In today’s world, data is power. Healthcare providers have massive amounts of rich health data at their fingertips. Yet historically, third-party vendors to healthcare providers have often derived financial benefits from secondary use of this data by aggregating and brokering de-identified data to downstream customers.
That is beginning to change as healthcare providers are taking back control of their data assets.
Truveta, Inc., a new startup led by 14 of the largest health systems in the U.S., has formed to pool together their vast and diverse data in order to take back control over how their patients’ de-identified data is shared and used. Truveta’s goal is to leverage patient data to improve patient care, address health inequity, accelerate the development of treatments and reduce the time to make a diagnosis.
The company will have access to de-identified data representing approximately 13% of patient records in the U.S. This amalgamation of data will result in more diversified data sets varying by diagnosis, geography and demographics. The process can significantly expand the opportunities for that data's secondary analytics uses.
The success of such a massive undertaking with so many stakeholders requires that good data stewardship be central to the endeavor. As healthcare providers begin to leverage their data to derive knowledge and ultimately gain wisdom about how better to care for their patients, they will bear a greater responsibility to ensure the privacy and security of the health data their patients trust them to safeguard.
Failure to afford the appropriate safeguards in terms of how data is collected, aggregated, de-identified, shared and ultimately utilized could result in the demise of this sort of big data collaboration.
Good data stewardship must address legal, regulatory, contractual and ethical standards. From a strictly legal and regulatory perspective, healthcare providers seeking to pool and share de-identified health data will need to consider the applicable federal and international laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Common Rule, the EU General Data Protection Regulation (GDPR), Food and Drug Administration regulations, and Federal Trade Commission regulation.
In addition, several states have established their own data privacy and protection laws and regulations, such as the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act, which notably does not include an exemption for covered entities.
Although compliance with these laws and regulations can mean that an entity has met its legal obligations, laws such as HIPAA have not necessarily kept up with technological advances in the past decades. As regulators continue work to update the laws, the industry can take additional steps to ensure adequate safeguards are in place.
Healthcare providers can structure contractual obligations with the companies with which they share their data to mitigate risk and limit downstream uses. Through carefully crafted master services agreements, data use agreements, business associate agreements, data sharing agreements and terms of use, entities can balance the desire to provide access to their data with the need to maintain control over it.
Entities should consider the following while drafting such agreements:
- The regulatory mechanisms by which identifiable data may permissibly be shared with third parties.
- Whether to sell or license the data.
- Limitations on the recipient’s rights to resell, sublicense or otherwise share the data.
- Audit rights and mechanisms to ensure the data is being used as intended.
- Risk allocation.
- Prohibition on data-linking and re-identifying data.
- Location of data hosting.
- Data security requirements.
Yet, while contracts can help entities manage legal, regulatory and financial risk, they may not be sufficient to mitigate risks associated with reputation.
Finally, and perhaps most importantly, healthcare entities should establish ethical guidelines to ensure proper data stewardship based on defined objectives. Poor ethical decision-making when sharing and using sensitive patient data can lead to unsavory optics and public relations nightmares.
To manage these risks, it is important to develop ethical frameworks by which to operate big data projects.
For example, Truveta has established an ethics policy that sets forth its values and principles. It will maintain an Ethics Committee to uphold the policy and guide its operations.
In formulating ethical guidelines, entities should assess the types of third parties with whom they choose to share data and for what purposes. According to Truveta’s Ethics Policy, the company will only partner with organizations that share its mission, and will not partner with organizations that are solely focused on marketing to patients or physicians.
One way to control who receives the data would be to implement a formalized process through which prospective partners submit a proposal outlining how they intend to use the de-identified data and the methods they will utilize to appropriately safeguard the data.
Such proposals would go through a rigorous vetting process to ensure the partner’s use is in line with the entities' overarching mission and goals. In addition, entities should strongly consider how to partner with patients in this endeavor.
Such engagement should focus on transparency and patient empowerment, and may involve developing a communications plan, educational tools, and opt-in and/or opt-out procedures.
Patients divulge their most intimate secrets to their healthcare providers because they trust their providers and expect that their privacy will be safeguarded. As data flows into third-party hands to power big data endeavors, preserving privacy must remain paramount no matter where in the chain of custody patient data may land.
Truveta is paving the way for healthcare providers to be in the driver’s seat when they're harnessing the power of health data. As Truveta aspires to “Save Lives with Data,” it will be imperative that the company, and other similar ventures, develop thoughtful, values-driven strategies to protect the data they amass and preserve the trust of the patients they serve.
About the authors:
Nivedita B. Patel is senior counsel in Epstein Becker Green's Washington office. Patel is an advisor to clients, and offers legal counsel and strategic business advice on state and federal healthcare fraud and abuse laws, solutions to complex transactional issues and all facets of health-regulatory due diligence.
Alaap B. Shah is a member of Epstein Becker Green’s Health Care and Life Sciences practice in the firm's Washington office. His work focuses on defense and counseling of healthcare entities on legal and regulatory compliance issues around privacy, cybersecurity and data asset management. He has experience with legal issues related to health information technology, big data analytics and digital health strategies.