Health Data Governance: Privacy, Monitoring and Research - Policy Brief



Similar documents
How To Use An Electronic Health Record

OECD Study of Electronic Health Record Systems

Electronic Health Record Systems and Secondary Data Use

ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT

TOWARDS PUBLIC PROCUREMENT KEY PERFORMANCE INDICATORS. Paulo Magina Public Sector Integrity Division

Healthcare Coalition on Data Protection

4. ROLE OF PRIVATE SECTOR IN HEALTH CARE IN INDIA CHALLENGES, OPPORTUNITIES & STARTEGIES

Delegation in human resource management

INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS

A Good Life in Old Age?

Stakeholders meeting. Ethical protocols and standards for research in Social Sciences today

ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT

PRINCIPLES FOR EVALUATION OF DEVELOPMENT ASSISTANCE

Preventing fraud and corruption in public procurement

MSD Information Technology Global Innovation Center. Digitization and Health Information Transparency

COCIR contribution to the public consultation on Personal Data Protection in the EU 1

BCS, The Chartered Institute for IT Consultation Response to:

The European Commission s strategy on Corporate Social Responsibility (CSR) : achievements, shortcomings and future challenges

How To Respond To The Nti'S Request For Comment On Big Data And Privacy

QUESTIONS AND ANSWERS HEALTHCARE IDENTIFIERS BILL 2010

2. ABOUT THE HUMAN GENETICS COMMISSION (HGC) 4. WHAT ARE THE CURRENT LAWS/LEGISLATION AROUND GENETIC TESTING?

Risk Management Policy

OECD Council Recommendation on Principles for Internet Policy Making. 13 December 2011

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Response of the German Medical Association

Health Care Systems: Efficiency and Policy Settings

Privacy and Data Protection

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

How To Ensure Health Information Is Protected

December 23, Dr. David Blumenthal National Coordinator for Health Information Technology Department of Health and Human Services

Policy Brief: Protecting Privacy in Cloud-Based Genomic Research

Sincerely yours, Kathryn Hurford Associate Director, Policy

Submission in Response to the Personally Controlled Electronic Health Record System: Legislation Issues Paper

The purpose of this document is to provide a framework for ConnectGroups in dealing with privacy considerations.

Re: Request for Comment: Big Data and Consumer Privacy in the Internet Economy

Protecting betting integrity

Registered Nurse professional practice in Queensland

Higher education institutions as places to integrate individual lifelong learning strategies

The EFPIA Disclosure Code: Your Questions Answered

Renewing Finland through skills. Forum Criteriorum Helsinki 29 September 2015 State Secretary Olli-Pekka Heinonen

International comparisons of obesity prevalence

Big Data for Mutuals. Marc Dautlich 25 November 2013

Behaviour Analysis & Certification in Europe: Developments & Opportunities

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Behaviour Analysis & Certification in Europe: Developments & Opportunities

Data Governance in-brief

DAC Guidelines and Reference Series. Quality Standards for Development Evaluation

Waiting times and other barriers to health care access

Risk Management Policy and Framework

The Future Use of Electronic Health Records for reshaped health statistics: opportunities and challenges in the Australian context

EFPIA position on Clinical Trials Regulation trialogue

Finland must take a leap towards new innovations

FINLAND ON A ROAD TOWARDS A MODERN LEGAL BIOBANKING INFRASTRUCTURE

Response of the German Medical Association

Submission by the Irish Pharmacy Union to the Department of Health on the Scope for Private Health Insurance to incorporate Additional Primary Care

PNAE Paediatric Nursing Associations of Europe

Global Alliance for Genomics & Health Data Sharing Lexicon

EU DIRECTIVE ON GOOD CLINICAL PRACTICE IN CLINICAL TRIALS DH & MHRA BRIEFING NOTE

National Health Research Policy

(OECD, 2012) Equity and Quality in Education: Supporting Disadvantaged Students and Schools

Advanced Nursing Practice - What Does it Contribute to Health Care and Who Benefits?

What you should know about Data Quality. A guide for health and social care staff

(OECD, 2012) Equity and Quality in Education: Supporting Disadvantaged Students and Schools

The Health Information Act. Use and Disclosure of Health Information for Research

Estate Planning and Patients' Rights in Cross-Border Healthcare

OECD THEMATIC FOLLOW-UP REVIEW OF POLICIES TO IMPROVE LABOUR MARKET PROSPECTS FOR OLDER WORKERS. SWITZERLAND (situation mid-2012)

The National Occupational Standards. Social Work. Topss UK Partnership

National Integrated Services Framework The Foundation for Future e-health Connectivity. Peter Connolly HSE May 2013

Expenditure on Health Care in the UK: A Review of the Issues

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY,

HSE Transformation Programme. to enable people live healthier and more fulfilled lives. Easy Access-public confidence- staff pride

PRINCIPLES FOR ACCESSING AND USING PUBLICLY-FUNDED DATA FOR HEALTH RESEARCH

Code of Practice for Social Service Workers. and. Code of Practice for Employers of Social Service Workers

Information Communication Technology

NMC Standards of Competence required by all Nurses to work in the UK

Swedish RWE a goldmine?

Social health insurance in Belgium. Charlotte Wilgos & Thomas Rousseau

Hong Kong s Health Spending 1989 to 2033

Statement of ethical principles for biotechnology in Victoria

Alberta Health. Primary Health Care Evaluation Framework. Primary Health Care Branch. November 2013

THE ORGANISATION AND FINANCING OF HEALTH CARE SYSTEM IN LATVIA

Personal Assessment Form for RN(NP) Practice for the SRNA Continuing Competence Program (CCP)

Enterprise Risk Management Framework Strengthening our commitment to risk management

The Secrets of Telehealth: How to deploy services in routine care? Marc Lange

Hospital pharmacy technician role / service definition grid

Guidelines approved under Section 95A of the Privacy Act December 2001

National Standards for Mental Health Services

It is focused on prevention and health promotion, integrated care & active and independent living for older persons.

Transcription:

Health Data Governance: Privacy, Monitoring and Research - Policy Brief October 2015 www.oecd.org/health Highlights All countries can improve their health information systems and make better use of data for quality, safety and performance gains and to advance medical treatments and practices. Many countries are at the beginning of a complex journey to encourage the development and safe use of health data. Only with strong health data governance frameworks can governments safely enable data use to improve health care quality and performance. Eight key data governance mechanisms support strengthening national health information systems and enabling multi-country projects to improve the public s health. Managing the safe use of health data is a major concern across the OECD OECD countries are ageing and increasing shares of our populations are living longer with multiple chronic and disabling conditions. This health shift has important implications for how care is best organised and provided; where new treatment innovations can be expected; and future cost pressures. To address the burden of chronic conditions, medicine must focus on preventing their on-set and controlling their progression. At the same time, health systems must focus on improvements in care co-ordination and efficient care delivery and on finding new ways to make systems more productive and sustainable. The need to more actively manage health system outcomes will drive health systems toward greater use of clinical and administrative data to assess the comparative effectiveness of therapies and services. This data will also be needed to support redesigning and evaluating new models of health care service delivery and will contribute to the discovery and evaluation of new treatments. There has already been tremendous growth in the range of health data that is being collected, including clinical, administrative, genetic, behavioural and environmental data. At the same time, the potential to process and analyse these emerging streams and volumes of data big data and to link and integrate them is growing. However, in the absence of a national strategy to promote safe data use and without a strong health data governance framework, many countries will miss the opportunity to safely enable data use to improve health care quality and performance. While all countries are investing in health data infrastructure, there are significant crosscountry differences in data availability and use, with some countries standing out with significant progress and innovative practices enabling privacy-protective data use; and others falling behind with insufficient data and restrictions that limit access to and use of data, even by government itself. Health data should provide a picture of the care pathway, linking different datasets Essential to health care quality and performance assessment is the ability to track patients as they progress back and forth through the health care system from primary Health Data Governance: Privacy, Monitoring and Research @ OECD 2015 1

health care, to specialty care, hospital care, long-term care, home care and hospice care. This data should also provide information about underlying patient characteristics, illnesses, medications, therapies, tests and images, and deaths. This type of follow-up permits a comprehensive view of health care services provided and the health outcomes of those services; and it permits uncovering medical errors, adverse drug reactions, fraud, adherence to clinical guidelines, effective treatments, optimal care paths and optimal responders to treatment. Understanding pathways often requires linking datasets at the patient level, as current health data are usually collected in silos such as primary health care datasets, datasets of in-patient hospitalisations, long-term care datasets, disease registries, pharmaceutical datasets and death registries. As a result, datasets must have sufficient detail to enable valid and reliable dataset linkages. The capacity to construct accurate data to assess pathways, outcomes and costs is increasing rapidly as health care systems adopt and use information technologies. The use of data from electronic health records, in particular, has the potential to enable a quantum leap in health care quality and performance assessment because such records can become part of an electronic health record system that captures data about patient s health care pathways and outcomes. Few countries are linking data across the pathways of health care to regularly monitor health care quality and health system performance. Among 22 countries surveyed, the health information systems with the greatest data availability, maturity and use were found in Denmark, Finland, Iceland, Israel, Korea, New Zealand, Norway, Singapore, Sweden and the United Kingdom. Thirteen countries are regularly linking data from at least four key national datasets to follow health care pathways and assess outcomes. Key reasons for approving these linkages are to develop health care quality and system performance indicators; to measure care co-ordination and outcomes of care pathways; to measure compliance with national health care guidelines; to produce indicators of health care utilisation and costs; to measure disease prevalence; and to measure health and health care by socioeconomic status. At the same time, five countries reported very few or no regular data linkage projects with national datasets. Further, in most countries, key areas of health care including primary care, long-term care and prescription medicines are not being included in data linkages to regularly monitor quality and health system performance (Figure 1). Concerns about protecting patient privacy have limited sharing of personal health data Health data that can be linked to measure pathways and outcomes is often both personal and sensitive. It is personal because there is information that identifies individuals; and it is sensitive because it is about aspects of individual s health and health care treatments and services. Throughout the OECD, the legal framework for the protection of personal data recognises health data as sensitive data and therefore requires a high level of protection. To date, there is high variability across OECD countries in data availability and use. This is due to concerns and uncertainty about how best to protect patient s rights to privacy and to preserve the security of health data when data is shared, linked and analysed (OECD, 2013a). 2 Health Data Governance: Privacy, Monitoring and Research @ OECD 2015

To better understand how countries manage the use of personal data in health, an OECD survey has looked into different data accessibility factors that are directly linked to legislative frameworks and their interpretation in practice. These factors include whether or not identifiable national personal health data are ever shared among data custodians or government entities and whether personal health data, after de-identification, can be approved for access by applicants from different sectors of society and by foreign applicants. Overall, data sharing and accessibility is greatest in New Zealand, Sweden and the United Kingdom (Figure 2). Nine countries, however, do not permit the sharing of personal data among national dataset holders for all or most of the key national datasets. In many of these countries, this results in data linkages not taking place. Some countries, such as Canada and the United States, report lengthy processes to negotiate data sharing arrangements between state, regional or provincial authorities and national authorities. Further, even after data has been de-identified, two countries have no mechanism to permit academic researchers to analyse it; seven countries have no mechanism for applicants from the commercial sector to analyse it, even if their work has a public benefit; and five countries have no mechanism for applicants from a foreign country to analyse it, even if the project has public benefits nationally and internationally. Strengthening governance mechanisms around the safe use of personal health data so as to make possible use of data for improving research and quality of care is therefore an urgent priority. Assessing the risks and benefits of use of personal data in health Countries that develop a data governance framework that enables privacy-protective data use will not only have the information Health Data Governance: Privacy, Monitoring and Research @ OECD 2015 3

needed to promote health care quality and health system performance, but they will also become a more attractive centre for medical research and will have opportunities to build public-private partnerships. Decision making about potential statistical or research uses of personal health data should be taken after considering both societal risks from the data use and societal benefits from the data use (Figure 3). If both dimensions are not evaluated, then decision making is likely to be sub-optimal for society. Benefits that may arise from data uses include promoting individuals rights to health through improved therapies and higher quality and more efficient health care services; producing research and evidence that responds to societal values regarding health and well-being, safe and effective health care, scientific discovery and innovation, and efficient, accessible, affordable and co-ordinated health care services; and producing positive economic outcomes for health system actors, governments and the economy through efficiency gains, returns to discovery and innovation and savings in data collection costs. Risks that may arise from data uses include infringements upon individuals rights to privacy; decisions and processes that fail to respond to societal values regarding privacy and data sharing; exposures of individuals to lost privacy and other harms, such as discrimination, social stratification leading to class disparities; and decisions and processes that weaken societal trust in health care providers and governments. A data governance framework with mechanisms and best practices to protect health data privacy at all stages of data development and use is the best way forward to create an environment within which the benefits of safe data use can be realised. 4 Health Data Governance: Privacy, Monitoring and Research @ OECD 2015

Figure 3. Data use decisions should be taken by weighing societal benefits and risks within a data governance framework that maximises benefits and minimise risks Data governance framework is aligned to maximise benefits and minimise risks: 1. Health information system 2. Legal framework 3. Public communication 4. Certification or accreditation of processors 5. Project approval process 6. Data de- identification 7. Data security and management 8. Data governance review cycle Benefits and risks of proposed data uses are evaluated: Benefits: Rights to health, Societal values toward health, health care quality & efficiency, and scientific discovery & innovation, & Benefits to individuals Risks: Rights to privacy, Societal trust in government & institutions, Societal values toward privacy & sharing data, & Harms to individuals Informed decisions to process personal health data are taken Key elements of a good governance framework for personal health data Health Ministry leadership is necessary to ensure that delivering the data to manage this important sector is at the forefront of government policy and action. Optimal decision making about potential statistical and research uses of personal health data can only be achieved if there is an overarching data governance framework in the country that has been aligned to minimise societal risks and to maximise societal benefits from data uses. After examining the current situation in OECD countries, a multi-disciplinary body of experts identified eight data governance mechanisms to maximise benefits to patients and to societies from the use of health data and minimise risks to patients privacy, public trust and confidence in health care providers and governments (OECD, 2015). These mechanisms are designed to work together to support countries in developing data governance frameworks and engaging in legislative reforms, including those necessary as the result of the anticipated EU Data Protection Regulation. These mechanisms build forward from existing efforts, such as the OECD Privacy Framework (OECD, 2013b) and the European Data Protection Directive (95-46-EC), to begin to address an unmet need for an international consensus about effective practices in the protection of privacy in the use of personal health data, so that we may facilitate greater harmonisation of privacy-protective monitoring and research activities. The eight key data governance mechanisms that support privacy-protective data use are summarised here. Please see the full report for the complete description of each mechanism. 1. The health information system supports the monitoring and improvement of health care quality and system performance, as well as research innovations for better health care and outcomes. Such systems are accessible for statistics and research, subject to safeguards specified in the legislative framework. They are developed within a data governance framework that protects health information privacy and reflects societal values regarding rights to privacy and to health. They are developed by establishing information priorities, data collection requirements and data content standards through formal and open consultation with key stakeholders. Health Data Governance: Privacy, Monitoring and Research @ OECD 2015 5

2. The processing and the secondary use of data for public health, research and statistical purposes are permitted, subject to safeguards specified in the legislative framework for data protection. Such legislative frameworks reflect the basic principles for privacy protection outlined in the OECD Privacy Framework (OECD, 2013b). They cover all data sources and all data custodians and processors. They require a fair and transparent project approval process including an independent, multi-disciplinary project approval body. They permit the use of personal health data for public health, research and statistics in the public interest, subject to the approval process. 3. The public are consulted upon and informed about the collection and processing of personal health data. This includes regular, clear and transparent communication with the public about the collection and processing of personal health datasets including the benefits of the processing, the risks of the processing and the risk mitigations. 4. A certification/accreditation process for the processing of health data for research and statistics is implemented. This process limits processing of identifiable data and data linkages to certified/accredited data custodians and processors. It requires those certified or accredited to comply with norms for data governance. 5. The project approval process is fair and transparent and decision making is supported by an independent, multidisciplinary project review body. This process follows a criteria for project approval that considers both societal risks and societal benefits of proposed data uses, such as the risk-benefit evaluation tool included in this OECD report. 6. Best practices in data de-identification are applied to protect patient data privacy. This includes documenting data de-identification methods, involving a data privacy expert in the development or review of de-identification methods; and defining identifiers and deleting them or, where necessary, creating pseudonyms. 7. Best practices in data security and management are applied to reduce re-identification and breach risks. This includes controlling and monitoring physical and IT data security within data custodians and processors; limiting data transfers to secure channels; and offering alternatives to transferring data, such as providing data access within a research data centre or through a secure data portal. 8. Governance mechanisms are periodically reviewed at an international level to maximise societal benefits and minimise societal risks as new data sources and new technologies are introduced. Best practices in data governance require continual assessment and renewal. This is because the volume, velocity and variety of health data are growing rapidly and the technologies used to communicate, process and store data are evolving, including, for example, cloud computing services. This creates a dynamic environment where data re-identification and data security risks are evolving. Further, legal frameworks continue to be renewed to reflect societal values and to address the requirements of a changing health information landscape. On-going collaboration among stakeholders in the development and use of health data, including legal experts, regulators, statisticians, IT professionals, policy makers, researchers, providers and patients, is essential to developing balanced policy decisions that can 6 Health Data Governance: Privacy, Monitoring and Research @ OECD 2015

reach the goal of maximising societal benefits and minimising societal risks. International collaboration in this dynamic area is also essential. Sharing information about best practices and lessons learned in health data governance needs to circulate widely; and movement toward common best practices should be supported, so that multicountry statistical and research projects that benefit the public s health are feasible. More international collaboration is needed, in particular to: Support countries in developing the norms necessary for governments to certify or accredit health data processors. Develop guidance for the implementation of approval bodies for project requiring the use of personal health data. Ensure that there are sufficient agreed international standards for health data coding and interoperability. Support countries to evaluate which national legal frameworks for the protection of health information privacy provide adequate protections to facilitate multi-country statistical and research projects. Review current practices in patient consent and in waivers to consent to reach a common understanding about mechanisms that are privacy protective. Review developments in health data security risks and threats and mechanisms to address them. Explore mechanisms to engage the public in discussion about personal health data and its governance to ensure that there is good public awareness of health data, the benefits of its use, its protection, and the rights of data subjects. Health Data Governance: Privacy, Monitoring and Research @ OECD 2015 7

Examples of good data governance practices Ten countries have 70% or more of the national datasets necessary for understanding health care pathways and outcomes. Eight countries have independent research ethics review boards advise on decisions to process personal health data. Finland and Iceland publish approval decisions for individual data linkage projects on a website. Australia and United Kingdom (Scotland) have accreditation for health data processors that ensures high data protection standards are met. Nine countries provide a website where the process to follow to become approved to access to de-identified linked data is explained. The United States and the United Kingdom (England) consider the data security environment and the data use when deciding the degree of data de-identification required. Switzerland, the United States and the United Kingdom provide examples of engaging external experts to test data security. Secure, real-time, remote data access systems are available in Canada (Ontario), the United Kingdom (Scotland and Wales), Netherlands and the United States and are being developed in Denmark and Korea. Secure research data centres are in use in Canada, Japan, Singapore, the Netherlands and the United States. Fourteen countries require a signed obligation to legally bind data recipients to the rules to be followed to protect the data. A fine or criminal conviction can be imposed for deliberate misuse of data in Korea, Norway and the United Kingdom, and among statistical authorities in Canada and the United States. Contacts Jillian Oderkirk Email: Jillian.ODERKIRK@oecd.org Luke Slawomirski Email: luke.slawomirski@oecd.org Visit our website OECD Health: www.oecd.org/health Read the report at: http://oe.cd/18a Follow us Twitter:@OECD_Social YouTube: https://www.youtube.com/oecd References OECD (2015), Health Data Governance: Privacy, Monitoring and Research, OECD Publishing, Paris OECD (2013a), Strengthening Health Information Infrastructure for Health Care Quality Governance: Good Practices, New Opportunities and Data Privacy Protection Challenges, OECD Health Policy Studies, Paris. OECD (2013b), OECD Privacy Framework, Paris. 8 Health Data Governance: Privacy, Monitoring and Research @ OECD 2015

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information