4

Data Policies and Other Data Infrastructure Considerations

This chapter summarizes the workshop discussions centered on data policies and other data infrastructure considerations. Speakers in this session were asked to focus on the questions below. The chapter concludes with the committee’s conclusions.

• What data policies are likely to be most relevant for the patient-centered outcomes research (PCOR) data infrastructure looking forward?
• What role can the Office of the Assistant Secretary for Planning and Evaluation (ASPE) play in supporting these policies for PCOR studies?
• What characteristics of HHS’ public mission, programs, or authorities could be leveraged?

Pamela Riley, District of Columbia Department of Healthcare Finance, discussed policy considerations to support PCOR on the social determinants of health (SDOH). She focused on ways to address unmet social needs in health care systems and health care settings in order to improve health care delivery. This includes addressing basic resource needs both in the clinical setting and at an individual patient level, as well as using data to address population health issues. Riley noted that the District of Columbia Medicaid agency is currently working to help develop a community-level social needs screening referral and resource inventory and is also working on ways to support data collection, sharing, and use to improve clinical care delivery and population health.

Riley emphasized the importance of being aware of considerations specific to data on SDOH, including sensitivities around data collection, such as the issue of what the data are going to be used for. She noted that collecting data on social needs, such as whether a person has enough food to eat or has unmet financial needs, can be particularly sensitive from the perspective of those who are being asked to provide the data. Because of this, it is important to think about best practices for collecting these types of data to assure that the information is complete and can be reliably used to inform practice. Riley highlighted the related need to involve stakeholders at both the community and patient levels, as well as the need for transparency, noting that lack of trust often hinders efforts of this type and that involving stakeholders could potentially help address this. It is necessary, she said, to engage people, patients, communities, and other stakeholders every step of the way in designing and implementing data collection approaches and research strategies that people are actually onboard with and that will be reliable and useful.

Riley also noted the importance of considering ahead of time how the data will be used. Is it to inform clinical care delivery? Is it to inform population health at the health-system, national, state, or local level? Is it for academic research? The uses of the data need to be considered when thinking about policies around data infrastructures. A related consideration is what specific data are needed depending on the intended purpose. For example, what data does a hospital need in order to evaluate community-level interventions? What does a state need for planning purposes?

Data sharing was another topic discussed by Riley. Approaches to data sharing need to consider the sensitivities, and balance the need to reduce how many times people are being asked to provide the same information with the need to ensure that those who provide the data have confidence in giving permission for the intended uses, which could range from improving their own care to fulfilling a broader purpose.

In terms of interoperability and combining data from multiple data sources, Riley argued that clinical claims data that are being collected from nonclinical entities is one area that represents a challenge.

Concerning consent management, Riley considered this to be an area whose challenges need to be addressed in a systematic way that is broadly applicable. This is particularly important if the goal is to support whole-person studies that include data on physical health, SDOH, and behavioral health. She argued that an infrastructure needs to be put in place for consent management, to facilitate best practices in data sharing for research, and to improve patient care.

Riley pointed to a particular need to identify best practices that work at the local level, because data collection, data sharing, and interventions often have a local focus. She also emphasized the need to develop an

infrastructure for data collection by nonhealth care entities. Community-based behavioral health providers and mental health and substance abuse disorder providers, she said, are especially likely to be lagging behind in their capacity to implement electronic health records. Community-based organizations, in general, would benefit both from being able to participate in health information exchanges and from being able to share data in a standardized way.

Touching on the role of the federal government, Riley said there is a need to build an evidence base for what works. There is room for a federal voice in this, she argued, specifically concerning interventions that work to address SDOH related to health care delivery, what works to address needs and in what settings, and what works among which populations. There is also a need to better understand what data collection approaches are most effective in obtaining complete, reliable data. Related to that, there is a need to understand what gives people confidence and comfort in how the data will be used so that they are willing to share the information. More broadly, there is a need for an infrastructure that facilitates the involvement, at every step of the way, of those who are providing the data.

Abel Kho, Northwestern University, argued for a need to improve the quality of the identifying information being collected, something particularly important because the need for record linkages is becoming increasingly common. As an example, Kho mentioned the use of speeding cameras by the police and how that information is linked to other databases before a speeding ticket is mailed. He also discussed the City of Chicago’s use of Clearview AI for facial recognition, which has then been linked to additional data sets to identify potential criminal activity. Kho said that the use of these technologies raises questions that also have implications for health research. For example, in Chicago, areas with high crime rates also have high rates of chronic disease. Kho echoed Riley’s points related to being thoughtful about why the data are collected, who they are collected from, and what the needs of the communities are. He also emphasized the need for community input on data collection, for example in the case of whether and where to use street cameras.

Kho noted that the way people identify themselves impacts researchers’ ability to perform record linkages. He said that it is important to consider not only the implications of research bias, but also social bias. For example, gender information has historically not been considered useful for record linkages, because this information typically has binary values in electronic health records. However, the concept of gender identity has changed dramatically over the years, and it is now considered to be a much more complex construct. Data systems are not set up for capturing a lot of this information yet, but Kho said that collecting detailed data that reflects how people self-identify is important for a variety of reasons,

including understanding their sense of self-identity and to avoid discriminatory practices.

Those who are interested in data need to be thoughtful about identity concepts, which are evolving and are shaped by the social context, Kho argued. The information available in health records to identify a person for the purposes of record linkages is also constantly changing. While binary gender is captured in virtually all electronic health records, Kho and his colleagues have been noticing an increase in the availability of data on sex assigned at birth and sexual orientation. They also found that social security numbers are less and less likely to be available in electronic health records, while email addresses are increasingly available, and are becoming more useful for record linkage. Other types of information that might be captured and useful for record linkages include driver’s license images and information about the person’s occupation. Kho said that the latter is largely driven by COVID-19. He argued that it is important to think about how to balance considerations such as privacy versus a “big brother” approach, or category labels versus self-identity, in a dynamic, constantly shifting environment.

In Kho’s view, the data available today are subject to historical and social biases, even as the data and identities themselves are constantly changing. Therefore, it is necessary to understand when and how the data were collected. Kho said that policies can help with data hygiene, that is, with standardizing data collections, which is easier to do than addressing data bias. He underscored that data bias is not solely a technical issue. To address it requires engaging stakeholders early and often, particularly among at-risk or hidden populations.

Julia Adler-Milstein, University of California, San Francisco, focused her remarks on the need to use policy levers to advance interoperability, which she described as applicable to many of the topics discussed throughout the day, including data standards, consent management, approaches to identification and patient matching, governance, and incentives to share data. She said that the main lesson from her work in this area is that meaningful progress cannot be made on interoperability if policy efforts, and in particular federal policy efforts, are limited to convening activities. She argued that there is a need for policy actions to address some of the market failures, in particular the lack of incentives to invest in the types of infrastructure discussed throughout the workshop. While recognizing that policy is a blunt instrument, Adler-Milstein said that the types of policies the federal government and states need to focus on are those that create strong incentives to engage in interoperable data sharing.

Although many capabilities have been developed for interoperability supporting PCOR, Adler-Milstein argued, the challenge remains getting those capabilities adopted at scale. She said that to facilitate such adoption,

there is a need to measure and incentivize conformance to existing standards. An example, she mentioned the patient-reported outcomes Fast Healthcare Interoperability Resources implementation guides. These standards are available, but they are not federally required, and there are no test tools that would make it possible to determine whether someone is actually conforming to the standards.

Adler-Milstein also discussed the United States Core Data for Interoperability (USCDI) as a policy vehicle to promote scale. USCDI is a set of data elements that health systems must make available through an application programming interface (via their electronic health records), and that set of data elements will, by definition, expand over time. Thus, Adler-Milstein said that data that are included in USCDI are expected to become available at scale. She added that the data also need to conform to specified standards, but that it is not clear to what extent this will be measured and enforced. Without such measurement and enforcement, there is a risk that a lot of manual work will be required to make use of the data, despite widespread availability.

Adler-Milstein provided several examples of how the framework she suggested could work in several domains. In the case of patients, robust identity data are needed, because when these data exist and they are con-formant, it is possible to perform data matching across sources. Demographic data exist within USCDI, and they have been part of the first wave of required data elements. What is needed now is ongoing conformance assessment and incentives to address poor conformance.

On the patient-centered side, there is a need to support efforts that advance robust identity matching across data sources, in part to overcome the challenges posed by data fragmentation, but also to address the need for longitudinal data. Some examples of projects that are targeting identity matching to support more comprehensive and longitudinal data are Gravity and the Da Vinci Payer Coverage Decision Exchange. Adler-Milstein argued that the first step toward developing policies that support scaling PCOR activities would be to identify which use cases are important to prioritize. In turn, this would facilitate adding patient-centered outcomes data that support those use cases into USCDI.

Deven McGraw, Ciitizen, provided an overview of the existing privacy laws that govern how data are accessed, used, and shared for research. The four laws that are most relevant are

1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
2. “Part 2”, which relates to regulations on substance abuse data confidentiality.

3. The Family Educational Rights and Privacy Act (FERPA), which covers educational institutions.
4. The Privacy Act, which covers federal government data resources.

In the case of some entities, more than one of these laws might apply.

McGraw said that HIPAA has the most impact on PCOR data. She noted that HIPAA does not cover all health data, only the data of covered entities and their business associates. This coverage, however, is broad, and it includes most doctors and hospitals, health plans, and contractors. Exceptions might be some doctors practicing concierge medicine and some mental health professionals.

McGraw noted that HIPAA only governs identifiable data, which is known as protected health information (PHI). The disclosure of PHI is permitted for uses that fall in the category that combines treatment, payment, and operations. Public health disclosures are included among the permitted uses. McGraw said that in general, HIPAA was designed to enable data flows within a health care system, and data flows that are usual, expected, and customary, but it might be important to disclose only the minimum information necessary, particularly when the data are not used for treatment.

PHI can also be disclosed for research. This use of identifiable data was not considered to be standard and usual, but rather something that would require the consent of the person whose data would be used. However, regulators have recognized that requiring authorization for all research might not be feasible, so provisions exist that allow for a privacy board or an institutional review board to waive the consent requirement. Recent guidance from HHS enables an entity that is covered by HIPAA to obtain broad consent for research, instead of study-specific consent, for future uses of data. There are also provisions for the use of limited data sets, which involves removing some identifying information but allowing some identifying data elements to be left in.

McGraw said that the Common Rule is not included among the laws that govern data disclosure, because the Common Rule is a research ethics rule, not a privacy rule. However, there are many similarities between how HIPAA and the Common Rule govern research uses of data.

Data that are de-identified are not covered by HIPAA, and McGraw noted that it is also typical for privacy laws globally to only apply to identifiable data. One approach to de-identification is the Safe Harbor method, which involves the removal of identifiers that fall into 18 categories. It is also possible to rely on expert opinion (such as that of a statistician) to determine whether there is a risk of re-identification for a particular data set.

McGraw said that the use of data that are not identifiable falls outside of the realm of privacy regulations and that is why this type of data is

widely used in research, but it is also why there is a robust commercial trade of unidentified data. She noted that data that are not identifiable are not aggregated data, but individual-level data that have been stripped of identifiers or manipulated in some other way (e.g., by noise being introduced) to reduce the risk of re-identification. She emphasized that the standard is very low risk, rather than zero risk, and that there are no penalties to protect those data against re-identification.

Some state laws provide stronger data protections than HIPAA, and McGraw said that HIPAA does not preempt such laws. State laws typically govern access to data on minors, with minors in some states holding the right to consent to the disclosure of certain types of data for research, to third parties, or to their parents. Other states have robust consent laws that are not limited to minors, but as with HIPAA, they typically cover only identifiable data.

McGraw also noted that while HIPAA addresses permitted disclosures of data, it does not require the sharing of data for research purposes. However, the new information blocking rules¹ that went into effect in April 2021 create a presumption for sharing electronic health information for any lawful purpose, including research. These rules apply to health care providers, certified electronic health records vendors, and health information exchanges. Initially they will cover the USCDI data elements, but eventually they will cover all electronic health information. The penalties for “blocking” the sharing are up to $1 million per incident for electronic health records vendors and health information exchanges. The providers are referred to the Centers for Medicare & Medicaid Services (CMS) for “appropriate disincentives.” There are eight Safe Harbor provisions that allow an entity covered by these rules to decline a request for data sharing. These provisions are related to concerns such as privacy, security, harm, and infeasibility.

McGraw said that there has not yet been any enforcement since the rules went into effect (approximately 2 months prior to the workshop), and the rules around enforcement are still under consideration. McGraw noted that providers who want to decline a request for data have to attest to CMS that they are not information blocking, and if that claim does not hold up it could result in a False Claims Act penalty.

Another area where there are new developments concerns patients’ rights to their own data. Patients already have the right to their data under HIPAA, but this is now being more robustly enforced. Information blocking rules prioritize access by patients or apps acting on their behalf. There are also provisions to allow people to send data from their electronic health

___________________

¹ For more on information blocking, see https://www.healthit.gov/topic/information-blocking.

records directly to third parties, such as researchers, but these are still pending implementation.

Don Detmer, University of Virginia, shared his views on policy reforms necessary for robust data sharing for PCOR. He noted that HIPAA was passed into law in 1996, before use of the Internet became widespread. Today the use of data for health research is still defined by the rules that were developed based on “pre-Internet thinking,” with some minor regulatory tweaks taking place over the years. Detmer said that while there are some promising developments, it is time to ask whether this system is working.

The societal context today differs from what it was before the Internet. A large volume of new forms of data is available, and there is growing interest in goals such as equity, engaging patients and citizen-scientists, supporting precision medicine, and supporting precision health. Detmer said that continuing to do things within the current framework is going to be less than optimal. He argued that the basic structure for conducting research needs a reset to allow for informed public policy development that addresses new societal desires, with citizen-scientists, patients, and health providers as primary players in the data system, along with covered entities and business associates.

Detmer argued for reviving and enacting the HIPAA changes included in section 1124 in H.R.6, the initial 21st Century Cures Act. The revisions proposed at the time were to expand the access, use, and sharing of PHI from treatment, payment, and health care operations to also include “data research.” In 2015, H.R.6 passed the House by a vote of 344 to 77, but it did not pass the Senate.

Detmer described several current prevailing options for data sharing, clinical registries, and de-identified data sets, each of which he considers flawed. Registries with individuals donating their data are time-consuming to build and maintain and typically do not contain enough information. The aggregating of data sets that are limited to begin with has limited use when diverse data are sought. Using de-identified data poses additional challenges because authentication is difficult or impossible with diverse data sets.

Looking at potential solutions, Detmer wondered whether regulations could allow the use of text or e-mail for the sharing of PHI for research, and in particular the use of text or e-mail for obtaining approval from individuals. This would address the burden and challenges associated with obtaining written consent. He also wondered whether authorization could be created that would allow specified entities, such as the Patient-Centered Outcomes Research Institute, to securely access PHI in relevant databases, without individual consent. Detmer observed that while this is probably not realistic within the current system, it is allowed in some countries. He also suggested developing a system for unique patient identifiers, which becomes

especially important for the use of longitudinal data. Secure options for handling this type of information exist today.

Detmer argued for the need for a National Academies study that would develop a vision and a plan for a sound functional replacement for HIPAA. He mentioned a prior study that could serve as a model.² His desired goals and capabilities for the new framework would include robust system security for all data and “no-questions-asked opt-in” privacy for sharing personal data. He added that the data sharing would assure (1) system trust, (2) compassionate care, (3) scientific health care practice and evaluation for individuals and populations, (4) support for citizen-science and special populations, (5) secure unique personal identifiers, (6) pandemic data fitness and management, and (7) automation of all business operations and other administrative functions to reduce the time investment required.

DISCUSSION

One topic that was discussed by workshop participants in additional detail related to the role of the federal government in incentivizing the adoption of standards and assuring conformance. Participants cautioned about the burden associated with requirements of this type, and the potentially disproportionate burden on smaller health care providers.

A theme that emerged from the discussion was the need to better understand what type of information is truly important to people. Participants discussed projects such as Pastors 4 PCOR that involved community-based organizations to facilitate community engagement in research, identify specific disease priorities, and build trust.

Another topic that was revisited was the desire to link data from different sources and the consent and privacy challenges associated with this. In many cases complications related to consent prevent data sharing and linking, even when people are interested in making their data available for research. There was debate about the extent of public support for the concept of a unique identifier and whether the potential benefits are becoming more widely recognized. Technical solutions, such as tokenization, are creating new options that did not exist before, and this presents an opportunity to reassess these questions in new light.

Participants discussed the need to revisit HIPAA, which was passed in 1996, before the spread of social media, apps that require broad consent for data sharing, and expansive databases that are publicly available or can be purchased. HIPAA, in its current form, is not focused on privacy, and it

___________________

² Institute of Medicine. (1997). The Computer-Based Patient Record: An Essential Technology for Health Care (revised edition). Washington, DC: National Academy Press. https://doi.org/10.17226/5306.

only covers a small slice of health data. Many aspects of the regulation are outdated. Solutions could range from updating HIPAA “at the margins” to comprehensive privacy legislation. Participants commented that ASPE could have an enormously influential role in bringing stakeholders together on this issue.

CONCLUSIONS

This session echoed discussions from previous sessions about the importance of transparency in how the data will be used. Speakers also echoed the need to involve the people whose data are being used, as well as their communities, in decisions at each stage of the process, from data collection through research and dissemination. Building and maintaining trust with those whose data are being sought is essential to ensure that the data obtained are representative, complete, and reliable. This is especially important when the data could be perceived as sensitive, as is the case with some SDOH information.

The workshop made it clear that there are concerns about the laws and rules governing data access and data sharing. HIPAA, in particular, was developed several decades ago, and its approach to setting thresholds for data disclosures makes it outdated. There is a need for a new framework with guardrails that balance the risk of disclosure with the need for research that improves peoples’ health. This includes a need for a critical review of current privacy legislation, an understanding of public perspectives, and the development of recommendations for revisions or reform that would be applicable to the protection of health data in the post-Internet world, with a focus on preventing misuses of the data.