Between doctors, hospitals, and online services, it’s no surprise that data fragmentation is a major issue in the healthcare industry. The health data of many patients are scattered across many provider systems, locations, and servers, making it difficult for patients to know who can access their data.
This presents an obvious obstacle to health scientists who need access to data to seek solutions for a pandemic like COVID-19 as it affects millions of humans across geographies. Even in normal times, limits on sharing and portability of health data between providers hamper the ability of doctors to determine the most effective treatment protocols based on past history.
At the same time, this data fragmentation also creates ongoing privacy and security issues, like pharmacies selling patient data to marketers, researchers pulling records for studies, and health data being targeted by hackers.
This precarious situation raises the question: Who should own a patient’s sensitive healthcare data?
The need to protect patient data
Healthcare organizations are aware of the need to protect patient data. According to one survey, ownership of data is the primary concern among health providers when it comes to the use of cloud computing and data storage. And it’s a justifiable concern, with health data being worth up to five times more than non-health data if stolen, and often showing up for sale on the nefarious “dark web.” There’s also great economic value in using patient data in research and statistical analysis.
Many of the issues surrounding data sharing and privacy come as the result of patients themselves not being in control of their own health data. While a model of complete patient data ownership might seem far off the horizon due to the current state of scattered and fragmented data, a patient ownership paradigm is taking shape in other places across the world.
Estonia is a frequently cited vanguard of data ownership, while Europe as a whole has modeled a progressive view of data privacy with its General Data Protection Regulation (GDPR) legislation. Under GDPR, collecting and processing health data is generally prohibited without explicit consent of the individual. GDPR also has defined strict parameters related to individual data ownership and portability.
Improving health data visibility
In addition to improved security, a model of strict patient health data ownership would also prove critical in solving many of the logistical and ethical problems the healthcare industry currently faces around collecting, analyzing, deploying, and protecting patients’ data in today’s digital age. This includes effectively pulling accurate data from various sources, and ethical concerns around gaining consent.
Eric Lefkofsky, CEO of healthcare data analysis startup Tempus, provides insights into the scale of the challenges surrounding the current data ownership model.
“I think even though patients should own their data, the bigger challenge we all have to tackle is the underlying infrastructure that allows us to move around this kind of rich clinical data seamlessly across providers, all of which is entirely today broken and siloed,” he says.
Better data analytics of individuals and populations
Predictive analytics and the use of machine learning algorithms are making their way into the healthcare field, with the potential to improve outcomes and reduce costs. But under the current fragmented system, myriad ethical and legal challenges remain before artificial intelligence (AI) systems can use machine learning to analyze the totality of a single patient’s health data, as well as data from large populations of patients. Both kinds of analysis benefit providers trying to predict which treatments are likely to be most effective for particular types of patients, whether for new strains of coronavirus or any other disease. The challenge of individual patients being “lost in the shuffle” of aggregate data remains, as big data trends don’t necessarily apply to each and every individual.
Predictive analytics systems accessing health data via the blockchain, for instance, would let personal information be accessed securely, enabling better health data analysis without compromising privacy or security. The goals include improved diagnostics, enhanced patient experience, reduced health care cost per capita, and a better understanding of how individual health profiles can inform and affect the development of future treatments for large populations.
The right regulatory framework to protect privacy
Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), health data that is disconnected from a patient’s personal identifying information can be legally used without a patient’s consent. HIPAA allows any health data analysis system to automatically pull data from various sources to help doctors make better decisions, but personal information like the patient’s city and e-mail address can’t be legally included without consent.
HIPAA requires the removal of sensitive personal information from data being analyzed by various AI and machine learning systems, which is a net positive from a privacy and security standpoint. But a privacy concern is that with enough data, the people and systems using health data may be able to re-identify the person even with that personal information stripped out. Therefore, HIPAA alone doesn’t necessarily resolve the potential ethical quagmire that exists when it comes to AI and predictive systems that automatically aggregate and analyze data.
Microsoft’s GDPR Implementation and HIPAA Compliance report outlines key differences between the two regulations, and why policymakers may want to look towards the GDPR model for increased patient ownership rights over their health data:
“The GDPR imposes more strict conditions on the processing of ‘sensitive’ categories of personal data, which include health, biometric and genetic data, but such categories also include other types of data unrelated to health, such as race, ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership.”
While health systems continue to have issues when it comes to using patient information in ways that directly lead to improved outcomes, protection of patients’ rights must remain a priority, as a greater focus on data collection and analysis will likely be a big part of the solution when it comes to preparing for future pandemics or other emergencies and predicting and improving outcomes.
“I think ultimately, the only solution is that people have to own their data,” says Eric Topol, founder and director of the Scripps Translational Science Institute. “We’re seeing other countries, like Estonia and Switzerland, adopting this ownership model, where people can share parts of their data with physicians, medical research projects, and that sort of thing. Eventually, we’ll go there because [data ownership] will have to be considered a civil right.”
If structured similarly to GDPR, tomorrow’s patient-owned data would increase security and privacy by providing stricter controls on third-party access to health data without explicit consent.
“Medical records constitute special categories of personal data, as the processing can create significant risks to the data subject’s fundamental rights and freedoms,” explains Ian Deguara, director of technical affairs at Malta’s Office of Information and Data Protection Commissioner. “The GDPR provides for stronger rules on data protection, which effectively mean that data subjects will have more control over their personal data.”
In the future, a patient-owned data model could look more like an opt-in system, where people are made aware of what AI and other analytic systems are seeking to use their data and give clear consent when they decide the public good may merit it. The benefit would trickle down to physicians, doctors, hospitals and health scientists, enabling them to speed research in urgent situations, improve diagnoses, and deploy treatments that give individuals the opportunity to take control of their healthcare outcomes. Full circle.