Proposed HIPAA Privacy Rule changes in the 21st Century Cures Act could lead to elimination of the requirement to de-identify patient data that's used or disclosed for research purposes, raising questions about whether that data will be at a higher risk for breaches, warns data de-identification expert Khaled El Emam.
The 21st Century Cures Act, as well as the Obama administration's Precision Medicine Initiative, are among government-led efforts aimed at advancing medical innovation by removing research collaboration hurdles so that improved treatments can be more quickly developed.
A provision of the 21st Century Cures bill, which was passed last year by the U.S. House of Representatives and is now pending in the Senate, calls for changes to the HIPAA Privacy Rule that would allow patients' protected health information to be used or disclosed by a covered entity or business associate for research purposes without authorization by the patient.
Currently under HIPAA, the only purposes for which PHI is permitted to be used or disclosed without patient authorization is for treatment, payment or business operations. When complex data sets containing PHI are used or shared for secondary purposes, such as research, HIPAA currently requires a covered entity or its business associate to de-identify that information so that it's not individually identifiable to specific patients, to help protect their privacy.
Possible Side Effects
A possible side-effect of the HIPAA changes proposed in the 21st Century Cures bill is a watering down of that de-identification requirement, putting PHI at a higher potential privacy risk when used for research, El Emam contends in an interview with Information Security Media Group (see audio link below photo).
"A lot of these efforts are pushing for greater access to data, and using data to accelerate research ... by getting access to multiple sources," he says. Under the current HIPAA framework, researchers can have access to this data as long as it's de-identified, he notes. "Some of the efforts underway now, such as the 21st Century Cures Act, are proposing changes to HIPAA, and some of the changes won't necessarily help increase access to information, and instead have unintended consequences."
For example, if the de-identification requirement for PHI disclosed or used for research purposes is lifted, he says, "this will allow a lot more PHI to be shared with researchers at different organizations, external organizations, companies - without any de-identification. As a privacy person, this is a huge red flag because it will allow a large amount of PHI to be floating around with very few controls we have been accustomed to being put in place. And if you loosen the controls, I think it becomes very dangerous, very risky. The flipside is that we can share a lot of data under the existing legal framework through data de-identification."
But because large amounts of data are being collected by medical institutions, de-identification would continue to play an important role for the security and privacy of PHI used for other secondary purposes, El Emam says. "Research is only one part of the ecosystem," he says.
In the interview, El Emam also discusses:
- The challenges healthcare institutions and other organizations often face in de-identifying patient data that's used for secondary purposes;
- The pros and cons of two methods of data de-identification currently permitted under HIPAA: the "safe harbor method" and the "expert determination method";
- Emerging advancements in methods and technologies used to de-identify patient data.
El Emam is a senior scientist at the Children's Hospital of Eastern Ontario Research Institute and director of the multi-disciplinary Electronic Health Information Laboratory team, conducting academic research on de-identification and re-identification risk. He's also founder and CEO of Privacy Analytics Inc. , an enterprise software and services firm for safeguarding data used for secondary purposes. Previously, El Emam was a senior research officer at the National Research Council of Canada. He also served as the head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany.