Healthcare Data Privacy and Security in the Era of Big Data


Healthcare Data Privacy and Security in the Era of Big Data John P. Houston, J.D. Vice President, Privacy & Information Security, Associate Counsel University of Pittsburgh Medical Center Adjunct Assistant Professor of Biomedical Informatics University of Pittsburgh School of Medicine

Learning Objectives Identify privacy considerations associated with big data. Compare/contrast privacy rights associated with the use of identifiable and de-identified data in analytics and research. Differentiate between societal rights versus personal privacy rights in the use of big data in analytics and research. Explain the role of autonomy in the use of big data for analytics and research.

What Is Your Opinion? (VIDEO)

Electronic Records - Global Availability Smartphones, iPad, IoT – the accelerating evolution of transformative technologies. Growth of Smartphones Ability to push large amounts of data to the device anywhere in the world – as long as there is an internet or cellular connection. These devices are going to be transformative…

Electronic Records - Global Availability Cloud Services – Providers are becoming increasingly dependent on internet-based services (SaaS, IaaS, PaaS, ASPs, etc.). Enterprise Cloud Services

Electronic Records - Global Availability Consumer engagement – Consumers expect to engage their providers and payers through the Internet. At the end of the day, these examples speak to a substantial change in the manner in which we process data. No longer is data going to solely reside within our data center or on our internal network. Overall, the complexity of the environment is increasing dramatically.

Electronic Records - Global Availability Data Explosion – there is a substantial increase in the amount of data that is collected and disseminated. Ability to push large amounts of data to the device anywhere in the world – as long as there is an internet or cellular connection. These devices are going to be transformative…

Questions What is Privacy? What is Confidentiality? What is (Information) Security?

Security, Privacy & Confidentiality Privacy - the state of being free from intrusion or disturbance in one's private life or affairs. (Random House Dictionary) Confidentiality - The ethical principle or legal right that a physician or other health professional will hold secret all information relating to a patient, unless the patient gives consent permitting disclosure. (The American Heritage® Stedman's Medical Dictionary) Security - Protection against unauthorized access to, or alteration of, information and system resources including CPUs, storage devices and programs. (Free On-line Dictionary of Computing)

Security, Privacy & Confidentiality Practically Speaking… (Information) Security: keeping the bad guys out. Privacy and Confidentiality: making sure that those people who have access to information only use the information for appropriate purposes.

Societal Rights vs Individual Rights Privacy is a balance. An individual’s right to have his / her information kept confidential. A provider’s need for information to support the delivery of effective and efficient healthcare. Public / societal interests. In good faith, people have substantial differences of opinion regarding the value and importance of privacy. Practically speaking, privacy is not an absolute.

Autonomy Autonomy - an individual’s capacity for self-determination or self-governance. Personal autonomy - the capacity to decide for oneself and pursue a course of action in one’s life. (Internet Encyclopedia of Philosophy)

Autonomy – The Belmont Report B. Basic Ethical Principles 1. Respect for Persons. -- Respect for persons incorporates at least two ethical convictions: first, that individuals should be treated as autonomous agents, and second, that persons with diminished autonomy are entitled to protection. The principle of respect for persons thus divides into two separate moral requirements: the requirement to acknowledge autonomy and the requirement to protect those with diminished autonomy.

Autonomy – The Belmont Report B. Basic Ethical Principles 2. Beneficence. -- Persons are treated in an ethical manner not only by respecting their decisions and protecting them from harm, but also by making efforts to secure their well-being.

Autonomy – The Belmont Report An autonomous person is an individual capable of deliberation about personal goals and of acting under the direction of such deliberation. To respect autonomy is to give weight to autonomous persons’ considered opinions and choices while refraining from obstructing their actions unless they are clearly detrimental to others. To show lack of respect for an autonomous agent is to repudiate that person’s considered judgements, to deny an individual the freedom to act on those considered judgments, or to withhold information necessary to make a considered judgment, when there is no compelling reason to do so.

Value - Why is Big Data Different? Volume Complexity Use interest Business/commercial Value Inference power

Risk - Why is Big Data Different? Most activities involving big data will involve the use of existing data sets. Is there an opportunity for individuals to provide informed consent? The risk to each patient remains the same whether small cohorts or large cohorts are used. However, large cohorts increase either (a) the number of individuals affected, or (b) the likelihood that an individual may be affected. “Data Numbness” – there is so much data and so many people want to use it for so many purposes, that some people become numb to both the risk and rights of individuals.

The “Big Three”: Research; Quality Improvement / Quality Assurance (QI/QA); Health Care Operation (HCO).

The “Big Three” Research – An activity designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. Quality Improvement – Quality improvement (QI) consists of systematic and continuous actions that lead to measurable improvement in health care services and the health status of targeted patient groups. Healthcare Operations – Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) Conducting quality assessment and improvement activities; (2) Reviewing the competence or qualifications of health care professionals; (3) Underwriting, enrollment, premium rating, and other activities; (4) Conducting or arranging for medical review, legal services, and auditing functions; (5) Business planning and development; and (6) Business management and general administrative activities.

Research and Big Data What is the role of the Common Rule and the IRB in the oversight of research data use? Privacy is one human subjects protection that the IRB is responsible for considering. HIPAA allows for an IRB or Privacy Board to grant a waiver of authorization for the use of identifiable data. What is the threshold for the use of identifiable data in research? Is convenience a factor in allowing a waiver? How do we address massive data sets where some level of identification is necessary? What are the rights of deceased individuals?

QI and Big Data What is the threshold for the use of identifiable data in QI? HIPAA sets a “lower bar” for QI. No approval is required. However, some institutions require QI committee oversight. Who should evaluate QI activities and provide oversight? How do we address massive data sets where some level of identification is necessary? What are the rights of deceased individuals?

Healthcare Operations and Big Data What is the threshold for the use of identifiable data for HCO? HIPAA sets a lower bar for HCO. No approval is required. How do we address massive data sets where some level of identification is necessary? What are the rights of deceased individuals?

The Role of Data Governance Data governance (DG) refers to the overall management of the availability, usability, integrity, and security of the data employed in an enterprise. A sound data governance program includes a governing body or council, a defined set of procedures, and a plan to execute those procedures. Data governance provides a structure for classifying data. Data governance allows for an organization to decide how data is used in a methodical fashion. Decisions regarding data are aligned with the individuals within the organization whose functions “own” the data. For example, the CFO would own financial data.

Identified vs De-Identified Data Should individuals have concerns regarding data that has been properly de-identified? Can the patient be harmed by data that is properly de-identified? Genetic data de-identification – is that actually possible?

Security Considerations Securing data does not differ when considering small and large data sets. Each deserves the same rigor. The number of individuals affected by the breach or inappropriate use of a large data set is significantly greater. Does this increased risk affect the decision whether de-identified data should be used, or whether the activity should be undertaken?