Survey Shows Risk Growing Along with Data Sharing
Demand for access to health data outpacing the ability to ensure patient privacy
Ottawa, ON, December 02, 2015 – As the demand for data sharing increases, more than two out of three healthcare organizations lack complete confidence in their ability to share data safely in order to protect individual privacy, according to a survey of privacy, IT and compliance professionals.
The survey—conducted by Privacy Analytics, Inc. in collaboration with the Electronic Health Information Laboratory, a group that conducts theoretical and applied research on the de-identification of health information—shows that despite the lack of confidence, data sharing activities continue to grow. Nearly two-thirds (62%) of respondents indicated that their organizations are currently releasing data for secondary purposes. More than half (56%) are planning on increasing the volume of data they share in the next 12 months, regardless of whether or not they already share data with others.
Secondary use of health data applies to protected health information (PHI) that is used for reasons other than direct patient care, such as data analysis, research, safety measurement, public health, payment, provider certification or marketing. Health records are the leading type of data being stored or shared (55%), followed by medical claims data (44%), trial data (36%), survey responses (33%), membership/enrollment (33%) and device data (23%).
“The increasing demand on healthcare organizations to share data, both internally and externally, is pushing the boundaries of data privacy regulations,” said Khaled El Emam, CEO, Privacy Analytics. “When sharing data for secondary use, the key is to balance privacy compliance with data utility. While unlocking the value in health data is important, the last thing any organization wants is to put patient information at unnecessary risk.”
When asked to identify current data management practices, more than 75 percent of respondents indicated that their organizations were using one or more approaches that can leave their data privacy compliance unknown and increase risk, such as data-sharing agreements (50%), data masking (31%) and Safe Harbor methodology (28%). These approaches do not adhere to globally accepted data sharing guidelines, including those from the Health Information Trust Alliance (HITRUST), the Institute of Medicine (IOM), and the Council of Canadian Academies. Although Safe Harbor is recommended by regulators, it represents a minimum standard for de-identification that can leave data vulnerable to a breach.
While there is currently no universal standard for the de-identification of protected health information (PHI), efforts to create a framework are underway. HITRUST recently released a de-identification framework, which organizations can use when creating, accessing, storing or exchanging personal information. This framework has incorporated and refined current best practices and regulations so that health organizations have access to essential information regarding information security.
Nearly half (48%) of respondents cited patient re-identification as a key challenge, with concern greatest among those already sharing data. Additional challenges include low staff knowledge on managing data safely (27%), low staff knowledge of data sharing practices and tools (25%), cost concerns (24%), and lack of organizational policies (23%). Respondents noted that their chief concern, protecting patients from re-identification, is difficult to address given a lack of knowledge and a lack of policy to achieve compliance.
“This survey shows that many organizations are facing challenges in sharing data for secondary purposes and, as a result, may be releasing data that still may have elevated re-identification risks, or data that has been stripped of its usefulness,” said El Emam. “As data sharing activities increase, these organizations need to better assess and manage privacy risk before sharing data in order to reduce their exposure to legal, financial and reputational damages that can result from a breach.”
Confidence in protecting privacy is correlated to an organization’s data management practices. Respondents whose organizations use de-identification software or third-party de-identification services are more likely to have complete confidence in their ability to responsibly share data for secondary use.
The majority of respondents who already share data, either within their organization only or with another firm externally, are interested in sharing data externally in the future with academic institutions and researchers (46%). A large portion of respondents is interested in sharing data externally in the future with pharmaceutical companies (27%) and device manufacturers (14%).
Responses to the survey came from individuals at various levels of seniority in their organization, from the C-level (33%) to managers (40%) and employees (28%). Approximately one in three individuals is responsible for privacy and compliance in their organization. Another 23% work in the IT department. Others identified themselves as researchers, clinicians, project managers, analysts and consultants. This diversity reflects the broad spectrum of individuals involved in privacy decision-making. Respondents were mainly located in the U.S. (75%) and Canada (18%), with a small number of individuals located in Europe (4%), Asia (3%) and other regions.