Now that electronic health records have become the norm, healthcare providers — as well as healthcare systems and insurers — have access to unprecedented amounts of patient data. As a result, the practice of data mining, or analyzing data sets to identify trends and patterns, has become commonplace in healthcare, with the ultimate intent of improving patient care, improving efficiencies in the delivery of care, and reducing costs. Simply put, data mining has the potential to save lives and save money, but that doesn’t mean that it isn’t without risk.
As you might expect, using patient data for any purpose beyond providing care for the individual patient brings with it some tricky issues regarding privacy, and keeping the information from falling into the wrong hands. There are significant legal issues related to the use of patient data in data mining efforts, specifically related to the de-identification, aggregation, and storage of the data. Failing to take the appropriate steps when using personal health data as a tool for population health could lead to serious consequences, including a violation of HIPAA.
The question, then, is how to protect patient privacy while still gaining the insights that data mining can provide.
Protecting Patient Privacy for Data Mining
One of the major security concerns related to data mining is the fact that many patients don’t even realize that their information is being used in this way. Considering the way in which mined information can be used, this is of concern to many privacy advocates.
For example, in one noted example, Carolinas HealthCare, which runs more than 900 care facilities in the southern U.S., has purchased consumer data on more than two million people, which they use in algorithms to determine the risk for illness. The data includes purchase information collected from credit cards and consumer loyalty programs, as well as public records, to determine which people are at the most risk of getting sick. Providers can potentially use this information to remind patients to visit the gym more often, or encourage them to stop eating so much fast food. Other hospitals have used general demographic information about home and vehicle ownership or family makeup, to gain insight into a patient’s health and well-being, as well as identify potential barriers to care. However, what sets this type of data mining apart from healthcare data mining is that it’s data collected via other sources, and therefore not covered by HIPAA rules.
Still, many patients who have been contacted as a result of this type of data mining have noted that the practice feels intrusive. Even more intrusive is the potential for their personal health data to be used in this way, especially without their permission. Under HIPAA rules, data mining is a secondary, future use of health data, and thus requires the explicit permission of the patient before being used.
By the very definition, data mining is the process of looking for previously unknown patterns in data, so there is no way of knowing from the beginning what data is useful, or what relationships will be uncovered, meaning that there is potential for identifying information to be used or revealed. This highlights an important consideration when it comes to collecting and using personal information for data mining: Permission from the individual. Privacy advocates recommend offering patients the option to opt-in, opt out of specific uses, or opt-out entirely.