Agencies Explore Policy Barriers, Synthetic Data to Maintain Health Care Privacy

Ensuring data security while keeping critical health care information flowing across agency networks continues to be a major challenge amid evolving security threats. Certain policies can make it more difficult for organizations to move patient data in a secure and private manner.

Elisabeth Meyers, deputy director of the Office of Policy at the Office of the National Coordinator for Health Information Technology (ONC), said that agencies have the technology moving in the right direction, but there are still policy barriers to overcome.

“The policy barriers are that we often find that the perceived risk of privacy is overtaking the very real risk of not being able to share data accurately for care. So, there is a real privacy risk that is realistic. We know that that exists,” Meyers said. “But very often, the perception of technology being new or different in health care is overtaking that and putting barriers in place … when we could be more freely aggregating data and sharing data in a useful way for care coordination, research, public health and closing that circle of how that data works together.”

Ed Macko, global vice president and general manager for healthcare and life sciences at IBM, said that organizations do have to follow policies that are put in place, however these systems still need to be trusted and transparent.

“Understand that the systems have to allow for fine-grained access so people can actually see the information they need to see but block it for people who don’t need to see it,” said Macko. “These systems have to be configurable to say, ‘Hey, there’s a position that wants to look at the data that may be allowed to do that, but there’s others that don’t.’ And then masking all that personal health information just in general because you want that to be protected.”

There has been a progression from the level of trust between health care systems to apply these aspects of the policy with the viewing systems.

Dr. John Scott, the acting director of data management and analytics at the Veterans Health Administration, said the agency has spent the past decade building trust between health care systems by applying Health Insurance Portability and Accountability Act (HIPPAA) principles.

“The health information exchanges that DOD and VA and others participate in are based on that fundamental trust embodied in [the Trusted Exchange Framework and Common Agreement (TEFCA)] that the other agencies’ employees are going to follow the HIPAA principles, to be allowed to share in the health information exchanges was to get the people whose job is accountability for HIPAA or the A is accountability to trust this,” said Scott.  “How this actually helps us meet the minimum use principle rather than send the entire set of documents between two health care systems. The users of this only need to look up the information they need. We’ve pretty much got that working in health information exchange.”

Synthetic data could be beneficial to agencies when it comes to improving privacy practices and advancing medical research.

The National Institutes of Health (NIH) is one of several agencies using the synthetic data model. According to Vivian OTA WANG, lead for policy, ethics and COVID activities in the Office of Data Science Strategy at NIH, synthetic data is a way of not using the actual data that has been collected, but to actually make a version that processes enough of the information so that people are not identifiable. This way the data still has the characteristics that can be useful in building the algorithms.

“It really addresses a lot of the concerns we have about the informed consent around privacy. But there are downsides. It’s synthetic. And how do you actually know it truly reflects phenomenon of what you’re actually going to do and want to investigate?” OTA WANG said. “Because it’s synthetic, it opens up a lot of, I think, the venue for imagination and the possibility that you aren’t necessarily constrained using full human data. So given that it can make your imagination go wild as well, you need to have safeguards around using synthetic data.”