Balancing health data sharing with protections: great medicine for quashing epidemics

In Singapore, public health officials publish online the locations of the residence, workplace and places recently visited by each newly confirmed coronavirus patient so that other citizens can take appropriate action to protect themselves and their loved ones.

In Taiwan, health insurance and immigration agencies combined the 14-day travel histories of local and foreign residents with their insurance card information, enabling healthcare providers and pharmacies to integrate those insights into personalized care. Officials also track the cell phones of self-quarantined patients to ensure they stay home.

And Hangzhou, the capital of China’s Zhejiang Province, has established health QR codes for everyone in the city that govern freedom of movement, based upon each person’s health status and risk factors. In all three areas, the coronavirus seems contained, and life is rebounding with normalcy.

These stories of Asian governments tracking individuals raise questions of privacy rights and ethical use – as they should. However, they also raise questions about what the U.S. could do if it weren’t hampered by the inability to quickly integrate data about individual patients.

Consider the highly individualized measures taken in Asia vs. the more generalized, broad-brush tactics in the U.S., where citizens are being asked to, in some cases, shelter in place or avoid gathering with more than 10 people. The U.S. must take this approach for multiple reasons, chief among them being the inability to quickly integrate data about individual patients. Our health data ecosystem comprises silos of data isolated within enterprises, making it difficult to share across institutions. In lieu of rapid, individualized action, U.S. officials must work with statistical models and educated assumptions that nonetheless can be wildly off target. The economic impact of these broad guidelines is only beginning.

Better health data sharing: An Rx for COVID-19 containment 

In theory, the industry should have been sharing data during the last 23 years, after the passage of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA gave individuals the right to own their healthcare data and share it with third parties as they wish. To protect these foundational patient rights, the legislation required healthcare organizations to protect that data from inappropriate and unauthorized disclosure.

While penalties were issued for data breaches, no real consequences were put in place for failing to share patient records quickly, conveniently and securely. Most institutions focused on data protection, often to the exclusion of data sharing. That emphasis is hurting us now in the time of coronavirus.

What if healthcare providers could know immediately that a patient has a health history and risk factors that could contribute to serious complications from COVID-19? Such data would help providers and communities quickly identify such high-risk individuals. Armed with that knowledge, they could take more effective, more individualized, less invasive measures to protect them from exposure to the virus.  The social and economic consequences of such sweeping approaches are now clearer than ever.

What if, in the epidemic after this one, we each had a health ID card linked to our comprehensive medical record? The card might contain a summary of our key health issues and, with our permission, unlock access to more detailed health data. That’s not necessarily science fiction: The healthcare systems interoperability rule just enacted enables significant data sharing among healthcare payers. We are transitioning from a past of near exclusive focus on healthcare data protection to a future of both data protection and data sharing.

The U.S. has barely scratched the surface of the data-sharing capabilities already built into HIPAA, let alone those made possible by the Department of Health & Human Services (HHS) Secretary waiving additional restrictions due to the national health emergency. 

Actions transcend words

Healthcare organizations can take the following steps to increase their health data sharing and more quickly flatten the curve on the spread of COVID-19.

• Know how you can and must now share data. HIPAA enables data sharing during emergencies, and HHS has waived some remaining restrictions. Immediately brief your organization on these changes. Bring in all the players with a say in how data is accessed, so it can be shared and protected simultaneously.

• Track HHS changes. The situation is fluid, to say the least. Designate at least one person to be wired into HHS to relay information about changing requirements, including which procedures are reimbursable. Create a process for implementing these changes in near real-time, yet with good governance and clear communication.

• Set up a communications command center. Ensure all players are working off an accurate and consistent fact base. Ensure that you create links between not just the HHS and your workforce but with public health agencies, other healthcare organizations in the area, and the media.

• Know the new security threats. Most of the industry’s data security measures focus on protecting data and limiting access to it. As healthcare organizations are making both short-term and long-term changes toward data sharing, new security risks emerge. Chief information security officers and chief physical security officers should be in the room to brainstorm potential threats, scams and vulnerabilities, and how to mitigate them.

• Learn your lessons well. The measures organizations take now to share data can be good learning opportunities for complying with the newly published interoperability rules. These rules require organizations to share data while preserving privacy and security measures. Use what you learn today to ready your organization for complying with interoperability – and preparing for the next pandemic. The present and future will reward agile organizations, regardless of official timelines for interoperability.

There’s a lot each of us can do – to make a difference and to safeguard ourselves within our unique spheres of influence. Healthcare organizations have a large role to play, particularly when it comes to shaping the potential of health data sharing in the healthcare industry.

Visit our COVID-19 resources page for additional insights and updates.