The Security-Utility Balance and Healthcare Data

When you visit your doctor, chances are you could pay a copay or coinsurance bill with a credit card saved on your smart watch. Odds are, however, that your doctor has no way of obtaining and analyzing all the health data that the watch collects about you, even though it could contribute to revolutionary diagnostic and treatment advances.

There are likely a number of factors that have led to this scenario, where certain kinds of data (e.g., financial) are readily usable, but others (e.g., medical) are not. One factor contributing to medical data lagging behind other kinds is the design of the Health Insurance Portability and Accountability Act of 1996, commonly known by its acronym HIPAA. That legislation contained critical, landmark protections for patient privacy, but it did not preclude achieving compliance with its terms by siloing health information, which has led to healthcare data balkanization.

A custodian of personal health information (PHI) knows that if she keeps data in a format that is interoperable and transmissible, she risks liability under HIPAA if important safeguards are not taken. Such safeguards might include, for instance, investing in sophisticated encryption mechanisms for which the custodian is unlikely to be reimbursed. By contrast, a way to stay away from HIPAA liability with minimal cost is to make the PHI inaccessible to other people and systems, even when they have legitimate uses for that data. The problem is that such inaccessibility inhibits the ability of technology to live up to its full potential in the medical sector, leading to suboptimal outcomes for patients.

One provider or facility’s PHI on a patient — let alone information from less traditional sources, like wearable devices — is not accessible to another. This absence of interoperability leads to waste and errors. There are instances where the effects of data balkanization are mitigated, such as where providers are part of the same health system and use a common electronic medical record (EMR), but data from countless sources outside the system are not commonly incorporated to help a practitioner develop a full picture of a given patient’s circumstances. The health system’s EMR is the exception that proves the rule, as patients are likely to have copious healthcare data residing outside the system’s EMR.

The 21st Century Cures Act of 2016 (the Cures Act) represented an effort to deal with PHI balkanization by empowering the Office of the National Coordinator for Health Information Technology (ONC) to promote standardization of healthcare data, a precursor to interoperability. The Cures Act prohibits a covered “actor” from committing “information blocking” by inhibiting access to certain electronic PHI. In simple terms, HIPAA protects the confidentiality of certain health information, and the Cures Act prohibits achieving HIPAA compliance by unwarrantedly siloing the data.

Figure: The Security-Utility Balance and Healthcare Data

Source: Adapted from Healthcare Compliance Pros, “The Information Blocking Rule 2022: What Healthcare Providers Must Know.”

At Pearl Health, we develop secure technological solutions that empower providers to review, process and analyze vast amounts of clinical data from various sources. We welcome the ONC’s efforts under the Cures Act to standardize PHI so that it can be a valuable, albeit protected, asset for improving health outcomes, rather than a potential resource left squandered.

Jon Goldin

Chief Legal Officer, Pearl Health