Health Data Privacy Gets the Attention It Deserves
The Partners in Privacy Conference gathered world-class experts to address some of health care’s most vexing problems.
John Halamka, M.D., president, Mayo Clinic Platform, and Paul Cerrato, senior research analyst and communications specialist, Mayo Clinic Platform, wrote this article.
The challenges involved in keeping patient and consumer health data private may seem daunting. Still, a recent virtual conference hosted by Mayo Clinic brought together over 80 world-class experts to address the issues. Their insights are worth a closer look.
During his opening remarks at Partners in Privacy Conference: The Ethical and Responsible Use of Data to Drive Cures (April 22, 2021), Gianrico Farrugia, M.D., CEO of Mayo Clinic, acknowledged the delicate balance required to respect the public’s desire to keep its data confidential and the health care community’s desire to use that data to improve patient care: “What the right thing is is not a simple question to answer — it is complex and can vary in different countries and even under different circumstances. A person may be less or more willing to share information and have a different view on data privacy at different times in their lives. What degree of data privacy seems right to a healthy 40-year-old is likely not going to be the same for that same person with advanced cancer or neurodegenerative disease. Moreover, the world of research and collaboration is changing. There are global opportunities for new partnerships among medical centers, industry and government that increasingly involve data sharing.”
With these concerns in mind, Dr. Farrugia introduced the keynote speaker, Micky Tripathi, Ph.D., MPP, the National Coordinator for Health Information Technology for the U.S. Department of Health and Human Services. Micky briefly reviewed the achievements of the HITECH Act and the implementation of EHRs around the country, but he also pointed out that the speed with which this rollout occurred has made us all realize that “technology has outpaced policy.” One of the ways in which this disconnect is being addressed is through the 21st Century Cures Act. As of April 5, 2021, the law requires that providers, health care information networks, and technology developers give the public friction-free access to and control of their health data through apps. But that access also means patients can more easily share that information with third parties that are not required to follow the rules spelled out in HIPAA. And even when such data remains within the confines of a health care provider organization bound by HIPAA regulations, keeping it private and secure remains a challenge, despite the fact that there are ground rules on de-identifying it.
These challenges were among the many questions addressed by the four breakout groups that followed Micky’s presentation. We discussed privacy laws and regulations; state-of-the-art methods for protecting data privacy used to advance health care; consumer and patient attitudes about privacy; and balancing privacy protection with the benefits of research and commercialism. The lessons learned from the conference will be presented in a white paper that is currently being developed by the thought leaders involved in the project. In the meantime, consider a few takeaways:
- Patient consent will evolve. In the future, there will be more granular control options; we will likely go from a black and white consent decision to a few more controls based on the use of the data and the actors who have access to it.
- There will be more transparency in data use. That can take the form of a “nutrition label” type description for every algorithm that clearly spells out the data used to create it, as well as its performance and characteristics.
- Technology is evolving, with machine learning and natural language processing accelerating very quickly. It will fundamentally change how we deliver care, but it will also mean more data being used for more purposes. It is incumbent upon us to keep that data safe and to respect patient preferences as we develop algorithms. Fortunately, privacy and security technology is evolving as well, including advances in de-identification, encryption, allow lists and tokenization. However, the conference attendees emphasized that these approaches are imperfect, which means we will need a multi-layered approach.
Cris Ross, the CIO at Mayo Clinic, summed up many of the observations gleaned from the conference: “We came into this conference wondering whether matters of law, regulation, policy, technology, and market practice are fully established, or if there’s a need for further exploration and consensus. We concluded there is a need for more exploration, and a need for a group like this to help create a consensus, with the goal of advancing cures with the ethical use of data and preservation of patient privacy.” Cris emphasized that this virtual meeting demonstrated that this need exists, and we would like to issue a call to other leaders in this field to advance the agenda. Partners in Privacy Conference: The Ethical and Responsible Use of Data to Drive Cures was only the first step in a journey that will require the input and expertise of stakeholders around the nation and the world.