Healthcare data is very contentious and has become even more so with the advent of electronic records. There is mostly a universal agreement that the health record of the patient is a “patient health record” and is therefore owned by the patient. In this context Dr Muthu Krishnan, Chief Digital Transformation Officer, IKS Health looks at certain aspects pertaining to patient health data management for healthcare organisations: ownership, usage, storage, legality, and their ramifications, individually
India is fast adapting to the digital revolution in healthcare. The pandemic has reinforced the need to intensify India’s need to build-up a stronger and more reliable healthcare system. Although, global healthcare systems have adapted to and taken this journey a couple of decades ago and are now moving from digitisation towards “digitalisation”. These organisations are enhancing their adoption of digital technologies by embracing best practices in the use of technology from the front office through the middle office and to the back office for all operational, support and care delivery applications and data management.
The Indian healthcare network delivers care to an expanse of socio-economic landscape, that is also geographically diverse. This impacts the quality of healthcare thus creating the need to put in place a mechanism that promotes digital adoption, leading to improved synergy in processes thereupon impacting the quality of healthcare delivery. Although, in effect, the urban Indian healthcare organisations have taken deliberate steps towards enhancing digital integration of patient data, the new national healthcare promise necessitates big data integration. As India takes the big leap towards handling complex data sets, especially from new data sources, the big question at the moment is the responsibility, and the implications of storing the data. In this context it is pertinent to look at certain aspects pertaining to patient health data management: ownership, usage, storage, legality, and their ramifications, individually.
Ownership of the data
Healthcare data, more specifically Electronic Health Records (EHR), are considered private and are subject to privacy and data security laws. Both these impact how the data is stored and shared or used. Healthcare data is very contentious and has become even more so with the advent of electronic records. There is mostly a universal agreement that the health record of the patient is a “patient health record” and is therefore owned by the patient.
It is useful to review how this data could be used and thus be transferred to various ‘users’ or ‘reviewers’:
- By the patient so they can learn and carry their health data for continuity reasons
- By the physician so they can provide the right level of care and exchange the necessary health data with other clinical collaborators for the patients health both to ensure clinical or medical care coverage and to ensure patient adherence to clinical advice
- Labs and imaging centers so they can determine whether results are within or outside acceptable parameters
- Health insurance companies that want to assess whether the right level of care was provided and if they should pay for it
- Pharmaceutical companies need patient health data for drug discovery and clinical trials
- Life insurance companies need access to patient health data for underwriting coverage for life insurance
- Marketing to the patient, directly or indirectly, for everything from daily consumable supplies to insurance to medicines
The patient’s health data ‘moves’ from one place to another for a variety of reasons, and it does not remain in the custody of the patient in continuity, while the ownership of the data continues to be with the patient. The data that is in the patient health record is the cumulative effort of various parties in providing and managing care for and of the patient. Therefore, one could argue that the entirety of data should be under the “ownership” of the patient in full and in a form that is readily shareable and usable for any ongoing care, while ensuring the integrity of the data is maintained. Typically, this could be for one’s own use or for the data to be made available to another person or entity to help make medical determination as in the case of a specialist referred to be a primary care physician, at will. Data for use by any “authorised user” should have limited rights to use of the data that they are authorised to see. For example, someone collecting payment from a patient does not need medical / clinical data. Or, someone reviewing a health record to help the patient conform and adhere to medical advice should not be able to edit it. Effectively, this means that the permission to access specific data for a specific purpose for a defined time period is given to the “authorised user” without change of ownership of the data, irrespective of where it rests.
Use of data
Once the data is captured and stored with the “authorised user”, data can be used in one of the many direct or indirect healthcare settings. For instance, data could be used in the aggregate for analytics. Unless explicitly authorised no data should be used with explicit user identity. In cases where Personally Identifiable Information (PII) is needed for continuity of care, prevailing interoperability protocols for sharing of clinical data must be used. If data is authorised for use it should be explicitly specified if the data can be “identifiable” or “non-identifiable” before the data is shared. The generally accepted norms of de-identified data are similar to how financial data security is treated, but with additional nuances, as specified under national laws. Two popular mechanisms – “Safe Harbour” and “Expert Determination”, are most commonly used methods for determining if the data is de-identified appropriately.
Artificial Intelligence (AI), Machine Learning (ML) and Natural Language Process (NLP) all use data. The use of the patient data for any AI, ML and NLP does not allow technology companies to use patient data at will without prior authorisation. A number of population health companies that provide “managed care” and companies that provide disease specific technologies should be careful not to reveal PII unless needed to deliver care. Patients and their authorised users must be careful and treat health data as financial data to avoid data and identify hijacking.
Storage and movement of data
Irrespective of where or how the data is displayed, data should be stored and moved in encrypted format. While data encryption can be done at the software level, storing in an encrypted disk is robust and reliable; and data should only move over encrypted networks.
Healthcare companies that require storing and accessing patient data need to fortify their data security and accessibility provisions. Mobile access to data must ensure that the devices have the right data policies and may have to think about putting in place the right Mobile Device Management policies. Patients and authorised users must ensure that mobile devices are not open to access without the right credentials. Storage in mobile devices should be properly encrypted and authorised.
Considering we deal with a lot of paper records at present, organisations must ensure any paper record is properly matched to its right digital owner. Applications should ensure that the right information is displayed and there is no risk of wrong data being read or written (such as, different patient data being presented besides the one that was requested). All data requests should be authorised, accessed with proper credentials and must be logged for read and write irrespective of who the user is.
Organisations must be aware that network security, protection from viruses and multi-factor authentication are good security protocols to follow. Authentication allows the user to access the system where the data is stored, authorisation permits the user to access the data. Successful authentication and authorisation are both required to allow the right level of access to the right data. Every organisation must put in place the controls and reporting structure to ensure compliance and to be equipped to handle any breach quickly and safely.
Depending on the national laws, lack of attention to security and data privacy laws may result in very expensive remediation. If the organisation deals with patient data, they should consider having a Chief Compliance Officer and a Chief Information Security Officer. Every organisation must ensure a data ombudsman to ensure that data security questions and issues are handled quickly, transparently and satisfactorily with the affected parties and any government agency as needed. Organisations must be mindful of any public fallout in instances of data breaches, and work to reinstall confidence among the users. As security technology advances, organisations should continue to improve network and data security. They should maintain continuously updated Standard Operating Procedures (SOPs) and protocols to ensure user data security requirements are up-to-date and are able to recover securely in case of adverse events.
Digitisation of patient records in healthcare cannot be denied or postponed, the urgency to have the machinery in place is now. Data helps in decision making — properly designed systems will allow in improving outcomes, research and so on. Timely accessibility of data can improve health outcomes. Transportability or simply portability of health data makes it easier to share data between physicians and other care providers, thus curtailing the need to physically carry records or limited records due to accessibility. This also means that data availability can reduce the cost of care by avoiding costly duplicate tests. Electronic data helps with traceability through “bread crumbs” with proper logging of access. The future of data use is broad, deep and extensive, ranging from actual patient care, paying for care, research and a lot more. It is therefore paramount that organisations ensure that they put in place measures that instill confidence about its commitment to the privacy and security of data across the spectrum of users that own, edit, create, review and use the data.
As India takes up the opportunity to digitise patient records, it must prepare to accept the tremendous responsibility of data privacy and security. Healthcare organisations need to be vigilant, and mindful of the power that patient health records carry in helping healthcare become more efficient and personalised. With the right technology solutions, even this colossal task can be accomplished.