“Big Data” Privacy and Security Challenges Under HIPAA/HITECH

The four-part HC Topics series “Big Data” examines the evolution and utilization of big data in the healthcare industry and its potential effects on various aspects of healthcare delivery in the U.S. Part I reviewed the history and evolution of big data in healthcare. This second installment addresses the utility of, and barriers to, the use of big data within the context of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules and the Health Information Technology for Economic and Clinical Health Act (HITECH). Subsequent installments will discuss the regulatory and reimbursement drivers and barriers to the utility of big data, as well as the implications of big data for healthcare stakeholders.

As noted in the first installment of this series, big data is defined as “…datasets whose size is beyond the ability of typical database software tools to capture, store, manage, and analyze” [emphasis added].[1] By definition alone, the sheer size of big data presents a challenge to stakeholders wishing to utilize it. Rapid changes in information processing and storage have both helped and hindered this growth in recent years: storage capacity has increased, but adequately leveraging the data requires corresponding changes and shifts in information technology infrastructure.[2] Maintaining management oversight and security over such large datasets poses a daunting problem for stakeholders, as does acquiring personnel qualified to handle such a task. Of note, from 2007 through 2011, while all healthcare jobs grew by nine percent, growth in healthcare informatics jobs quadrupled.[3] However, beyond the inherent challenges associated with the size, storage, and management of big data, it is pertinent to ask whether the privacy of medical data can be upheld without sacrificing or limiting the utility of these datasets.

Maintaining the privacy of Protected Health Information (PHI) under HIPAA is a concern for several healthcare stakeholders with regard to the use and application of big data. The healthcare delivery system often works in silos, with fragmented data scattered across competing enterprises; the resulting challenges with data availability and sharing impede the coordination and integration of care.[4] Under the HITECH Act, providers must implement an electronic health record for patients using systems and technology that facilitate the continuity of information among different providers, while utilizing technologies that adequately protect patient privacy.[5] As providers strive to implement electronic solutions to comply with HITECH regulation, their electronic data infrastructure will require the capability to handle both the storage and management of large amounts of data.[6] The variability among electronic systems may also pose problems for both sharing and continuity of information across different health systems and provider enterprises. Additionally, ensuring that privacy and security are maintained while analyzing such massive datasets, as required under HIPAA/HITECH, could prove problematic,[7] particularly for cloud companies under the recent changes to HIPAA rules for business associates (see the Health Capital Topics article “HIPAA Series Part II: Effect on Business Associates”).

Since the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) initiated HIPAA compliance enforcement activities in 2003, almost 20,000 cases have been investigated, with breaches subsequently found. The top five compliance issues cited since the initiation of these enforcement activities include: impermissible uses and disclosures of PHI; lack of safeguards for protected health information; and lack of administrative safeguards for electronic protected health information.[8] Although the use of big data offers potential benefits in bridging certain gaps in healthcare delivery, e.g., exporting data into databases for public consumption and transferring PHI between healthcare entities, stakeholders must consider and safeguard against the potential pitfalls and HIPAA compliance breaches associated with increases in the size and rate of protected information transfer and sharing.[9]


[1] “Big Data: The Next Frontier for Innovation, Competition, and Productivity”, by James Manyika et al., McKinsey Global Institute, May 2011, p. 1

[2] “Challenges and Opportunities with Big Data”, by Agrawal et al., Computing Research Association, February 2012, pp. 8-9

[3] “A Growing Jobs Sector: Health Informatics”, by Jobs for the Future, June 2012, p. 1

[4] “Big Data is the Future of Healthcare”, by Bill Hamilton, Cognizant 20-20 Insights, September 2012, p. 5

[5] Section 3002 of the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (February 17, 2009), STAT 234-235

[6] “Building Healthcare Big Data Security Best Practices”, by Bill Kleyman, Health IT Security, March 19, 2013, http://healthitsecurity.com/2013/03/19/building-healthcare-big-data-security-best-practices/ (Accessed 6/13/13)

[7] Ibid, Bill Hamilton, September 2012, p. 5

[8] “Health Information Privacy: Enforcement Highlights”, by U.S. Department of Health and Human Services, May 8, 2013, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html (Accessed 6/13/13)

[9] “The Big-Data Revolution in US Health Care: Accelerating Value and Innovation”, by Basel Kayyali, David Knott, and Steve Van Kuiken, McKinsey & Company, April 2013, p. 6
