Page 2 of 2
The Health Insurance Portability and Accountability Act (HIPAA) addresses data breach notification and proper security measures to protect personally identifiable information. But, it says little about how the data may be used, Health Quest's Shieldlower said. Until the regulations catch up Shieldlower urges organizations to govern data according to current policies in place, using standard security best practices.
"Electronic health record data governance will evolve differently than credit bureau data because there are fundamental differences in the business model that finances it," Shieldlower said.
Data governance standards for electronic health records are moving slower than standards for the credit card industry because there is immediate value in addressing the issue seen by lenders. The credit industry has only two main stakeholders in the form of lenders and borrowers. Healthcare data has a myriad of stakeholders including patients, researchers, insurers and healthcare providers.
Gaining consent from people to use the data in big data projects is becoming a thorny issue. Eight states are working on developing uniform standards for exchanging electronic healthcare information. In New York, people are not required to consent to having their data uploaded to a centralized patient information exchange program. A healthcare provider is required to get consent only to access the data, Carey, of New York Civil Liberties Union, said. As a result, many mental health providers, drug treatment clinics and other sensitive organizations are not participating in the system, she said.
Public health officials want access. Carey likens the problem to a large mail room at an apartment complex. Each mailbox represents a discrete piece of data: Does the public health department use the mail carrier's key rather than opening each individual mail box?
"Legislatures move very slow and our capability to aggregate collect and analyze all the information being collected it is moving so fast," Carey said. "Legislatures must accommodate the benefits while addressing the potential consequences."