April 7 is World Health Day, and the occasion warrants a closer look at the way healthcare-related data is managed. The challenges are laid out in the World Health Organization's bulletin on policy implications of big data in the health sector:
In the field of health-related big data, the public needs to be reassured that security measures are mandated and enforced. As new analytical models, data sources and stakeholders increasingly build into dynamic relationships, it may be helpful to think of health-related big data as an evolving ecosystem.
There are several challenges to the future development of this data ecosystem. Even basic health data can be misused and lead to discrimination, especially of vulnerable populations. The fair distribution of any new benefits that may arise from the collection and analysis of big data may also pose hard challenges.
The importance of healthcare cannot be overstated. Healthcare is not only tied to the most basic human needs, it also is a lucrative industry. There has been a "frenzy of health care-related dealmaking" recently, driven by data.
It has been noted that the healthcare industry dwarfs advertising at an estimated worth of $3 trillion, and it produces about 30 percent of the world's data. If advertising plus data has been the driving force for the likes of Google and Facebook, we can start to see what the stakes of tapping into healthcare data may be.
With the use of social media data in the limelight, it's a good time to project the kind of questions that apply there to healthcare data as well. How is data managed? Do users get to have consent over how their data is used? And do they get a cut out of the value generated by using that data?
We thought it would be interesting to address these questions to organizations involved in managing healthcare data. It turned out to be interesting indeed, starting with the fact that most of them did not address our request for comment. Some, however, did.
So, let's see what Raj Sharma, CEO of Health Wizz, and Evgeny Chereshnev, CEO and founder of Biolink.Tech, had to say. Health Wizz is a mobile platform for aggregating, organizing, and sharing medical records. Biolink.Tech is a multi-functional wearable that helps track, manage, and implement personal information, and it helps track accesses, permissions, finances, and health indicators.
There is a wide array of health-related data. However, the form most of us are most familiar with is the Electronic Health Record (EHR). EHRs have traditionally been a pain point for healthcare professionals and patients alike.
But why is that so -- inappropriate or insufficient technology, lack of standards and data integration, or subpar processes, incentives and framework for data management and stakeholder coordination?
Sharma notes that, for professionals, the problem surfaces when trying to coordinate patient care across two health systems, while for patients the problem is different:
"Because of HIPAA regulations, and in some cases because of competitive reasons, healthcare systems are reluctant to share data with hospitals in other healthcare systems. Even if sharing of healthcare data was possible across healthcare systems, lack of interoperability among EHR systems would render the data unusable.
For patients, the issue is different. Patients are not considered to be covered entities under HIPAA, and hence, HIPAA is not applicable when it comes to patients getting a copy of their data from the EHR.
Most providers today have patient portals from where patients can view, download, and transmit their medical records, including things like their Continuity of Care Document (CCD). Unfortunately, most patient portals are extremely difficult to use, and most patients are not even aware of their rights to their medical records.
Part of the reason why today's patient portals look like they were designed in the last century is because hospitals and EHR companies did the bare minimum to comply with the Meaningful Use requirements of the Affordable Care Act. It was government mandate, not patient demand, resulting in something that is really hard to use."
Chereshnev believes that traditional EHR used to be a good initiative:
"It simplified patient records searches, unified data formats, etc. But it's not up to date with modern technology. The trick with any centralized data is that it exists only in two states -- hacked or soon to be hacked. When it comes to trust and cybersecurity -- we are far from being where we need to be.
Today the demand for very sensitive data is growing. If bad actors got their hands on data like this, they would potentially have leverage over their victims. We definitely need to review what EHR is and how it's managed. From a tech perspective, it needs to be dramatically improved -- decentralized databases have been here for years, but this approach is rarely used.
When it comes to human social engineering -- don't even get me started. It's very important to understand the rules for data management have to be discussed publicly, and people must have the right to vote on it; it's as critical as Brexit."
It is already clear that, even for EHR data, which has been managed for years already and should be relatively well understood, there is an interoperability issue. Is it lack of standards that's holding interoperability back?
There seems to be an array of standards and related bodies there -- HL7, ICD9-10, HRBA, to name just a few. What part does each of those play, and is there anything missing from this picture? Health Wizz is a member of the HL7 FHIR Foundation, as well as HRBA, and Sharma had lots of insights to share:
"HL7 (Health Level Seven International) develops standards to provide a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.
FHIR -- Fast Healthcare Interoperability Resources is a next generation standards framework created by HL7 to leverage the latest in web standards. FHIR solutions are built from a set of modular components called 'Resources.'
Because these resources can easily be assembled into working systems that solve real world clinical and administrative problems, FHIR will go a long way to address the interoperability issues that have plagued the healthcare industry.
The Health Record Banking Alliance (HRBA) is a non-profit membership organization with the goal of establishing accurate, secure, and comprehensive health records that can be accessed by both patients and their health care providers under the control of the individual patient.
Health Wizz is an active member of HRBA and fully supports HRBA's vision of every consumer owning a secure, consolidated, digital lifetime health record that they can share with doctors, researchers, and others for better health and health care. Health Wizz is working with HRBA to address the problem of scattered health information plaguing consumers today.
On Dec. 13, 2016, the 21st Century Cures Act became the law of the land after the landmark healthcare bill sailed through both the US House and Senate with huge bipartisan majorities. The Cures Act will play a very important role in improving interoperability and driving consumer engagement and ownership of their health data.
The Cures Act stipulates that EHRs provide application programming interfaces (APIs), with the expectation that these APIs will enable access to clinical data 'without special effort,' enabling programmers to use standard tools to create innovative apps for consumers and providers.
We expect to see a lot of providers, EHRs, and healthcare innovators implementing these APIs in 2018. Even though the law does not explicitly state which APIs to use, there is enough momentum behind FHIR to be adopted as the de facto standard."
Biolink.Tech, on the other hand, does not work directly with EHRs, but Chereshnev did weigh in on the topic:
"In terms of standards, it is best to ask the authors of those, because before proposing a standard, they are obligated to analyse and consider all other variants. But what is most important to understand here is that technology today is not what it used to be in terms of evolution speed.
Standards used to be something untouchable, impossible to change. Thirty years ago, that was fine. Today, it's not. All standards must be reviewed at least once per year, as there is a huge chance that some tech made those obsolete in the best case scenario, and just very harmful to people in the worst."
Even though we've just scratched the surface, certain themes are beginning to emerge: Many issues in healthcare data management are not due to lack of technology, but more of a byproduct of business models and regulation. And patients are mostly out of the loop.
So, the $3 trillion question is: Is it really a good idea to let the Googles and Facebooks of the world take control of healthcare data, as they've done with other data?
"This is actually terrifying and here's why: Google and Facebook don't care what a third party is selling you -- they fulfill minimal legal requirements in background checks in order to ban all ads promoting racism, terrorism, and other forms of insanity. But, essentially, they don't care what Amazon is selling to you via Google ads.
With medicine, it's not supposed to work on a supply and demand type of logic -- people must visit doctors in order to get professional prescriptions for what is really required. I see a problem in the situation where healthcare would basically track your every move in order to upsell you anything you might need using very natural hooks based on your behaviour.
Healthcare must stay a heavily regulated industry, where all sales must be controlled by federal-grade, non-commercial organisations. Independent expertise and obligatory clinical research are two essential building blocks of healthcare, and I strongly advocate for it to stay this way."
Sharma says that, at Health Wizz, they believe users should have complete control of their health data, and they should be able to decide who they choose to share their data with:
"Health Wizz offers a free mobile application that helps individuals to aggregate their health records from several sources including wearables, EHR systems, and their genome.
Using the Health Wizz app, users create their own personalized health record (PHR), which empowers them to take ownership and control of their health data. For the first time, users are in complete possession of their medical records and this information moves with them wherever they go.
Once aggregated, Health Wizz enables users to organize their medical records, and then instantly share/donate/trade their medical records on a blockchain infrastructure. Users have complete control over who gets to see what part of their health data and for how long.
The blockchain infrastructure and smart contracts enable users to create a Health Information Exchange of One and trade their medical records using a digital token. Health Wizz even matches research organizations and pharmaceutical companies with individuals interested in participating in clinical research or precision medicine."
Blockchain, genomes, business models, and regulation -- nobody ever said this was going to be easy. What could be a way forward? How can business models and regulation work for the benefit of patients? And what will the effect of GDPR be on healthcare data?
More on that in the next part of this healthcare data special.