Magazine article Risk Management

Data Privacy Checkup: 6 Strategies for Minimizing Risk When Sharing Health Information

Article excerpt

As health care organizations try to capitalize on big data, their risks are increasing exponentially. To address this issue, professionals trained in health data risk management must guide their organizations in monitoring emerging risks and establishing defensible health data-sharing practices.

While the technology, finance and retail industries have long relied on big data and analytics to generate additional revenue and reduce the cost of doing business, the health care industry lags behind in seizing these opportunities. As a result, health care organizations are just now beginning to unlock the potential of their rapidly growing data assets. Hospitals, health insurers, and drug and medical device companies are increasingly seeking opportunities to access and use health data for secondary purposes. These include supporting medical research, performing post-market drug surveillance, monitoring the quality of care, identifying and treating diseases in a more timely manner, and delivering better clinical outcomes.

The increased use and sharing of health data triggers significant risks, however, with regard to patient privacy, legal compliance, financial exposure and corporate reputation, for both internal and external secondary data-sharing activities. Leveraging protected health information (PHI) or personally identifiable information (PII) requires health care organizations to tread carefully. Safeguarding patient privacy is paramount and the repercussions from data exposure and breach can be costly in many ways, both to the organization and to the people whose privacy it is obligated to protect.

For privacy officers, risk professionals and an increasing number of executives, sharing data for secondary use is inherently an exercise in risk management. By effectively assessing the data's exposure to risk, organizations can take proper measures to safeguard individual privacy. It is about striking the right balance. While maximum security could be achieved by simply not sharing the data with anyone, this would defeat the purpose and demands of secondary use. Maximum data quality can be reached by keeping the data elements intact, but this leaves sensitive, protected or confidential information exposed to unauthorized viewing, use, disclosure or theft.

A recent survey of privacy, IT and compliance professionals revealed that, as demand for data access and sharing increases, more than two out of three health care organizations lack complete confidence in their ability to share data safely with regard to protecting individual privacy. The survey--conducted by Privacy Analytics in collaboration with the Electronic Health Information Laboratory--indicated that, despite this lack of confidence, data-sharing activities continue to grow. Nearly two-thirds (62%) of respondents indicated that their organizations are currently releasing data for secondary purposes. More than half (56%) are planning to increase the volume of data they share in the next 12 months.

The goal, then, should be to find the appropriate way to ensure both privacy compliance and access to useful data.

The regulatory environment for health information is complex. Long-standing legislation like the Health Insurance Portability and Accountability Act (HIPAA) has been modified and updated by the HITECH Act and other changes, and recently the proposed 21st Century Cures Act has suggested provisions to further modify the rules around sharing patient data. With the addition of various national and international standards and guidelines, like those from the Health Information Trust Alliance (HITRUST), Institute of Medicine and the EU's Data Protection Directive 95/46/EC, it can be challenging to determine if data-sharing practices meet regulatory compliance.

These recent changes have elevated the role of risk managers and privacy officers, who must now go further to help their organizations monitor emerging risks, navigate the regulatory landscape and manage risk to minimize financial and reputational costs. …
