More than two-thirds of healthcare organizations aren’t sure whether they can safely share data and protect individual privacy, according to newly released survey findings. That troublesome uncertainty raises data integrity concerns in an environment in which data sharing is on the rise.
Privacy Analytics, a firm specializing in de-identification software, recently surveyed 271 individuals at healthcare organizations, primarily in the United States and Canada, about their data management practices. The Electronic Health Information Laboratory, a group that conducts research on the de-identification of health information, assisted on the project.
The survey report reveals that 62 percent of respondent organizations are currently releasing data for secondary purposes, such as data analysis, research, safety measurement, public health initiatives, payment, provider certification or marketing. Health records top the list of most commonly stored or shared data types (55 percent), followed by medical claims data (44 percent), trial data (36 percent), survey responses (33 percent), membership/enrollment data (33 percent) and device data (23 percent).
More than half of respondents plan on increasing the volume of data they share in the next 12 months.
“The increasing demand on healthcare organizations to share data, both internally and externally, is pushing the boundaries of data privacy regulations,” said Khaled El Emam, CEO of Privacy Analytics, in a public statement. “When sharing data for secondary use, the key is to balance privacy compliance with data utility. While unlocking the value in health data is important, the last thing any organization wants is to put patient information at unnecessary risk.”
The survey report identifies more than 75 percent of respondent organizations using “one or more approaches that can result in unknown data privacy compliance and increased risk.”
Nearly half (48 percent) of respondents cite patient re-identification as a key challenge, with concern greatest among those already sharing data. Other challenges include low staff knowledge in regard to safely managing data (27 percent), low staff knowledge of data sharing practices and tools (25 percent), cost concerns (24 percent) and lack of organizational policies (23 percent).
“This survey shows that many organizations are facing challenges in sharing data for secondary purposes and, as a result, may be releasing data that have elevated re-identification risks, or data that has been stripped of its usefulness,” said El Emam. “As data sharing activities increase, these organizations need to better assess and manage privacy risk before sharing data in order to reduce their exposure to legal, financial and reputational damages that can result from a breach.”
The report notes that although there is currently no universal standard for the de-identification of protected health information (PHI), efforts to create a workable framework are underway. For example, in March, the Health Information Trust Alliance (HITRUST) released a de-identification framework for organizational use when creating, accessing, storing or exchanging PHI. As reported by HealthITSecurity.com, the HITRUST framework starts with use cases and defines multiple levels of anonymization. From there, HITRUST recommends specific use cases for each variant, such as end-to-end testing of automated clinical workflows and data mining for clinical research.