This past week, hundreds of health care information technology (IT) stakeholders descended on Arlington, Virginia to attend the Workgroup for Electronic Data Interchange’s (WEDI) 2019 winter conference. WEDI brought together doctors, hospitals, health plans, laboratories, pharmacies, clearinghouses, dentists, vendors, government stakeholders and more.
In case you were not able to attend, here is a recap of the key topics discussed:
Dr. Donald Rucker, the National Coordinator for Health Information Technology at the Office of the National Coordinator for Health IT (ONC), delivered opening remarks on interoperability. He underscored that there should be no data blocking and that patients should have access to their data. As for pain points, he said, “Prior authorization needs to be addressed, as it is not an efficient process.” Data needs to be computable, not just served in a document. He added that we need “actual transmission of data” in order to automate.
He ended by saying application programming interfaces (APIs) are the “modern economy.” In order to actualize this, he implored stakeholders to remove “clumsy” and “unnecessary” data. He also suggested utilizing real-time data and imaging data.
Elisa Jillson, an attorney in the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, discussed the FTC’s approach to health privacy in a changing technological world. She started the conversation by discussing the FTC’s Health Breach Notification rule. Under this rule, there are three types of covered entities: vendors of personal health records (PHRs), PHR-related entities, and third-party service providers. She cautioned that Section 5 authority of the FTC Act extends to both HIPAA and non-HIPAA covered entities. In addition, she advised that if an organization is interested in sharing consumer health information, they must look to HIPAA and the FTC Act.
As far as mobile applications are concerned, she has noticed increased use by both providers and consumers. She expects even greater use by 2026. In a similar vein, with the increased use of DNA testing kits, she urged organizations to consider the privacy implications, as DNA testing kits share the DNA of every relative of the submitter.
Deidentification and Reidentification
Daniel Barth-Jones, an infectious disease epidemiologist at Columbia University, discussed the types of deidentification and the dangers of reidentification. He started his session by discussing the societal value of deidentified data. He identified quality improvement, fraud detection, patient safety, statistical analysis and privacy as benefits. He then cautioned against the misconception that the encryption of data is not deidentified data and is not suitable for data masking.
He acknowledged there is risk to HIPAA expert determination conditions but that the risk is very small. Scientists have demonstrated that they can often reidentify or deanonymize individuals hidden deidentified data. Using just zip code, birth date, and gender, 63% of deidentified data can be reidentified. Jones said the reality is, “Perfect deidentification is not possible. It does not free data from all possible subsequent privacy concerns. Data is never permanently deidentified.”
To mitigate against this risk, he advises reducing key resolution by reducing the number of quasi-identifiers. He also advises increasing the population sizes of geographic reporting units. For example, allowing a three-digit zip code rather than five digits. In addition, increasing the population size decreases the probability of an individual being unique within reporting. He warned poorly conducted de-identification can lead to “bad science” and “bad decisions” but ended by saying successful solutions preserve the privacy of individuals.
Kevin Deutsch and Justin Petragnani with Charles Stellar, President and CEO of WEDI. Softheon received the Outstanding Corporate Sponsor Award, which recognizes a vendor who has served as a strong champion in health iT through their continued commitment to WEDI’s sponsorship programs.