June 23, 2024
Protecting Health Data Without Harming Patients: Overcoming the Barriers That Limit Our Access to Our Personal Health Information

Empowering individuals to take a more active role in managing their health and improving health outcomes requires ready access to their personal health information (PHI). Unfortunately, a variety of technology, financial, and policy barriers make it difficult to achieve this critical objective while simultaneously protecting health data.

The lack of interoperability among the current electronic health record (EHR) technology platforms is a key challenge to sharing data, as anyone who has ever tried to transfer PHI among providers in different health systems can attest. Siloing of data among disparate systems contributes to the fragmenting of care, increases the risk of suboptimal clinical decision making due to incomplete information, and perpetuates a care approach that treats individuals as a set of lab values or imaging scans rather than as a complete person. The Fast Healthcare Interoperability Resources (FHIR) standard has the potential to overcome these challenges. FHIR is a data sharing approach based on internet standards used in other industries, and it allows information sharing between different computer systems regardless of how data are stored in each system. It is specifically designed to format health data and is also a free and open source system, which is essential for fostering health information technology innovation. Fully implementing FHIR will require investment in additional IT infrastructure, but these costs would likely be recouped over time through reduced administrative costs, more efficient delivery of care, reductions in medical errors, and improved patient engagement and self-management.

The Health Insurance Portability and Accountability Act (HIPAA) plays a role both in hindering and enabling patients’ ability to access and share their health data. For example, restrictions on downloading or exporting data files (such as MRI, X-ray, and other imaging results, and lab results), together with the repeated need to complete HIPAA forms for every episode of care and every time data needs to be shared with care providers or payers, create burdens for patients and providers and present barriers to data sharing. It’s important to note that these challenges arise from how HIPAA has been implemented to date and are not inherent to the legislation itself. In fact, HIPAA compliance guidelines can readily accommodate alternative approaches that empower individuals to control their own PHI, including FHIR-based platforms and other technologies that enable seamless and highly secure data sharing. Indeed, as written, HIPAA empowers each individual to determine who can access their PHI. The challenge is that current permissioning approaches are cumbersome and driven by providers and payers rather than by patients.

Moreover, HIPAA allows for de-identified data to be shared without permission. Such sharing can benefit research groups or corporate entities without providing compensation to the individual. Next-generation data sharing models should put the power of permissioning squarely in the hands of the individual while also creating mechanisms for compensation when the sharing of PHI benefits others. The reluctance to provide financial compensation for the use of PHI is another entrenched behavior that needs to be overcome if we are to empower the individual to maximize the health and monetary value of their health data.  

While many of the current barriers to sharing PHI have been erected in an effort to safeguard these data, the sad irony is that the centralization of PHI in large databases has actually made this information less secure by creating “honeypots” that attract hackers and cybercriminals. The recent ransomware attack on UnitedHealth Group’s Change Healthcare subsidiary is just the latest example of the failure of current health data security approaches. This attack underscores the potential for these hacks not only to expose patients to the risks of identity theft and theft of medical services and benefits but also to bring large portions of the health ecosystem to a grinding halt. As we seek new models for enhanced PHI sharing, we must rethink and redesign our approach to health data security. Concurrently, new policies and strategies must be designed and implemented to ensure the safe, accurate, and appropriate use of AI-based health technologies and communications tools. More effective and proactive cyber-protection protocols will also be essential for safeguarding PHI as we free it from its current silos.

Fortunately, new technologies that can overcome data sharing and safety challenges already exist and are being used to enable several types of decentralized commerce (peer-to-peer payment services, non-fungible tokens, etc.). Applying decentralized technology to PHI would give control of health data back to the individual by consolidating an individual’s health information in a single location readily accessed by the individual, and by supporting easy and flexible permissioning that enables the individual to determine when and with whom data are shared. This approach could make PHI more informative by enabling individuals to integrate data from wearable devices that offer real-time insights into lifestyle, health risks and prevention of chronic illness (heart attack, asthma, and other cardiovascular issues) into their PHI portfolio. It also would prevent monetization of PHI without the individual’s consent while potentially creating new approaches that would compensate individuals willing to share their data for commercial purposes.

The availability of innovative technologies affords us the opportunity to chart a more patient-centric, efficient, and secure path to managing and leveraging PHI. Following this path will require patients, providers, payers, and policymakers to acknowledge that our current system is hopelessly broken and accept that new and disruptive solutions are urgently needed. We can protect health data without harming patients, or we can wring our collective hands when the next inevitable data breach occurs.


Michael Dershem, aka Dersh, is a seasoned business development entrepreneur, primarily in the healthcare and pharma space, who has assisted multiple ventures and attracted millions of dollars of capital. He has a strong technology-transfer background, from government and university research to private sector commercialization. Michael began his career over twenty years ago as co-owner of RX Returns, the first reverse distributor ever licensed by the FDA and DEA, which grew to become the largest pharmaceutical returns company in the nation. He later helped form a niche banking company. Dersh was founding CEO of Pharmasset, an Emory University start-up that raised over $25 million in private equity funding and executed a $30 million research and development agreement with DuPont. Pharmasset subsequently went public and was acquired by Gilead Sciences for $11 billion. Dersh graduated with a BA in Economics from Dickinson College and holds an MBA.
