Nixon Law Group

View Original

Mining and Sharing Healthcare Data: What you need to know

Monetizing Valuable Patient Data Means Increased Attention to Protecting PHI

New technologies in healthcare brings new risks to the security and privacy of patient health data. Though most healthcare companies and Covered Entity providers are aware of the need for internal data security, many may not be in compliance when sharing information with third parties.

As providers and vendors find new and innovative ways of working together for better patient outcomes, the need for data sharing will only increase. It is critically important that all parties know when and how protected health information (PHI) is shared, and when patient authorization is required.

What is Data Mining in Healthcare?

Data mining is the analysis of large data sets for purposes of identifying patterns and predicting future events. This analysis plays an important role in making healthcare interventions more precise and powerful because it allows providers to identify potential problems early and prescribe the intervention most likely to be effective in preventing or treating those problems. In general, the more patient health information included in a data set, the better the predictive capabilities. This creates a powerful incentive for sharing patient data among parties for a larger, better data set.

Monetizing Patient Health Data

The monetization of health data refers to the use of patient health data for economic benefit. If PHI is shared in exchange for money, marketing, or some other benefit, requirements in addition to the standard HIPAA protections come into play. As you may know, HIPAA is the federal law governing the use, protection, and sharing of a patient’s protected health information. While certain uses of PHI are permitted without patient authorization — including use and disclosure for “treatment, payment, and health care operations,” otherwise know as the TPO exceptions — use of data in exchange for a benefit may require a patient authorization that specifically states the benefit derived from the disclosure and how the data will be used. This patient authorization must be a standalone document signed by the patient, rather than information contained in some other document such as a Terms of Use.

Research and Clinical Trials

Valuable data is often found in research and clinical trials. Again, special rules apply to this data. If personal health information is used in trials, providers must generally receive approval from an Institutional Review Board and obtain specific authorizations from the patient. Clinical trial data is typically “de-identified,” where all information that could be used to identify a particular patient is removed.

Contact us

Though it’s important to follow these regulations for privacy, it’s also important to ensure you have strong cybersecurity. Contact us to ensure you’re in compliance and discuss your cybersecurity needs.

Need help setting up compliant data privacy tools and processes? Click here to find out how we can help