Watch the webinar here: http://www.screencast.com/t/6E1ZgTOb Deven McGraw, Partner at Manatt, Phelps & Phillips, discussed privacy and security concerns in regards to the liberation and usage of health data. There is enormous potential to glean valuable insights from large data sets of health (and health-related) information - but the collection and use of health information for analytics purposes raises privacy and security concerns. Solution of these issues is key to realizing the benefits of health big data. This presentation will focus primarily on some of the regulatory challenges to learning uses of clinical and administrative claims data but also touch on challenges to big data analytics in other contexts (for example, government data and data collected by consumer-facing commercial entities like mobile health apps, social networking sites, search engines, and other personal health tools). Discover more health data resources on our website at http://www.healthdataconsortium.org/

1. HDC Webinar Series
Addressing Privacy and Security Concerns to
Unlock Insights in Big Data in Healthcare
Deven McGraw, Manatt, Phelps & Phillips, LLP
Introduced by Dwayne Spradlin, CEO Health Data Consortium

2. Addressing Privacy and Security Concerns
to Unlock Insights in Big Data in Healthcare
Deven McGraw, JD, MPH, LLM
Partner
Manatt, Phelps & Phillips, LLP

3. Health “Big Data”
 Data analytics conducted by “traditional health care system” is regulated
by HIPAA.
 Health data (and data with health implications) collected, used and
disclosed by consumer-facing and non-health care system entities is not.
 FTC has authority to address unfair or deceptive practices engaged in by for-profit
companies; also enforce HITECH data breach notification for personal health record
vendors & related apps.
 Aim should be to support and build public trust in data analytics that
advance the learning health care system.

4. How does HIPAA govern analytic uses of data?
 HIPAA applies only to individually identifiable health information – data that
is “de-identified” per HIPAA standards is not subject to any regulation.
 “Limited Data Sets” (the close cousin to de-identified data) are permitted for
research; data holders are required to execute data use agreements;
individual consent typically not required.
 We are familiar with research networks that rely on these data types – but
not always ideal for all types of research

5. HIPAA & Analytics (cont.)
 Before fully identifiable information can be used for research purposes, the
patient’s authorization must be obtained (currently authorization must be
study specific – but Omnibus rule allows for authorizations for future
research, as long as that future research is “sufficiently described”)
 Can be waived by a Privacy Board or IRB if too difficult to obtain authorization, risk to
privacy is considered to be low, and benefits are high
 Some exceptions (review of data onsite in preparation for research, research on
decedent’s info, and use of limited data set)
 Scope of new rule uncertain

6. HIPAA & Analytics (3)
 Uses and disclosures of identifiable health data for “health care operations”
do not require individual consent or authorization
 Includes conducting quality assessment and improvement activities, including outcomes
evaluation and development of clinical guidelines; population-based activities relating to
improving health or reducing costs
 However, if “obtaining of generalizable knowledge” is a primary purpose of these
activities, it is considered “research” and not operations

7. The Common Rule
 Applies to federally funded research (or research in federally funded
institutions) on identifiable data
 Includes health services research
 Review of IRB (either full or expedited) required
 Consent required, although can be waived if:
 The research involves no more than minimal risk
 The waiver will not adversely affect the rights & welfare of subjects
 The research could not be practicably conducted w/out the waiver; and
 When appropriate, subjects are provided with additional info after participation.

8. The Common Rule (cont.)
 ANPRM sought comment on fairly significant changes
 Research on data collected for clinical purposes but secondarily used for research
purposes would be exempt from requiring IRB approval –one-two page registration of
study with IRB/institution required instead
 If data are identifiable, consent is required (but general consent would suffice);
 Rely on HIPAA for standards of identifiability
 Require adoption of data security protections
 Biospecimens collected for clinical purposes – requires consent for research even if not
identifiable
 Unclear if/when proposed rule will be issued…

9. Issues with Current Federal Legal Frameworks Governing
Health Data Analytics
 Genuine confusion about application of the rules
 Overly conservative interpretation of the rules – in most cases,
HIPAA says “can” not “must”
 Health services research often requires multiple sites to work
together – typically not easy
 Data as an asset
 Data holders have a legal responsibility to protect; variances in risk tolerance
 Differences in state law can also create obstacles

10. Research vs. Operations
 HIPAA
 Health care operations includes “conducting quality assessment and improvement
activities, including outcomes evaluation and development of clinical guidelines, provided
that the obtaining of generalizable knowledge is not the primary purpose of any studies
resulting from such activities.” (emphasis added) Also includes “population-based
activities relating to improving health or reducing health care costs, and protocol
development.
 Research is a “systematic investigation, including research development, testing, and
evaluation, designed to develop or contribute to generalizable knowledge.”
 Common Rule has the same definition for research.

11. Paradox
 Two studies using data for quality improvement purposes: both use the
same data points, are done to address the same question or sets of
questions, and are done by the same institution. They will be:
 Treated as operations if the results are only intended to be used internally
 Treated as research if a primary purpose is to share the results with others so that
“learning” may occur.
 Guidance on “primary purpose” allows for a later change in plans – but initially you
have to intend to be doing only operations
 How does this advance both the learning healthcare system and
protections for data?

12. Health IT Policy Committee (HITECH) Comments to Common
Rule ANPRM
 Use of clinical data to evaluate safety, quality and efficacy should be treated like
operations, even if the intent is to share results for generalizable knowledge, as long
as provider entity maintains oversight and control over data use decisions.
 Entities should follow the full complement of fair information practices in using PHI
for these purposes.
 Recommendations provided some examples of activities with clinical data that
should be treated as operations – but also acknowledged further work was needed to
determine a new line for when analytics with EHR data should be treated under more
robust rules.
Recommendation letter of 10/18/11 - http://www.healthit.gov/policy-researchers-implementers/health-it-policy-
committee-recommendations-national-coordinator-heal

13. Criticisms of Current Legal Requirements
 Regulations should ideally be based on risk – risk with respect to the
intervention being studied and risk with respect to privacy & confidentiality.
 De-identification is an important data protection tool but it is not infallible (still
very low risk of re-identification; some types of “data” raise more risk).
 Failure to address broad spectrum of fair information practices – more
emphasis on consent, data identifiability.
 No incentives in the law to pursue privacy-protective data sharing
architectures.

14. Fair Information Practices – Markle Common
Framework
 Openness and transparency
 Purpose specification and
minimization
 Collection limitation
 Use limitation
 Individual participation and control
 Data integrity and quality
 Security safeguards and controls
 Accountability and Oversight
 Remedies

15. Potential Paths Forward
 Increased focus on discriminatory/harmful uses (but don’t ignore risks
inherent in collection)
 At least experiment with different frameworks for protecting privacy in
research using clinical data
 Rely less on consent and instead pursue other models of patient engagement (e.g.,
input into research; greater transparency re: research uses of data; requirements to
share results with patients)
 Mechanisms of accountability/oversight (Canadian model (PHIPA), voluntary research
network governance models, accreditation)
 Incentives to pursue privacy-enhancing data sharing architectures
 Study their efficacy in building and maintaining public trust in research.

16. White House Big Data Report
 Released May 2014
 Distinction between “big data” and “small data”: Big data is characterized
by 3 Vs (Volume, Variety, Velocity)
 Other key observations:
 De-identification is insufficient to protect privacy in big data analytics
 Meta data raises significant privacy issues – should not necessarily treat as less risky
then content
 Focus on assuring responsible uses, vs. trying to control collection; role of notice and
consent should be re-examined.

17. White House Big Data Recommendations*
 Current policy frameworks may work well enough for small data, but they
do not meet the challenges of big data, including in health:
 “The complexity of complying with numerous laws when data [is] combined from
various sources raises the potential need to carve out special data use authorities for
the health care industry if it is to realize the potential health gains and cost reductions
that could come from big data analytics.” (p. 23)
 Government should lead a consultative process to assess how HIPAA and
other relevant federal laws and regulations can best accommodate the
advances in medical science and cost reductions in health care delivery
enabled by big data.
*partial list

18. White House Big Data Recommendations
 Advance the Consumer Privacy Bill of Rights, including drafting of
legislative text
 Pass national data breach legislation
 Government data is a national resource and should be made broadly
available to the public whenever possible – while continuing to protect
personal privacy, business confidentiality and national security.
 All departments and agencies should examine how they might best harness big data
to help carry out their missions.
 We should increase investment in R&D on privacy-enhancing
technologies.

19. PCAST Big Data Technology Report
 Policy attention should focus more on the actual uses of big data and less on its
collection and analysis.
 Policies & regulation should not embed particular technological solutions but
should instead focus on intended outcomes.
 Relevant gov’t agencies (NITRD) should strengthen research in privacy-related
technologies & relevant areas of social science that inform their application.
 US should encourage increased education and training opportunities in privacy
protection.
 U.S. should take the lead by adopting policies that stimulate the use of privacy-
protecting technologies that exist today.