Striking a balance: HDUs as the future of data privacy and interoperability
In an era of polarizing health data debates, health data utilities emerge as the keystone for patient consent management and data exchange.
Note: This article is part 1 of a 3-part series that takes a deep dive into HDUs. Continue exploring HDUs and how they can optimize health management in part 2.
Recent headlines, particularly around reproductive health laws, have catapulted the issue of health data exchange mainstage. As differing opinions about what constitutes health data and what the need of exchanging such data persist, stakeholders are scrambling — unfortunately, it’s polarizing patients, providers and communities against critical policies and hindering initiatives that improve the health of our populations.
As a woman and a lawyer, I am especially concerned with securing and obtaining consent for exchanging sensitive health data, but this knee-jerk reaction is fueling frustration and confusion across those providing care and those receiving it. It has created a dichotomous reaction where the “solution” is to stop data flow entirely. In other words, we believe we can only have one or the other – privacy or interoperability, all our data or none of it.
Thankfully, there is a better way to solve the need for agile data exchange that requires neither stopping data flow nor exchanging sensitive data without patient consent – health data utilities (HDUs).
Supporting not siloing
For a decade, federal investments have aimed to increase health data interoperability efforts to improve health outcomes. And, as evidenced by an onslaught of recent research, a person’s wellbeing is influenced by a plethora of factors, including social determinants of health, which account for nearly 80 percent of patient outcomes.
Collaborative efforts have focused on breaking down barriers that keep these crucial data locked in different siloes. Comprehensive patient data that include social, clinical and public health are paramount in identifying the correct treatment plan for specific patients and populations, along with coordinating access to the services and supports they may need.
For example, roughly one in 12 children have pediatric asthma, but children of color are more than twice as likely to be hospitalized. While prolonged exposure to irritants and inconsistent medication use are the leading causes of acute asthma attacks, clinicians lack insight into patterns of hospitalization that could alert them to environmental or financial conditions that cause repeated emergency intervention. Without this, they cannot facilitate connection to wrap-around services available to prevent these repeated hospitalizations.
Conversely, public health agencies may be aware of areas or populations with increased needs, but they may not be able to capture the clinical data to ensure the patients are pushed upstream into the hands of social and community organizations that can provide interventions and other support services.
Without a way to proactively get the right data into the right hands of the right providers who can act on it, high-risk populations are left to deal with these challenges on their own, often with substandard results.
Data control and patient consent
While there’s consensus supporting comprehensive data exchange, the debate magnifies when the ethics of sharing patient information become less straight-forward. Maryland and Oklahoma are two states that reflect recent tensions around this debate.
In Maryland, new legislation would restrict the flow of reproductive data, absent patient consent, in electronic health records because of concerns these data could be accessed – and potentially criminalized – on national networks. Meanwhile, in Oklahoma, as the state passed a new law requiring providers to share data to a state exchange, patients and providers alike protested, objecting to the mandate to share behavioral health information.
In both instances, the message from providers and patients is clear: “If data continues to be shared without my control and consent, I will not share it.”
To complicate matters further, national data exchange practices have been in place for years. The Centers for Medicare & Medicaid Services already incentivizes — and, in some cases, requires — the sharing of data and the 21st Century Cures Act enacted by the Office of the National Coordinator for Health IT (ONC) prohibits information blocking.
Now, patients want greater control over which data is shared and when. So, too, do providers. Yet what is sensitive in one state may not be considered sensitive in another. What is sensitive to me may not be to you. While it’s legal for women in my state to obtain reproductive services, what happens if they move to a state where it’s illegal?
And while the ONC’s Trusted Exchange Framework and Common Agreement (TEFCA) may — once it is operational — address the exchange of some types of sensitive data, it is limited to federal-level oversight, leaving data privacy and controls still largely within each state. Without localized state regulatory protections, patients become vulnerable — with no consent or control over where their data is being shared.
A privacy-centric solution
HDUs are emerging as part of the fabric of interoperability in some states, while offering a pathway to state-based consent management.
These public-private entities, often nonprofits, offer streamlined, secure access to trusted data for key stakeholders to combine, enhance and exchange health data electronically across settings, providing a foundation for strengthening quality of care, care coordination and community and population health interventions. HDUs offer an alternative to the thousands of point-to-point data-use agreements that would have to be implemented to otherwise provide the same connections across public, social and clinical health organizations.
These neutral entities often created from already existing infrastructure, such as in Maryland, can be regulated by law to stand at the intersection of public and state interest. As such, they are well-equipped and agile enough to serve as the solution to consent management as the nation moves toward a landscape where patients can control their data on a granular, data type by data type, level.
And, because privacy laws are different in every state, HDUs could be a vital asset for each state providing local governance among interested parties – ensuring control and accessibility over the data their populations deem sensitive. These entities empower policies that effectively improve public and population health, without having to resort to fear-driven regulations that hinder data exchange to protect data.
If we continue to encourage the widespread sharing of health data without appropriate safeguards and patient choice, both patients and providers will opt out of data sharing entirely, reverting a decade of innovation to build upstream solutions that support whole-person care and our most vulnerable patient populations – a potentially catastrophic outcome.
Health data utilities offer the right equilibrium for states to mitigate data privacy concerns while protecting the health of those most in need of assistance – in one simplified solution.
Nichole Sweeney, JD, is chief privacy officer at CRISP Shared Services, which provides HIE technology infrastructure to six states in the U.S.
Note: This article is part 1 of a 3-part series that takes a deep dive into HDUs. Continue exploring HDUs and how they can optimize health management in part 2.