From risk management to precision medicine, data science is taking on a greater role in the healthcare industry.
But even as interest grows, some hospitals balk at the challenges privacy and compliance regulations impose on patient data. For example, in a Society of Actuaries survey released in June, 93 percent of healthcare provider and payer executives agreed predictive analytics are important to the future of their business, but cited budgetary and regulatory issues as top challenges to implementing the processes.
"Long gone are the days of walking into a doctor's office and seeing the wall at the back with all the paper charts," says Thora Johnson, a healthcare attorney at the Washington, D.C.-based law firm Venable. "The push to incentivize providers to adopt EMRs has made medical data much more accessible, on a large scale, than ever before — and now you see the ability to mine that data and gain insight from that data."
Ms. Johnson, who co-chairs Venable's healthcare initiative in Baltimore, and James Nelson, a corporate IT attorney and partner-in-charge of Venable's San Francisco office, spoke with Becker's Hospital Review about the regulatory challenges hospital leaders should consider when working with patient data.
Here are six key thoughts they shared.
Editor's note: Responses have been lightly edited for length and clarity.
How analytics are changing the healthcare industry
James Nelson: "The confluence of the volume of data that's being collected with the sophistication of computing powers is driving change in healthcare. We're watching its adoption in two particular areas. One is on the payment side of things, with recovery audits, financial analytics and the overall delivery of services. The second is the personalized medicine, the individualized treatments and the analytics associated with the actual care being delivered and the diagnoses being made. So much of the data monetization activities that are going on began with an efficiency drive, with consistency, reduced errors and other benefits that come from analytics. I'm out in San Francisco, with a lot of the startups that are working with this information, and I get that statisticians are the new, 'cool' engineers, so to speak."
On a hospital's first step to data mining
Thora Johnson: "Safeguard that data. You need to make sure that patient data is kept secure and that you consider what actual rights you have to use and disclose that data. You need to make sure you have taken all the necessary precautions as best you can to safeguard that information within the regulatory framework in which you are working. Healthcare is a very regulated industry. You've got HIPAA, which has safeguards and limits the uses and disclosures of identifiable health information. Then you have state law, and some states have more robust infrastructure than others. And there's always the Federal Trade Commission in the background, dealing with consumers. Do consumers have adequate knowledge as to how their medical data may or may not be used at your hospital?"
On who gets to use patient data (and how)
TJ: "When it comes to individuals' medical data and having that in the hands of providers and their vendors, you have to think about who has the right to use that data and to gain insights from that data. There's always this question of: Whose data is it? And it's not the ownership, as much as who has the right to do what with the data. Can it be combined? Can you de-identify it? Can you disclose those insights? You have service providers who have access to medical records from different healthcare providers in the hospital. Do they have the right to take the medical records from one institution and combine it with medical records from another, to really enrich their insights?"
Don't treat all healthcare data the same
JN: "Know what you've got. Then you're in a position to have a much more informed and effective conversation with providers and attorneys. We're getting collectively more sophisticated as to how data and information shouldn't all be treated the same. Let me turn to Thora to ask about protected health information, versus let me turn to someone else to look at confidential information that may have a business value. If you've done your homework to triage and segment data, you'll have the clarity as to what it is, so we can all move forward with a better grasp of what we're dealing with and how we're going to be protective for everyone. It's like a proverbial 'I have a haystack, but I'm not sure whether it's got needles in it or not.' You have to be clear on what you've got, and then you can have more nuanced conversations."
Today, not all healthcare data is falls under HIPAA
TJ: "Not all of the health information that's out there today is actually subject to HIPAA, because HIPAA only really applies to healthcare providers that bill electronically for their services, the health plans, their healthcare clearinghouses — which make up a small portion of the covered entities out there — and then their service providers. There's a lot of health information out there today that really isn't subject to HIPAA. There are all these wearables. You have individuals who went to Target and got their Fitbit, or whatever tracker they might have. But just because the tracker's data isn't subject to the HIPAA privacy law doesn't mean it's a free-for-all. Those working with data then have to consider the state law, which could have a broader impact than just HIPAA itself in application."
Why "disrupting" healthcare takes so long
JN: "When you're sharing data with outside partners, you've got those who come from the healthcare side of the house who are quite familiar with the fact it's a heavily regulated industry. Then, you also have those who may be coming at it from a service provider standpoint, or who might even have outside offerings they're adapting into the healthcare space, where these regulations are new and novel. From the provider perspective, when you're sharing data, it's a matter of reference checking, having an understanding of who a potential partner is and having a familiarity with what they do, as well as what your expectations are going to be, and so forth."