Why there’s a growing urgency for patient-centric data exchange
As patients clamor for more of their information, it’s time to shift the focus from systems to patients in secure healthcare data exchange.
In some respects, healthcare is a great equalizer. Whether you are a U.S. senator or a blue-collar worker, a colonoscopy is still a colonoscopy.
Because nearly every person who lives in the U.S. — including those of us who work in the healthcare industry — is a healthcare consumer, it’s intriguing that healthcare data exchange is not more patient-centric.
Maybe it’s because many of us don’t often stop to consider how our data is used, or the importance of safeguarding our health data and what it could mean for us if that data is breached.
Or, maybe it’s because while there has been an increasing emphasis on getting more data to patients and empowering them to take a more active role in their care decisions (think 21st Century Cures Act), there has been less of an emphasis on how patient privacy can be safeguarded as it is shared with various entities using myriad technologies.
As someone who works to ensure secure, privacy-centric data exchange, I believe we must push towards more patient-centric data exchange if we are going to empower and protect patients, which I think we can all agree is a worthwhile, important goal.
What makes data exchange patient-centric?
Data exchange is patient-centric if it meets one of two litmus tests – if the patient is in control of the data exchange, or if the focus of the data exchange is the patient, and only the patient.
What does that look like, practically? When a patient is in control, they understand, or have given their consent to, the reasons for which their data will be used.
Often, as patients, we have a brief conversation with someone in reception at the doctor’s office and sign an e-signature pad or paper form in response to statements like, “This document tells you about our privacy practices.” Or, if the receptionist has had a long day, maybe, “Sign here to consent to treatment today.”
Many of us don’t ask to read the actual documents that outline the rights we have and the rights we are giving up — on how our data can be used — before we sign off.
Asking someone to give consent to their data being used without educating them about how their data may be used is decidedly not patient-centric data exchange. The holders of the data may be off the hook legally for how they use that data when they obtain the patient’s signature, but they haven’t empowered the patient to understand how and with whom their data may be shared.
When the focus of the data exchange is the patient, the patient is the central reason the data is being exchanged. There are plenty of ways that data is shared that meet this definition – when medical records are sent to a new provider so they have a fuller picture of a patient’s medical history; when patient information is sent from a provider to a lab; or when information is shared with the patient’s insurer so they can pay for care the patient received.
Not all cases for which data is exchanged need to focus on the patient. There are many worthwhile causes — research, for one — for which people or entities want patient data even though a singular patient isn’t the focus. However, when the patient isn’t the focus of the data exchange, the patient needs to have more control and be able to say “yes” or “no” to their data being shared.
In all cases of data exchange, we should strive to use de-identified data when possible. There are many use cases today — certain quality measures, for example — where de-identified data can serve the purpose just as well as identifiable data.
The first pass is at a population level: it doesn’t matter who the patient is, just that they are part of a cohort. We should be looking at a numerator of the number of patients that had some type of care (for example, a certain screening), over a denominator of the number of patients that should have had that screening done. It doesn’t matter whether Mike Arce was the patient or John Doe. When it comes time to intervene, then it would be appropriate to use identifiable data.
Clearly, the industry can and should be doing a lot more to follow the vision of sharing “minimum necessary” data.
Concerns about patient-centric data exchange
As patients, we should be concerned about how our healthcare data could be used against us.
If our data is breached, not only will we probably deal with ads that target our conditions (what I would consider a minor inconvenience), but we are also at risk of having our identity stolen or potentially weaponized against us.
It’s in the best interest of patients when those transmitting data are committed to patient-, privacy- and security-centric data exchange.
For those that exchange healthcare data, there is no annual HIPAA certification, anyone can be audited, and HIPAA violations are extremely expensive. It’s fiscally responsible and reputationally imperative to have strong privacy policies and protocols in place that safeguard patient confidentiality and foster patient-centric data exchange.
Making data exchange more patient-centric
Privacy and security teams within the healthcare system are in a tough spot. They make decisions and implement programs, policies and technologies that ensure their organization complies with all local and federal privacy laws. That’s a monumental and extremely significant role.
Because privacy and security teams aren’t bringing more patients to the organization with their stellar privacy programs, they are often tasked in that role with extremely important responsibilities and very limited resources.
That’s where having a data exchange partner that understands the importance of privacy, security and patient-centric data exchange — and how to make it happen — is critical.
With the privacy and security team’s limited resources, a data exchange partner can establish controls to ensure the right data is shared at the right time to the right people, and that data is not shared when it shouldn’t be. The right data exchange partner should expertly marry connectivity with control, giving the privacy and security team the peace of mind that comes with being able to say, “We do everything in our power to protect and safeguard the data entrusted to us.”
What could data exchange look like?
We’ve got a long way to go to make healthcare data exchange not only privacy- and security-centric, but also patient-centric.
We can take steps now, however, to move the needle in that direction.
We can do a better job of educating patients on their rights to their data and how to flex those rights.
We can use the power of technology to more explicitly ask patients if it’s okay to use their data when the focus of the exchange is not the patient. We’re all used to seeing “cookie” pop-ups when browsing the internet these days; why couldn’t we receive messages via a patient portal asking us for permission to use our data for research, an operational initiative or other purposes? On an extreme end, could we create a closed loop and require an annual audit of all data exchanges, access, or sharing for patients to review?
We can de-identify data and do a better job sharing only the minimum necessary data. If de-identified data can serve a purpose just as well as identifiable data, it should be the default.
Finally, and perhaps most simply, we can take an empathetic approach to data sharing. Too often, there’s a lack of regard for the patient’s situation. We take broad approaches to how we handle things. In the end, every patient and individual situation is different. We need to give more power back to the individual patient as to how their data is shared and with whom.
We need to do all of that without adding to healthcare’s administrative burden or driving up costs. It’s not an easy task, but it’s clear it’s becoming increasingly critical.
Mike Arce is the chief administrative officer at Moxe Health, an interoperability company that focuses on privacy- and patient-centric clinical data exchange.