Understanding the Risk with Data Sharing

The growing demand to share health data brings with it growing risks. The proliferation of PHI and subsequent requests for data are pushing the boundaries of compliance as organizations try to satisfy demand. One response has been to err on the side of caution and keep data locked away. However, for those who take the road less travelled, understanding the risk inherent in data sharing is essential.

Most organizations, unfortunately, still rely on rudimentary data management approaches, such as data sharing agreements and masking. These methods fall short of emerging standards that universally recommend risk-based de-identification when sharing data for secondary purposes. The small number of organizations embracing more advanced approaches to data management is indicative of the slow pace of change in the industry, particularly when it comes to information technology.

Without staff who are fully knowledgeable about the tools and techniques for sharing data safely, organizations will continue to lack confidence in their ability to protect privacy when disclosing data. This should spur organizations to reduce their reliance on ad hoc practices and seek out education and expertise on better ways to responsibly share sensitive data.

What We Know

The results of the Privacy Analytics market survey show the gap between regulatory requirements and the industry’s preparation to meet them. These findings also match a Deloitte Brief on privacy and security of protected health information. The HITECH Act introduced a requirement for periodic audits of covered entities and business associates to check compliance with the HIPAA Privacy, Security and Breach Notification Rules. Ongoing risk analysis will be a central feature of these audits. A pilot audit program conducted in 2013 showed that few healthcare organizations had appropriate controls in place and that the industry needed to significantly improve its security and privacy programs. With the permanent audit program about to come into existence, the clock has run out on organizations that have delayed the implementation of rigorous, risk-based privacy protocols and practices.

Those who are in charge of storing and managing PHI know that they must understand the risk in data sharing. The responses to our market survey echo struggles to prevent patient re-identification and meet regulatory compliance. Many organizations feel unprepared to responsibly store and share data for secondary purposes and thus are unable to advance analytics in their organization. Those organizations that have taken steps to improve their understanding of de-identification and follow emerging standards, like the Health Information Trust Alliance (HITRUST) and PhUSE guidelines, are in an advantageous position in the emerging field of healthcare analytics. They will benefit from the ability to broadly share data with lower risk and confidently monetize their data.

How does your organization compare? We want to know! Our second State of Data Sharing survey is now online. In only five minutes, you can contribute to a better understanding of how healthcare manages health data. Take our survey here.
