03 14
PRIVACY ANALYTICS Nothing personal. www.privacy-analytics.com