Nixon Law Group


Sharing Personal Healthcare Data: Why Google’s Relationship with Ascension Health is the “New Normal”

The lines between health data and consumer data are increasingly blurred as more technology companies venture into healthcare analytics and data processing.

Why does this matter? Because there are state and federal laws protecting healthcare data collected by a person’s insurance company or physician, but for-profit companies that may collect healthcare and other sensitive personal data are often not subject to these laws. In addition, healthcare companies subject to state and federal healthcare privacy laws are increasingly leaning on third-party technology companies to derive value or insight from the healthcare data they collect in ways that would surprise many consumers.

In a first-of-its-kind probe into Google’s relationship with health system Ascension, the US Department of Health and Human Services (DHHS) is looking into what, if any, responsibility healthcare companies have to notify patients and doctors about sharing their healthcare data with third-party analytics companies, particularly when the arrangement otherwise falls within the guardrails of federal and local privacy laws (e.g. HIPAA). The “internet outrage” prompted by the Wall Street Journal article about the Google/Ascension relationship has some in the industry wondering what the next steps are – will we see revisions to the regulations or more onerous notification requirements? What some see as an invasion of privacy, others see as a great opportunity to improve the healthcare delivery system. According to our own Rebecca Gwilt, quoted here in this Fox Business article, this sort of data sharing is “the new normal.”

Healthcare data analytics have been used in many ways over the years. Private insurance companies have used healthcare claims to determine actuarial risks and drive premium and reimbursement rate setting. Government payers, like Medicare and Medicaid, use claims data to set prospective payment rates, and over the last decade, they have been using claims data to help drive a shift to “value-based” healthcare, where providers are paid for the quality of the healthcare they provide, rather than the quantity. In fact, as we recently described in our articles on the proposed rules under the Anti-Kickback Statute and Stark laws, government payers are starting to broaden the potential of value-based payment models. However, value-based and quality-based healthcare is largely dependent on the use of healthcare data analytics. The unfortunate reality, despite legislation like the HITECH Act’s meaningful use provisions and the 21st Century Cures Act’s requirements for interoperability in EHR certification, is that technology has not yet caught up with the policy shift toward interconnected health data sharing. Instead, more and more distinct companies are moving into the healthcare data field trying to be the first to blaze a path in predictive data analytics, machine learning, and population health management.

What we learned from the Google/Ascension story was that Ascension, one of the largest health systems in the country – with millions of patient records spread over 40 data centers – began compiling those records and sending them to Google’s cloud-based data center where Google began to run analytics with a goal of coordinating care and improving Ascension’s patient outcomes. It’s important to note that under HIPAA, Ascension can legally share that data for its own healthcare operations purposes, and both Google and Ascension have affirmed that they have operated under that limited purpose. What the public is most concerned about is that doctors and patients were unaware that Google was given access to this data. Under the law, Ascension is not required to notify patients, but must provide an accounting of who has been given access to the data if that accounting is requested by a patient. In our experience, most patients still do not understand that they have the right to request these disclosure accountings.

Google is not the only big data player collecting healthcare data, though. Mastercard’s Brighterion is increasingly entering into data agreements with healthcare payers and providers to deploy its machine learning and artificial intelligence algorithms to solve healthcare delivery problems like predictive diagnosis and billing fraud and abuse. Amazon’s AWS cloud-based server is also being used across the pharmaceutical and device industry to optimize clinical trial design by synchronizing data from decentralized clinical trial sites. By decentralizing clinical trials, pharmaceutical research can include more clinically relevant populations from remote areas. Not only does this approach reduce the overall cost of the research, but the ability to recruit more clinically relevant subjects will also improve the efficacy and safety data. With better data come better products.

From a practical standpoint, using healthcare data to improve patient outcomes is almost universally accepted as a “good thing”. What consumers need to understand, and what we think healthcare providers can help shed more light on, is who the emerging players are in the data chain. While most people struggle to keep up with stories about consumer breaches at banks, retailers and internet providers, they want to ensure that sensitive healthcare data is protected. Healthcare providers should, and in some cases are required to, develop integrated healthcare data sharing networks that drive quality healthcare metrics. When these physicians, payers, and healthcare systems engage third parties to run these analyses, they need to evaluate the legal and the reputational risks associated with not disclosing that relationship to their patients. While privacy policies and HIPAA disclosure policies may generally speak about these types of relationships, some patients may need further explanation or assurances to help them understand the benefits that data analytics can bring to their healthcare outcomes.

While the probe into the Google/Ascension relationship is only just beginning, we will continue to monitor the reactions from lawmakers and policy leaders. In the meantime, healthcare providers and payers should review their privacy policies and data sharing practices and arrangements to ensure that they are following the narrow parameters under which HIPAA and other privacy rules allow sharing patient-specific data without patient notification or authorization. We routinely draft and review these arrangements and policies.

If you are considering a data sharing arrangement with a third party, we can help structure that arrangement compliantly and help you understand the business risks associated with the particular arrangement. Contact us today!
