Big Data in Health Care:
Rewards and Risks
Daniel J. Weissburg, JD, CHC, Privacy Officer, UW Health
Molly R. Berkery, JD, MPH, Godfrey & Kahn, S.C.
Outline
Big Data in Health Care
Impetus
Benefits & Potential Outcomes
Research and Development Initiatives
Regulation
Challenges
Impetus for Big Data in Health Care
Impetus
United States Health Care Costs
Per capita national health expenditures: $9,255 (2013)
Total national health expenditures: $2.9 trillion (2013)
Total national health expenditures as a percent of Gross Domestic Product: 17.4% (2013)
Health care delivery
Fee-for-service -> value-based
Clinical trends
Pharmaceutical and medical device industry
Potential monetary value to the US health care system
Centers for Disease Control and Prevention, Health Expenditures, 2013.
Potential Benefits & Outcomes of Big Data in Health Care
Benefits of Big Data in Health Care
Increase transparency
Improve patient outcomes
Nuances in subpopulations may be so rare that they are not readily
apparent in small samples
Predictive analytics
Reduce health care costs
Research and development
Pharmaceutical and medical device industry
Smart phone applications
Examples of Early Successes
The University of Ontario’s Institute of Technology developed predictors of the onset of nosocomial infections of neonatal intensive care newborns.
Brigham and Women’s Hospital in Boston developed standardized knee joint-replacement surgery.
Kaiser Permanente connected clinical and cost data leading to the discovery of adverse drug effects and the subsequent withdrawal of the drug Vioxx from the market.
Johns Hopkins School of Medicine - data from Google Flu Trends allowed prediction of surges in flu-related emergency room visits a week prior to other sources.
Research and Development Initiatives
United States Office of Science and Technology Policy (OSTP)
Goal: Make the most of the fast growing volume of digital data.
Transform the use of big data for scientific discovery.
Environmental/Biomedical research.
Education and national security.
Six federal departments and agencies committed $200M:
To advance, analyze, and share big data.
To harness the technology to increase discovery rates.
To expand the workforce using and developing these technologies.
Innovation
GPS-enabled asthma inhaler
GPS-enabled tracker that records inhaler usage by asthmatics (data merged with
CDC data on asthma catalysts to assist with the development of personalized
treatment plans and spot prevention opportunities).
Behavioral health smart phone app
Ginger.io uses information from a patient’s smartphone app to help providers
manage patient care and detect changes in behavior and health.
Physical activity tracker – the new medical device?
Spire – an app that senses and tracks physical movement, position and breathing
patterns to help individuals boost activity, relaxation and focus. Spire has
considered getting FDA approval as a true medical device.
Regulation of Big Data
Is health care behind in the big data revolution due to regulatory hurdles?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Breach Notification Rule
Blanket prohibition on the sale of PHI (with specific exceptions)
Prohibition of compound authorization (with specific exceptions)
De-identification requirements
The Health Information Technology for Economic and Clinical Health (“HITECH”)
Increases the scope of privacy and security of health information under HIPAA.
Increases the potential legal liability for non-compliance and provides more enforcement of HIPAA rules.
Regulation of Big Data
Affordable Care Act
Meaningful use incentives
“[e]lectronically capturing health information in a standardized format” and “[i]nitiating
the reporting of clinical quality measures and public health information.”
“rigorous health information exchange,” “[e]lectronic transmission of patient care
summaries across multiple settings,” and “patient-controlled data.”
“access to comprehensive patient data through patient-centered [health information
exchange].”
Regulation of Big Data
Other legal considerations
Mobile health uses of big data and FDA regulation
Genomic and biometric big data
Health insurance and discrimination
Government use of big data
State law considerations
Ethical considerations
Research ethics
Challenges
Compliance Challenges
Technical
Institutional
Operational
Legal
Data Breaches
Not a new issue
Growing level of patient awareness & fear
Cyber-risk liability and insurance
Privacy/Security issues
Lack of safeguards of protected health information.
Lack of administrative safeguards of electronic protected health
information.
Use of public cloud services.
Largest (Health Care) Breach
- Office for Civil Rights, US Dept. of Health and Human
Services
Top 10 Health Care Provider Breaches
New York Presbyterian Hospital/Columbia University College of Physicians and Surgeons
A CASE STUDY
NY Presbyterian/Columbia
Columbia University College of Physicians and Surgeons:
655 Students
$1.46 billion annual budget
$1.6 billion endowment
First MD graduate in 1769
New York Presbyterian Hospital:
2,478 beds (six locations)
$4.3 billion annual revenue (2013)
6th on America’s Best Hospitals (U.S. News)
NY Presbyterian/Columbia
Physician had a personally-owned computer server on
the network containing NYP patient PHI.
Due to a lack of technical safeguards, PHI was accessible
on internet search engines, including Google.
An individual found the PHI of their deceased partner, a
former patient of NYP, on the internet and complained.
Breach report to HHS – Office for Civil Rights (OCR)
regarding the disclosure of the PHI of 6,800 individuals,
including patient status, vital signs, medications, and
laboratory results.
NY Presbyterian/Columbia
Neither entity:
made efforts prior to the breach to assure that the network was secure and that it
contained appropriate software protections.
had conducted an accurate and thorough risk analysis that identified all systems
that accessed PHI.
had developed an adequate risk management plan that addressed the potential
threats and hazards to the security of PHI.
NYP failed to implement appropriate policies and
procedures for authorizing access to its databases and
failed to comply with its own policies on information
access management.
NY Presbyterian/Columbia
NYP and Columbia agreed to settle charges that they
violated HIPAA
NYP paid $3.3 million
Columbia paid $1.5 million
LARGEST HIPAA SETTLEMENT TO DATE
(5/2014)
NY Presbyterian/Columbia
Both NYP and Columbia agreed to a 3-year Corrective Action Plan, which includes:
Undertaking a risk analysis
Developing a risk management plan (submitted to the OCR for approval)
Revising policies and procedures (submitted to the OCR for approval)
Training staff (within 30 days and annually)
Providing incident and annual progress reports to the OCR
Deep violation of patient privacy
Massive reputational harm to both entities
High cost of privacy/data security compliance, on a compressed timetable
“Strategic Prosecution”
Data breaches are a risk for all “HIPAA Covered Entities.”
But if you are big, famous and renowned, with words like
“University of Wisconsin” in your name……
High profile means big headlines, and big headlines have
big impact, and big impact is what government enforcers
want.
Wisconsin
Additional Security Concerns
Cyber-attacks – the number one cause of data breaches,
and typically multi-staged attacks.
Cloud computing begins with social engineering.
Questions
Contact Information
Daniel J. Weissburg, JD, CHC
Compliance Officer - UW Hospitals
Privacy Officer - UW Health
University of Wisconsin Hospitals
and Clinics Authority
Molly R. Berkery, JD, MPH
Attorney
Godfrey & Kahn, S.C.