1. PRIVACY
ANALYTICSNothing personal.
THE STATE OF DATA
SHARING FOR
HEALTHCARE ANALYTICS
2015 - 2016:
CHANGE, CHALLENGES AND CHOICE
As demand for data sharing grows, healthcare organizations must move
beyond data agreements and masking to achieve regulatory compliance
2. Healthcare organizations are experi-
encing greater demand than ever to
share data, both internally and exter-
nally. Yet, despite the need for sophis-
ticated methods, organizations are
relying on rudimentary approaches to
managing the privacy and security of
their data, leaving them – and their
patients – at risk. In order to begin
addressing this gap, the industry must
identify what challenges healthcare
organizations face and what methods
are used when sharing sensitive
information.
The following summarizes the key
findings from The State of Data
Sharing for Healthcare Analytics
2015-2016: Change, Challenges and
Choice. The survey was launched
earlier this year by Privacy Analytics,
in collaboration with the Electronic
Health Information Laboratory, a
group that conducts theoretical and
applied research on the de-identifica-
tion of health information. The survey
assessed the state of data sharing
in healthcare and the challenges in
disclosing data for secondary use.
Secondary use of health data applies
to protected health information (PHI)
that is used for reasons other than
direct patient care, such as data anal-
ysis, research, safety measurement,
public health, payment, provider certi-
fication or marketing.
Healthcare organizations lack matu-
rity in how they currently utilize their
data1, but data analytics in healthcare
is taking hold. Investments made
through the HITECH Act and other
programs accelerated the adoption
of technology, transforming health-
care in recent years. Vast amounts of
data are now captured in electronic
medical records, medical monitoring
tools and information portals. One
outcome has been a flood of requests
for this sensitive information, from
internal groups that want to monitor
clinical quality, external organiza-
tions that aim to integrate data from
various systems to gain a comprehen-
sive view of patients and uncover new
treatments.
Moving beyond individual data silos
to integrated data systems that
support decision-making and innova-
tive research holds great promise, but
progress to implement this has been
slow. While staff, from executives to
front-line workers, see the potential of
data analytics, most are unsure of how
to reconcile the need for detailed and
high-quality data with privacy regula-
tions. Because many individuals lack
familiarity with advanced methods of
de-identifying data, they are releasing
information that has been stripped
of its usefulness or – even worse –
sharing data in a way that puts them at
an unacceptably high risk of a breach.
INTRODUCTION
1
3. 2
THERE IS A LACK OF TOTAL CONFIDENCE IN THE
ABILITY TO PROTECT PRIVACY.
More than two out of three lack complete confidence in
their organization’s ability to share data without putting
privacy at risk.
FINDINGS AT A GLANCE
THE DEMAND FOR DATA IS GROWING AS FAST AS THE
AMOUNT OF DATA BEING COLLECTED.
More than half of the respondents plan to increase the
volume of data stored or shared within 12 months and
two-thirds currently release data for secondary use.
MOST ORGANIZATIONS USE APPROACHES THAT CAN
RESULT IN HIGH RISK DATASETS.
More than 75 percent of respondents said that their orga-
nization uses one or more of the following: data-sharing
agreements, data masking or Safe Harbor.
HEALTHCARE ORGANIZATIONS ARE SLOWLY STARTING
TO MONETIZE DATA ASSETS.
One in six says they share data with other organizations
for profit.
INDIVIDUALS LACK FAMILIARITY WITH ADVANCED
METHODS OF DE-IDENTIFYING DATA.
As a result, they release information that has been
stripped of its usefulness or share data in a way that puts
them at an unacceptably high risk of a breach.
4. SURVEY PARTICIPANTS
3
RESPONDENT
ROLES
LEGAL 5%
OTHER 42%
IT 23%
COMPLIANCE 16%
PRIVACY 14%
“Other” includes individual cross-appointed to more than one role, as well as those
involved in management, research, clinical roles, finance, and marketing.
RESPONDENT JOB ROLES
A total of 271 individuals completed
the online survey between July and
September 2015. The respondents
held various levels of seniority in their
organization, from the C-level (33%) to
managers (40%) and employees (28%).
Approximately one in three individuals
surveyed is responsible for privacy
and compliance in their organization.
Another 23% work in the IT depart-
ment. Others identified themselves
as researchers, clinicians, project
managers, analysts and consultants.
This diversity reflects the broad spec-
trum of individuals involved in privacy
decision-making.
Respondents were mainly located in
the U.S. (75%) and Canada (18%), with
a small number of individuals located
in Europe (4%), Asia (3%) and other
regions.
5. 4
The State of Data Sharing for
Healthcare Analytics 2015-2016:
Change, Challenges and Choice market
survey reveals that, while healthcare
organizations are seeing a surge in the
demand to share data for secondary
use, data analytics in healthcare is still
immature. As a result, organizations
can expect to feel mounting pressure
to bring their data storage and sharing
practices in line with emerging industry
standards. HITRUST, the Institute of
Medicine, PhUSE and the Canadian
Council of Academies have all put
forward guidelines that recommend
the use of risk-based de-identification
when disclosing PHI for secondary
uses.
The major findings of this survey
reflect overall trends being seen in
healthcare analytics. Results found
here are consistent with those of
surveys conducted by other reputable
groups with interests in data secu-
rity and privacy. One finding from the
2015-2016 survey revealed that more
than two out of three respondents
lack complete confidence in their
organization’s ability to responsibly
share data for secondary uses without
putting individual privacy at risk. This
is almost identical to a recent ISACA
survey that found only 29% of privacy
professionals are very confident in their
enterprise’s ability to ensure the privacy
of its sensitive data.2
To gain insight into healthcare orga-
nizations’ need to protect patient
privacy, the challenges faced, and the
approaches currently being used, the
survey presented questions in three
sections: Basics of data sharing,
Current uses of data, and Challenges.
The main findings from each section
are presented below.
KEY FINDINGS
6. BASICS OF DATA SHARING
Respondents see demand for their
data coming from a variety of sources,
both internal and external, and many
already release data for secondary use.
Internal uses of data include any data
sharing within the organization that is
not for providing care, such as quality
assurance for products and fraud
detection. External uses of data include
any use of data by an outside organi-
zation, such as for revenue or reporting
purposes. While external data sharing
occurs primarily with academic institu-
tions for research and analysis, there
is interest in greater sharing with other
outside organizations, too.
Nearly two-thirds (62%) of respon-
dents indicated that their organization
currently releases data for secondary
use. A majority (56%) are also planning
on increasing the volume of data they
share in the next 12 months, regard-
less of whether or not they already
share data with others.
Respondents who expressed an
interest in de-identification said that it
is primarily due to increased demand
to share data externally (45%) and the
desire to make use of sensitive data
internally (41%). Other reasons include
validation for compliance (26%), soft-
ware testing (17%) and research (4%).
The majority of respondents who
already share data, either within their
organization only or with another firm
externally, are interested in sharing
data externally in the future with
academic institutions and researchers
(46%). A large portion of respondents
is interested in sharing data externally
in the future with pharmaceutical
companies (27%) and device manufac-
turers (14%).
Health records are the leading type
of data being stored or shared (55%)
by respondents, followed by medical
claims data (44%), trial data (36%),
membership enrollment (33%), survey
responses (33%), and device data
(23%).
In summary, demand for data is on the
rise, including for organizations that
only use data internally. It is important
for organizations using data for any
type of secondary purpose, including
internal uses such as quality assur-
ance, to protect it.
5
7. Medical claim data
Membership or enrollment data
Device data
Trial data
Survey responses
Health records
0 5 10 15 20 25 30 35 40 45 50 55 60
Percentage of respondents
Research
Compliance and validation
Sharing data externally
Using data internally
Software testing
0 5 10 15 20 25 30 35 40 45 50
Percentage of respondents
6
INTEREST IN USING DE-IDENTIFICATION
TYPES OF DATA BEING SHARED
8. Sharing for profit
Sharing for primary analysis
Sharing for secondary analysis
0 10 20 30 40 50 60 70 80
Percentage of respondents
CURRENT USES OF DATA
Survey respondents indicated that
they anticipate the demand for data
to grow in the foreseeable future, with
a few already starting to monetize
their data. Those who have started
monetizing data are slightly more
inclined to use Safe Harbor de-identifi-
cation strategies, but most are relying
on data sharing agreements and
masking techniques only. While Safe
Harbor substantially reduces the risk
of re-identification, it does not provide
the same level of rigor as risk-based
de-identification, putting organizations
at an unnecessarily high risk of a data
breach.
While data are often being used for
secondary analysis such as research
or fraud detection (60%), the largest
use is for primary analysis, including
quality assurance (72%). This finding
is in line with a HealthLeaders Media
survey conducted earlier this year
showing the top analytic use of data to
be improving clinical quality.3
The move towards monetizing data
assets will be propelled by changes to
hospital reimbursements. The shift to
pay-for-performance models means
Regardless of whether or not they
currently share data, the majority
of respondents foresee an
increase in their data sharing
practices within the next year.
7
CURRENT USES OF DATA
9. Masking
non i ation or i ntifi ation
Not sure/none
hir part i ntifi ation
Saf ar or i ntifi ation
Data sharing agreements
0 5 10 15 20 25 30 35 40 45 50
Percentage of respondents
that providers will likely see declining
reimbursements in the near term.
Health insurers will also feel the pinch,
caught between health providers and
their clients. As business fundamentals
become more important, data analytics
will give insights on ways to cut costs
and improve efficiencies.4 But, expect
these players to increasingly look to
monetization of their data as a way to
generate new revenues. The propor-
tion of respondents that have begun
monetizing their data assets (19%) is
in line with research from Gartner that
reported 30 percent of U.S. businesses
will monetize their information assets
by 2016.5
When it comes to data management
practices, two-thirds of respondents
are managing the majority of their data
sharing practices in-house. When asked
to identify their current data manage-
ment practices, more than 75 percent
of respondents said that their organiza-
tion uses one or more approaches that
could result in unknown data privacy
compliance and risk, such as data-
sharing agreements (50%) and data
masking (31%). The use of Safe Harbor
methodology is also on the rise (28%).
Although Safe Harbor is recommended
by regulators, it represents a minimum
standard for de-identification that can
leave data vulnerable to a breach. One
in 13 respondents said their organiza-
tion currently uses no data manage-
ment practices.
8
DATA MANAGEMENT TECHNIQUES
10. to n r tan ri of r i ntifi ation
oo fit into rr nt infra tr t r
Granular high-quality data
rtif ing o p ian
oo i i p
0 1 2 3 4 5 6 7 8 9 10
Rated by importance
(10 being the most important)
Cost
Low knowledge on sharing and software
No concerns
Lack of data use policy
Low knowledge on managing data
i ntifi ation on rn
0 5 10 15 20 25 30 35 40 45 50
Percentage of respondents
9
MOST IMPORTANT ELEMENTS OF A PRIVACY SOLUTION
CURRENT CONCERNS IN DATA SHARING
However, one in five respondents says that their organization has taken steps to
reduce risk by using expert determination de-identification software or third-party
de-identification. This type of de-identification represents the most stringent data
protection available. These organizations are more likely to be handling health
records (57%), medical claims data (51%) or trial data (51%), some of the most
sensitive types of data being handled today. While this small subset of organi-
zations that handle sensitive data understands the complexities around data
sharing, many more are leaving themselves open to unnecessary levels of risk
and noncompliance.
11. CHALLENGES
Healthcare organizations are slowly
beginning to unlock their data for
secondary uses. Faced with requests
for sensitive information, they must
balance the demand for high-quality,
granular data with requirements for
privacy compliance. Unfortunately, two
out of three respondents lack complete
confidence in their organization’s ability
to share data without putting individual
privacy at risk. The demand for data,
combined with the magnitude of PHI
being collected in electronic medical
records, medical monitoring apps and
other healthcare networks, makes this
a cause for concern. Healthcare is a
heavily-regulated environment where
failure to act with care not only puts
patient privacy at risk but exposes
the organization to legal, financial
and reputational penalties if there is a
breach.
Confidence in protecting privacy is
correlated to an organization’s data
management practices. Respondents
whose organizations use de-identifica-
tion software or third-party de-identifi-
cation services are more likely to have
complete confidence in the ability to
responsibly share data for secondary
use.
Nearly half (48%) of the respondents
cited preventing patient re-identifica-
tion as a key challenge when storing
and sharing data, with concern
greatest among those who already
share their data. Additional chal-
lenges include low staff knowledge on
managing data safely (26%), low staff
knowledge of data sharing practices
and tools (25%), cost concerns (24%),
10
Respondents whose organiza-
tions use de-identification soft-
ware or services are more likely
to have complete confidence in
the ability to responsibly share
data for secondary use.
12. 11
and lack of organizational policies
(23%). Combined, low staff knowledge
issues were identified as a challenge
by fully half (51%) of the respondents.
This is consistent with other surveys
that found “overcoming insufficient
skills in analytics” to be the top tactical
challenge to performing analytics.6
Knowledge gaps are a major concern
and more education and training on
de-identification and best practices in
data management are needed at many
organizations.
When asked about privacy discussions
within their own organizations and the
benefits of data management solu-
tions, reduced risk of privacy breaches
and security were cited most often,
followed closely by confidence in
regulatory compliance. Subsequently,
when asked about the importance of
various privacy solutions, the most
highly rated is the “Ability to certify that
data is compliant”. This was found to
be “Very Important” by more than 41%
of the respondents. The ability to main-
tain the granularity of data was also
frequently identified (by 32%) as “Very
Important”. Thus, it would appear that
healthcare organizations are seeking
ways to responsibly share high-quality
data while ensuring that they meet
regulatory compliance.
In summary, respondents noted that
their chief concern of protecting
patients from re-identification is diffi-
cult to solve given a lack of knowl-
edge and a lack of policy to achieve
compliance.
“De-identification [allows us] to
provide growth for our corporate
culture of compliance.”
-Anonymous survey respondent
13. 12
The growing demand to share health
data brings with it growing risks. The
proliferation of PHI and subsequent
requests for data is pushing the
boundaries of compliance as orga-
nizations try to satisfy demand. The
response has been to err on the side
of caution and keep data locked away.
Unfortunately, most organizations
still rely on rudimentary data manage-
ment approaches, such as data
sharing agreements and masking,
that fail to fully comply with data
protection laws and which fall far
short of emerging standards that
have universally recommended the
need for risk-based de-identification
when sharing data for secondary
purposes. The number of organi-
zations yet to embrace these more
advanced approaches to data
management is indicative of the slow
pace of change in the industry, partic-
ularly when it comes to information
technology.
Without a staff that is fully knowl-
edgeable of the tools and techniques
to share data safely, organizations
will continue to lack confidence in
their ability to protect privacy when
disclosing data. This should spur orga-
nizations to reduce their reliance on ad
hoc practices and seek out education
and expertise on better ways to respon-
sibly share sensitive data.
The results of the market survey are
indicative of the gap between regula-
tory requirements and the industry’s
preparation to meet them, as was
noted in a Deloitte Brief on privacy
and security of protected health infor-
mation.7 The HITECH Act introduced
a requirement for periodic audits of
covered entities and business asso-
ciates to check compliance with
HIPAA Privacy, Security and Breach
Notification Rules. The importance
of ongoing risk analysis will be a
central feature of these audits. A pilot
audit program conducted in 2013
showed that few healthcare organi-
zations had appropriate controls in
place and that the industry needed to
significantly improve its security and
privacy programs. With the perma-
nent audit program about to come
into existence,8 the clock has run out
on organizations that have delayed
the implementation of rigorous,
risk-based privacy protocols and
practices.
Those who are in charge of storing
and sharing PHI know that they must
do so responsibly. The responses to
this survey echo their struggles to
prevent patient re-identification and
meet regulatory compliance. Many
organizations feel unprepared to
responsibly store and share data for
secondary purposes, and thus, are
unable to advance analytics in their
organization. Those organizations
that have taken steps to improve their
understanding of de-identification
and follow emerging standards, like
the Health Information Trust Alliance
(HITRUST) and PhUSE guidelines, are
in an advantageous position in the
emerging field of healthcare analytics.
They will benefit from the ability to
broadly share data with small down-
side risk and confidently monetize
their data.
CONCLUSION
14. 13
Privacy Analytics sent a survey
invitation to approximately 8500
professionals in their database
who have responsibilities around
PHI. Recipients work in a variety
of settings, including hospitals
and other healthcare providers, at
healthcare payers, pharmaceutical
and device manufacturers, research
organizations and public agencies.
Responses were collected from 339
professionals over a nine-week period
from July to September 2015. Of
those 271 individuals completed the
survey, forming the dataset used in
this report. The margin of error for the
results is +/- 5.2%, at the edge of a
95-percent confidence interval.
In order to gather responses anony-
mously, the online survey software
SurveyMonkey was used. A link to
the survey was sent to recipients via
email and was also posted to the
Privacy Analytics website. Four out of
five people who initiated the survey
accessed it via the link in their email.
METHODOLOGY
15. 14
1 International Institute for Analytics and HIMSS Analytics. (2014, February 24). The
State of Analytics Maturity for Healthcare Providers: The DELTATM Powered Analytics
Assessment Benchmark Report. HIMSS Analytics. Retrieved from http://www.himssana-
lytics.org/sites/default/files/DELTA%20Powered%20Suite%20FAQ_June2015_0.pdf
2 ISACA (2015). Keeping a Lock on Privacy: How Enterprises Are Managing Their Privacy
Function. ISACA. Retrieved from http://www.isaca.org/Knowledge-Center/Research/Re-
searchDeliverables/Pages/keeping-a-lock-on-privacy.aspx
3 HealthLeaders Media (2015, April). IT and the Analytics Advantage: Managing Data to
Master Risk. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/con-
tent/TEC-315376/Intelligence-Report-Slideshow-IT-and-the-Analytics-Advantagemdash-
Managing-Data-to-Master-Risk##
4 Prewitt, Edward (2012, June). HealthLeaders Media Breakthroughs: The Promise of
Healthcare Analytics. HealthLeaders Media. Retrieved from http://healthleadersmedia.
com/breakthroughs/281331/The-Promise-of-Healthcare-Analytics
5 Gartner (10 January, 2013). Gartner Predicts 30 Percent of Businesses Will Be Mone-
tizing Their Information Assets Directly by 2016. Retrieved from http://www.gartner.com/
newsroom/id/2299315
6 HealthLeaders Media (2015, April). IT and the Analytics Advantage: Managing Data to
Master Risk. HealthLeaders Media. Retrieved from http://healthleadersmedia.com/con-
tent/TEC-315376/Intelligence-Report-Slideshow-IT-and-the-Analytics-Advantagemdash-
Managing-Data-to-Master-Risk##
7 Deloitte Center for Health Solutions. (2014). Issue Brief: Update: Privacy and Security
of Protected Health Information Omnibus Final Rule and stakeholder considerations.
Deloitte LLP. Retrieved from http://www2.deloitte.com/content/dam/Deloitte/us/Docu-
ments/life-sciences-health-care/us-lshc-privacy-and-security.pdf
8 Dvorak, Katie (2015, September 3). OCR picks vendor for second phase of HIPAA audit
program. FierceHealthIT. Retrieved from http://www.fiercehealthit.com/story/ocr-picks-
vendor-second-phase-hipaa-audit-program/2015-09-03
REFERENCES