THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015 - 2016: CHANGE, CHALLENGES AND CHOICEAs demand for data sharing grows, healthcare organizations must move beyond data agreements and masking to achieve regulatory compliance

Healthcare organizations are experi-encing greater demand than ever to share data, both internally and exter-nally. Yet, despite the need for sophis-ticated methods, organizations are relying on rudimentary approaches to managing the privacy and security of their data, leaving them – and their patients – at risk. In order to begin addressing this gap, the industry must identify what challenges healthcare organizations face and what methods are used when sharing sensitive information.

The following summarizes the key findings from The State of Data

Sharing for Healthcare Analytics

2015-2016: Change, Challenges and

Choice. The survey was launched earlier this year by Privacy Analytics, in collaboration with the Electronic Health Information Laboratory, a group that conducts theoretical and applied research on the de-identifica-tion of health information. The survey assessed the state of data sharing in healthcare and the challenges in disclosing data for secondary use. Secondary use of health data applies to protected health information (PHI) that is used for reasons other than direct patient care, such as data anal-ysis, research, safety measurement, public health, payment, provider certi-fication or marketing.

Healthcare organizations lack matu-rity in how they currently utilize their

data1, but data analytics in healthcare is taking hold. Investments made through the HITECH Act and other programs accelerated the adoption of technology, transforming health-care in recent years. Vast amounts of data are now captured in electronic medical records, medical monitoring tools and information portals. One outcome has been a flood of requests for this sensitive information. From internal groups that want to monitor clinical quality to external organiza-tions that aim to integrate data from various systems, healthcare organiza-tions want to gain a comprehensive view of their patients and encourage innovation.

Moving beyond individual data silos to integrated data systems that support decision-making and innova-tive research holds great promise, but progress to implement this has been slow. While staff, from executives to front-line workers, see the potential of data analytics, most are unsure of how to reconcile the need for detailed and high-quality data with privacy regula-tions. Because many individuals lack familiarity with advanced methods of de-identifying data, they are releasing information that has been stripped of its usefulness or – even worse – sharing data in a way that puts them at an unacceptably high risk of a breach.

INTRODUCTION

1

2

THERE IS A LACK OF TOTAL CONFIDENCE IN THE ABILITY TO PROTECT PRIVACY.

More than two out of three respondents lack complete confidence in their organization’s ability to share data

without putting privacy at risk.

FINDINGS AT A GLANCE

THE DEMAND FOR DATA IS GROWING AS FAST AS THE AMOUNT OF DATA BEING COLLECTED.

More than half of the respondents plan to increase the volume of data stored or shared within 12 months and

two-thirds currently release data for secondary use.

MOST ORGANIZATIONS USE APPROACHES THAT CAN RESULT IN HIGH RISK DATASETS.

More than 75 percent of respondents said that their orga-nization uses one or more of the following: data-sharing

agreements, data masking or Safe Harbor.

HEALTHCARE ORGANIZATIONS ARE SLOWLY STARTING TO MONETIZE DATA ASSETS.

One in six says they share data with other organizations for profit.

INDIVIDUALS LACK FAMILIARITY WITH ADVANCED METHODS OF DE-IDENTIFYING DATA.

As a result, they release information that has been stripped of its usefulness or share data in a way that puts

them at an unacceptably high risk of a breach.

SURVEY PARTICIPANTS

3

RESPONDENTROLES

LEGAL 5%

OTHER 42%

IT 23%

COMPLIANCE 16%

PRIVACY 14%

“Other” includes individual cross-appointed to more than one role, as well as those involved in management, research, clinical roles, finance, and marketing.

RESPONDENT JOB ROLES

A total of 271 individuals completed the online survey between July and September 2015. The respondents held various levels of seniority in their organization, from the C-level (33%) to managers (40%) and employees (28%). Approximately one in three individuals surveyed is responsible for privacy and compliance in their organization. Another 23% work in the IT depart-ment. Others identified themselves

as researchers, clinicians, project managers, analysts and consultants. This diversity reflects the broad spec-trum of individuals involved in privacy decision-making.

Respondents were mainly located in the U.S. (75%) and Canada (18%), with a small number of individuals located in Europe (4%), Asia (3%) and other regions.

4

The State of Data Sharing for

Healthcare Analytics 2015-2016:

Change, Challenges and Choice market survey reveals that, while healthcare organizations are seeing a surge in the demand to share data for secondary use, data analytics in healthcare is still immature. As a result, organizations can expect to feel mounting pressure to bring their data storage and sharing practices in line with emerging industry standards. HITRUST, the Institute of Medicine, PhUSE and the Canadian Council of Academies have all put forward guidelines that recommend the use of risk-based de-identification when disclosing PHI for secondary uses.

The major findings of this survey reflect overall trends being seen in healthcare analytics. Results found here are consistent with those of surveys conducted by other reputable

groups with interests in data secu-rity and privacy. One finding from the 2015-2016 survey revealed that more than two out of three respondents lack complete confidence in their organization’s ability to responsibly share data for secondary uses without putting individual privacy at risk. This is almost identical to a recent ISACA survey that found only 29% of privacy professionals are very confident in their enterprise’s ability to ensure the privacy of its sensitive data.2

To gain insight into healthcare orga-nizations’ need to protect patient privacy, the challenges faced, and the approaches currently being used, the survey presented questions in three sections: Basics of data sharing, Current uses of data, and Challenges.

The main findings from each section are presented below.

KEY FINDINGS

BASICS OF DATA SHARING

Respondents see demand for their data coming from a variety of sources, both internal and external, and many already release data for secondary use. Internal uses of data include any data sharing within the organization that is not for providing care, such as quality assurance for products and fraud detection. While external data sharing occurs primarily with academic institu-tions for research and analysis, there is interest in greater sharing with other outside organizations, too. External uses of data include any use of data by an outside organization, such as for revenue or reporting purposes.

Nearly two-thirds (62%) of respon-dents indicated that their organization currently releases data for secondary use. A majority (56%) are also planning on increasing the volume of data they share in the next 12 months, regard-less of whether or not they already share data with others.

Respondents who expressed an interest in de-identification said that it is primarily due to increased demand to share data externally (45%) and the desire to make use of sensitive data

internally (41%). Other reasons include validation for compliance (26%), soft-ware testing (17%) and research (4%).

The majority of respondents who already share data, either within their organization only or with another firm externally, are interested in sharing data externally in the future with academic institutions and researchers (46%). A large portion of respondents is interested in sharing data externally in the future with pharmaceutical companies (27%) and device manufac-turers (14%).

Health records are the leading type of data being stored or shared (55%) by respondents, followed by medical claims data (44%), trial data (36%), membership enrollment (33%), survey responses (33%), and device data (23%).

In summary, demand for data is on the rise, including for organizations that only use data internally. It is important for organizations using data for any type of secondary purpose, including internal uses such as quality assur-ance, to protect it.

5

Medical claim data

Membership or enrollment data

Device data

Trial data

Survey responses

Health records

0 5 10 15 20 25 30 35 40 45 50 55 60

Percentage of respondents

Research

Compliance and validation

Sharing data externally

Using data internally

Software testing

0 5 10 15 20 25 30 35 40 45 50

Percentage of respondents

6

INTEREST IN USING DE-IDENTIFICATION

TYPES OF DATA BEING SHARED

Sharing for profit

Sharing for primary analysis

Sharing for secondary analysis

0 10 20 30 40 50 60 70 80

Percentage of respondents

CURRENT USES OF DATA

Survey respondents indicated that they anticipate the demand for data to grow in the foreseeable future, with a few already starting to monetize their data. Those who have started monetizing data are slightly more inclined to use Safe Harbor de-identifi-cation strategies, but most are relying on data sharing agreements and masking techniques only. While Safe Harbor substantially reduces the risk

of re-identification, it does not provide the same level of rigor as risk-based de-identification thereby putting organi-zations at an unnecessarily high risk of a data breach.

While data are often being used for secondary analysis such as research or fraud detection (60%), the largest use is for primary analysis, including quality assurance (72%). This finding is in line with a HealthLeaders Media survey conducted earlier this year showing the top analytic use of data is improving clinical quality.3

The move towards monetizing data assets will be propelled by changes to hospital reimbursements. The shift to pay-for-performance models means

Regardless of whether or not they currently share data, the majority of respondents foresee an increase in their data sharing practices within the next year.

7

CURRENT USES OF DATA

Masking

non i ation or i ntifi ation

Not sure/none

hir part i ntifi ation

Saf ar or i ntifi ation

Data sharing agreements

0 5 10 15 20 25 30 35 40 45 50

Percentage of respondents

that providers will likely see declining reimbursements in the near term. Health insurers will also feel the pinch, caught between health providers and their clients. As business fundamentals become more important, data analytics will give insights on ways to cut costs and improve efficiencies.4 But, expect these players to increasingly look to monetization of their data as a way to generate new revenues. The propor-tion of respondents that have begun monetizing their data assets (19%) is in line with research from Gartner that reported 30 percent of U.S. businesses will monetize their information assets by 2016.5

When it comes to data management

practices, two-thirds of respondents are managing the majority of their data sharing practices in-house. When asked to identify their current data manage-ment practices, more than 75 percent of respondents said that their organi-zation uses one or more approaches that could result in unknown data privacy compliance and risk, such as data-sharing agreements (50%) and data masking (31%). The use of Safe Harbor methodology is also on the rise (28%). Although Safe Harbor is recom-mended by regulators, it represents a minimum standard for de-identifica-tion that can leave data vulnerable to a breach. One in 13 respondents said their organization currently uses no data management practices.

8

DATA MANAGEMENT TECHNIQUES

to n r tan ri of r i ntifi ation

oo fit into rr nt infra tr t r

Granular high-quality data

rtif ing o p ian

oo i i p

0 1 2 3 4 5 6 7 8 9 10

Rated by importance(10 being the most important)

Cost

Low knowledge on sharing and software

No concerns

Lack of data use policy

Low knowledge on managing data

i ntifi ation on rn

0 5 10 15 20 25 30 35 40 45 50

Percentage of respondents

9

MOST IMPORTANT ELEMENTS OF A PRIVACY SOLUTION

CURRENT CONCERNS IN DATA SHARING

However, one in five respondents says that their organization has taken steps to reduce risk by using expert determination de-identification software or third-party de-identification. This type of de-identification represents the most stringent data protection available. These organizations are more likely to be handling health records (57%), medical claims data (51%) or trial data (51%), some of the most sensitive types of data being handled today. While this small subset of organi-zations that handle sensitive data understands the complexities around data sharing, many more are leaving themselves open to unnecessary levels of risk and noncompliance.

CHALLENGES

Healthcare organizations are slowly beginning to unlock their data for secondary uses. Faced with requests for sensitive information, they must balance the demand for high-quality, granular data with requirements for privacy compliance. Unfortunately, two out of three respondents lack complete confidence in their organization’s ability to share data without putting individual privacy at risk. The demand for data, combined with the magnitude of PHI being collected in electronic medical records, medical monitoring apps and other healthcare networks, makes this a cause for concern. Healthcare is a heavily regulated environment where failure to act with care not only puts patient privacy at risk but exposes the organization to legal, financial and reputational penalties if there is a breach.

Confidence in protecting privacy is correlated to an organization’s data management practices. Respondents

whose organizations use de-identifica-tion software or third-party de-identifi-cation services are more likely to have complete confidence in the ability to responsibly share data for secondary use.

Nearly half (48%) of the respondents cited preventing patient re-identifica-tion as a key challenge when storing and sharing data, with concern greatest among those who already share their data. Additional chal-lenges include low staff knowledge on managing data safely (26%), low staff knowledge of data sharing practices and tools (25%), cost concerns (24%),

10

Respondents whose organiza-tions use de-identification soft-ware or services are more likely to have complete confidence in the ability to responsibly share data for secondary use.

11

and lack of organizational policies (23%). Combined, low staff knowledge issues were identified as a challenge by fully half (51%) of the respondents. This is consistent with other surveys that found “overcoming insufficient skills in analytics” to be the top tactical challenge to performing analytics.6 Knowledge gaps are a major concern and more education and training on de-identification and best practices in data management are needed at many organizations.

When asked about privacy discussions within their own organizations and the benefits of data management solu-tions, reduced risk of privacy breaches and security were cited most often, followed closely by confidence in regulatory compliance. Subsequently, when asked about the importance of various privacy solutions, the most highly rated is the “Ability to certify that

data is compliant”. This was found to be “Very Important” by more than 41% of the respondents. The ability to main-tain the granularity of data was also frequently identified (by 32%) as “Very Important”. Thus, it would appear that healthcare organizations are seeking ways to responsibly share high-quality data while ensuring that they meet regulatory compliance.

In summary, respondents noted that their chief concern of protecting patients from re-identification is diffi-cult to solve given a lack of knowl-edge and a lack of policy to achieve compliance.

“De-identification [allows us] to provide growth for our corporate culture of compliance.” -Anonymous survey respondent

12

The growing demand to share health data brings with it growing risks. The proliferation of PHI and subsequent requests for data is pushing the boundaries of compliance as orga-nizations try to satisfy demand. The response has been to err on the side of caution and keep data locked away.

Unfortunately, most organizations still rely on rudimentary data manage-ment approaches, such as data sharing agreements and masking, that fail to fully comply with data protection laws and which fall far short of emerging standards that have universally recommended the need for risk-based de-identification when sharing data for secondary purposes. The number of organi-zations yet to embrace these more advanced approaches to data management is indicative of the slow pace of change in the industry, partic-ularly when it comes to information technology.

Without a staff that is fully knowl-edgeable of the tools and techniques to share data safely, organizations will continue to lack confidence in their ability to protect privacy when disclosing data. This should spur orga-nizations to reduce their reliance on ad hoc practices and seek out education and expertise on better ways to respon-sibly share sensitive data.

The results of the market survey are indicative of the gap between regula-tory requirements and the industry’s preparation to meet them, as was noted in a Deloitte Brief on privacy and security of protected health infor-mation.7 The HITECH Act introduced a requirement for periodic audits of

covered entities and business asso-ciates to check compliance with HIPAA Privacy, Security and Breach Notification Rules. The importance of ongoing risk analysis will be a central feature of these audits. A pilot audit program conducted in 2013 showed that few healthcare organi-zations had appropriate controls in place and that the industry needed to significantly improve its security and privacy programs. With the perma-nent audit program about to come into existence,8 the clock has run out on organizations that have delayed the implementation of rigorous, risk-based privacy protocols and practices.

Those who are in charge of storing and sharing PHI know that they must do so responsibly. The responses to this survey echo their struggles to prevent patient re-identification and meet regulatory compliance. Many organizations feel unprepared to responsibly store and share data for secondary purposes, and thus, are unable to advance analytics in their organization. Those organizations that have taken steps to improve their understanding of de-identification and follow emerging standards, like the Health Information Trust Alliance (HITRUST) and PhUSE guidelines, are in an advantageous position in the emerging field of healthcare analytics. They will benefit from the ability to broadly share data with small down-side risk and confidently monetize their data.

CONCLUSION

13

Privacy Analytics sent a survey invitation to approximately 8500 professionals in their database who have responsibilities around PHI. Recipients work in a variety of settings, including hospitals and other healthcare providers, at healthcare payers, pharmaceutical and device manufacturers, research organizations and public agencies. Responses were collected from 339 professionals over a nine-week period from July to September 2015. Of

those 271 individuals completed the survey, forming the dataset used in this report. The margin of error for the results is +/- 5.2%, at the edge of a 95-percent confidence interval.

In order to gather responses anony-mously, the online survey software SurveyMonkey was used. A link to the survey was sent to recipients via email and was also posted to the Privacy Analytics website. Four out of five people who initiated the survey accessed it via the link in their email.

METHODOLOGY

14

1 International Institute for Analytics and HIMSS Analytics. (2014, February 24). The State of Analytics Maturity for Healthcare Providers: The DELTATM Powered Analytics Assessment Benchmark Report. HIMSS Analytics. Retrieved from http://www.himssan-alytics.org/sites/default/files/DELTA%20Powered%20Suite%20FAQ_June2015_0.pdf

2 ISACA (2015). Keeping a Lock on Privacy: How Enterprises Are Managing Their Privacy Function. ISACA. Retrieved from http://www.isaca.org/Knowledge-Center/Research/Re-searchDeliverables/Pages/keeping-a-lock-on-privacy.aspx

3 HealthLeaders Media (2015, April). IT and the Analytics Advantage: Managing Data to Master Risk. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/content/TEC-315376/Intelligence-Report-Slideshow-IT-and-the-Analytics-Advantagem-dashManaging-Data-to-Master-Risk

4 Prewitt, Edward (2012, June). HealthLeaders Media Breakthroughs: The Promise of Healthcare Analytics. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/breakthroughs/281331/The-Promise-of-Healthcare-Analytics

5 Gartner (10 January, 2013). Gartner Predicts 30 Percent of Businesses Will Be Mone-tizing Their Information Assets Directly by 2016. Retrieved from http://www.gartner.com/newsroom/id/2299315

6 HealthLeaders Media (2015, April). IT and the Analytics Advantage: Managing Data to Master Risk. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/content/TEC-315376/Intelligence-Report-Slideshow-IT-and-the-Analytics-Advantagem-dashManaging-Data-to-Master-Risk

7 Deloitte Center for Health Solutions. (2014). Issue Brief: Update: Privacy and Security of Protected Health Information Omnibus Final Rule and stakeholder considerations. Deloitte LLP. Retrieved from http://www2.deloitte.com/content/dam/Deloitte/us/Docu-ments/life-sciences-health-care/us-lshc-privacy-and-security.pdf

8 Dvorak, Katie (2015, September 3). OCR picks vendor for second phase of HIPAA audit program. FierceHealthIT. Retrieved from http://www.fiercehealthit.com/story/ocr-picks-vendor-second-phase-hipaa-audit-program/2015-09-03

REFERENCES

www.privacy-analytics.com