1         Executive Summary

This report addresses privacy and security concerns as well as recommendations related to the application of big data in the healthcare space. The Privacy and Security Workgroup (PSWG) of the Health Information Technology Policy Committee (HITPC) is charged with investigating and providing recommendations to the National Coordinator of the Department of Health and Human Services (HHS) on privacy and security issues related to the electronic exchange of health information. The application of big data in healthcare impacts one of the PSWG’s core values; specifically, that patient needs and expectations should be considered, and that “patients should not be surprised about or harmed by collections, uses or disclosures of their information.”[1]

The collection, analysis, and use of large volumes of data will be a driver in the economy for the foreseeable future. Through the proliferation of software applications and mobile devices, the amount of health-related data is growing exponentially. As the volume, velocity, and variety of data continue to grow, so do the potential risks arising from unknown and inappropriate uses of protected health information (PHI).[2] Many see the application of big data analytics in healthcare as an opportunity to improve the health of both individuals and their communities. Others are concerned about new risks to the privacy and security of personal information.

In response to a charge from the White House to consider the impacts of big data analyses, the PSWG invited relevant experts and interested stakeholders to testify on the opportunities and challenges of health big data, health big data concerns and harms, and the advantages and limits of current laws concerning the use of big data and emerging technologies. The PSWG held a total of three (3) hearings between December 2014 and February 2015, where 21 individuals from across the healthcare spectrum were invited to speak. The invited panelists are leading experts with a diverse perspective on issues related to big data in healthcare, and they represent a wide range of stakeholder groups, including consumer and privacy advocacy groups, consumer-facing enterprises, academia, big data analytics companies, and healthcare delivery systems.

1.1        Opportunities

The collection and analysis of large data sets offers the promise of many improvements in the health environment. Big data is expected to improve our understanding of the efficacy and safety of medical treatments and improve outcomes for the treatment of common diseases.[3] Additionally, big data can help us better understand the performance of medical devices like artificial joints.[4]

The use of big data analytics in healthcare is anticipated to provide both personal and community-wide benefits. On an individual level, big data can advance personalized medicine by providing evidence for vaccine safety and providing insight into which treatments may work best for certain people.[5] On a community level, big data is expected to advance population health and improve community-wide care[6] by understanding how conditions like asthma, obesity, high blood pressure, and diabetes are concentrated in specific communities or grouped by age, gender, or other characteristics.[7] Moreover, big data will continue to enable public officials to identify and track the spread of infectious diseases and respond in a timely manner.[8]

Big data analytics can also support growth of a learning health system, which is “an environment that links the care delivery system with communities and societal supports in ‘closed loops’ of electronic health information flow, at many different levels, to enable continuous learning and improved health.”[9] ONC recently released a draft roadmap for the interoperability of clinical data to support research and big data analyses on the path to achieving a nationwide learning health system.[10]

Finally, data is driving rapid growth in the technology industry, particularly with regard to wearable devices and software applications that track personal health-related information. Although there are “exciting potential benefits” in wearables and other technologies, there are “cautions to be heard and challenges to be overcome.”[11]

1.2        Challenges

The application of big data in healthcare also faces challenges with regard to privacy and security. First, big data is not precisely defined, which makes it more difficult for legislators to enact laws that regulate the collection, use and analysis of it.[DM1] [12] Additionally, in a big data world, almost any kind of data can be health-related data,[13]so laws or regulations that target health data or traditional health care providers, may not regulate certain uses of Big Data for health purposes, such as the use of non-health data to infer health conditions.  Thus, appropriately scoping legislation or regulation is a significant challenge.

Defining privacy harm is a challenge because the concept of harm is often subjective and dependent on context.[14]  Defining acceptable uses of data faces similar challenges.[15]

Challenges with Big Data are also found in the traditional privacy and security protection practice of data de-identification.  While de-identification is a well-established and useful tool for traditional data protection, Big Data introduces new risks of re-identification due to the sheer volume of data and the broad variety of data sources in the Big Data ecosystem..[16]

Data security is also a concern. Security risks have increased with the growth[SC2]  of health-related data and its value to both the health industry and to businesses[SC3] . Security challenges include both internal threats and sophisticated external attacks, such as the recent Anthem breach.[17]

Additionally, algorithms that rely on big data and that are applied to make decisions about individuals, which may shape their behaviors and opportunities, are not well understood by the public. This lack of transparency, which was repeatedly cited as a concern, creates the potential for undetected discrimination to occur, which could reduce public trust in data exchange.[18]

Finally, the current data protection legal landscape is complex and confusing, which is partially caused by both under-regulation and over-regulation.[19] Most health-related data generated today is not regulated by the Health Insurance Portability and Accountability Act (HIPAA), which provides baseline privacy and security rules for covered entities (health care providers, payers, and health care clearinghouses) and their business associates.[20] On the other hand, regulations applicable to research, although well-intended, have posed challenges for researchers.  In addition, patients experience barriers to gaining full access to their personal health information.

1.3        Overarching Themes

During the course of its deliberations on big data, the PSWG identified three overarching themes. First, big data analytical methods are applying pressure on traditional fair information practice principles (FIPPs),[21] which include transparency, individual participation (including consent), data minimization (including collection, use, and purpose limitation), and security. Regardless of these pressures, the FIPPs remain the most flexible, comprehensive, and resilient framework for ensuring the privacy of personal information.[22]

Second, preventing harm in a big data ecosystem will be a challenge, especially when there is a lack of consensus on which uses are “harmful” or “acceptable.” While defining the ends of the spectrum on appropriate use would be fairly straight-forward (ie, uses that are clearly good and uses that are clearly harmful), defining the middle of the spectrum would be very difficult. In the middle of the spectrum, what one community would define as a harmful or acceptable use of data could be different from how another community would define it. Furthermore, the definition of harmful or acceptable use could change over time. The combination of the lack of definition of “harmful” use and inability to predict what future uses could be harmful creates challenges in developing policies to prohibit harmful use of data.  

Third, efforts to appropriately address health big data confront a complex legal landscape, which continues to confuse patients, providers, health IT developers and other stakeholders in the Big Data ecosystem, including mobile app developers. Traditional health care entities and the data they collect and generate are governed by the Office for Civil Rights’ enforcement of the HIPAA privacy and security rules. However, a great deal of health-related data is now generated and consumed outside of this HIPAA-regulated space. Whereas covered entities and their business associates are bound by HIPAA’s Privacy and Security Rules, non-covered entities are subject to different legal obligations, which include the Federal Trade Commission’s (FTC) consumer protection authority to combat unfair or deceptive trade practices under Section 5 of the FTC Act. The exact same health-related data is regulated differently merely based on the entity processing the data.  Additionally, data flowing between HIPAA and non-HIPAA environments may face both sets of laws and regulations. Finally, state Consumer Protection laws based on similar principles of deception, enforced by State Attorneys General, as well as State HIPAA-like laws, add an additional layer of complexity. Consequently, privacy and security risks of non-compliance are difficult to understand without painstaking mapping of data movement and a thorough knowledge of state and federal laws.  This results in misapplication of existing rules which has resulted in both lost opportunity and increased risk..

This report is divided into the following six sections:

• Section 1: Executive Summary
• Section 2: Background (including the PSWG’s charge)
• Section 3: Scope (including summaries of other related initiatives)
• Section 4: Expert Testimony
• Section 5: Problem statements
• Section 6: Recommendations
• Section 7: Bibliography

[To be Added: for final draft, add high-level summaries of recommendations to executive summary]

2         Background

2.1        Privacy and Security Workgroup Charge

In response to the White House report on big data[23] and other complementary federal initiatives, the PSWG was charged to investigate privacy and security issues related to big data in the healthcare space and recommend actions to address critical challenges. This section briefly summarizes the reports that shaped the PSWG’s charge.

2.1.1        White House Report on Big Data and the President’s Council on Advisors for Science and Technology Report

On May 1, 2014, the White House released a report on big data that highlights the pressure on traditional privacy-protective measures (i.e., FIPPs), such as de-identification, notice and consent.[24]  The report recommends that government “lead a consultative process to access how HIPAA and other relevant federal laws and regulations can best accommodate the advances in medical science and cost reduction in health care delivery enabled by big data.”[25] The report acknowledges the complexity of the current federal and state legal landscape regarding patient data and privacy, and suggested the “need to carve out special data use authorities for the health care industry if it is to realize the potential health gains and cost reductions that could come from big data analytics.”[26] Finally, the report highlights that neither HIPAA nor other privacy laws regulate many organizations that collect health-related data, and that consumer privacy expectations may not be met in the current ecosystem.

The White House report is complemented by another report released on the same day by the President’s Council of Advisors for Science & Technology (PCAST) report, which reinforced the pressure that big data places on the FIPPs.

2.1.2        White House Open Government Partnership

The PSWG took note of the White House Open Government Partnership, which is a global initiative that began in 2011 to promote transparency and leverage new technologies, among other objectives. The Partnership calls for the use of big data to support greater openness and accountability, and highlights the need to “ensure privacy protection for big data analysis in health.”[27] Specifically, it recommends that to “ensure that privacy is protected while capitalizing on new technologies and data, the Administration, led by the Department of Health and Human Services, will: (1) consult with stakeholders to assess how Federal laws and regulations can best accommodate big data analyses that promise to advance medical science and reduce health care costs; and (2) develop recommendations for ways to promote and facilitate research through access to data while safeguarding patient privacy and autonomy.”[28]

2.2        PSWG Plan of Action

Beginning in October 2014, the PSWG held several public meetings and hearings in which experts presented and discussed key issues. The Workgroup analyzed the testimony and began drafting and refining its recommendations.

PSWG held two days of public hearings on December 5 and December 8, 2014. The Workgroup invited panelists from industry, non-profit organizations, academia, and law to address the following issues as they relate to big data: (1) health big data opportunities, (2) health big data concerns, (3) the learning health system, (4) protections for consumers, and (5) current laws. Please see Appendix A for a list of public hearing topics and speakers.[29]

Following these hearings, the PSWG began its deliberations. In February 2015, the PSWG heard additional testimony on health big data security issues, and in March, the PSWG updated the HITPC on the workgroup’s progress. Workgroup deliberations continued through June 2015.

3         Scope

In identifying specific issues to address within its charge, the PSWG benefitted from the lessons and recommendations of other initiatives and activities. The following section summarizes several of these initiatives.

3.1        Concurrent Initiatives and Efforts

The PSWG recognized the important big-data-related work that is being performed by both public and private stakeholders, often in partnership.  The PSWG strove to complement these efforts and address gaps where they were identified. Below are brief descriptions of some of the efforts that are currently underway.

3.1.1        Federal Trade Commission Internet of Things Report

In January 2015 the Federal Trade Commission (FTC) released a report[30] on the Internet of Things (IoT). The report, which summarized the discussions from a workshop held by the FTC in 2013, focused on FIPPs-related issues such as security, data minimization, and notice and consent. One of the report’s recommendations is that Congress should enact general data security legislation.[31] The Commission also reaffirmed its commitment to strengthen data security enforcement tools, enforce existing privacy laws, educate consumers and businesses, participate in multi-stakeholder groups, and advocate for consumers.

3.1.2        Precision Medicine Initiative

Launched in 2015, the Precision Medicine Initiative aims to “generate the scientific evidence needed to move the concept of precision medicine into clinical practice.”[32] Among the Initiative’s objectives is a commitment to protecting privacy.  The White House intends to accomplish this via a “multi-stakeholder process with HHS and other Federal agencies to solicit input from patient groups, bioethicists, privacy, and civil liberties advocates, technologists, and other experts in order to identify and address any legal and technical issues related to the privacy and security of data in the context of precision medicine.” The initiative also seeks to modernize regulations by evaluating what changes are needed to support new research and care models, including a privacy and participant protection framework.[33]

3.1.3        21^st Century Cures

Launched in 2014, the 21^st Century Cures initiative aims to “help accelerate the discovery, development, and delivery of promising new treatments and cures for patients and maintain the nation’s standing as the biomedical innovation capital of the world.”[34] The House Energy and Commerce Committee released an initial discussion document on January 27, 2015,[35] and on May 21, 2015, the Committee unanimously approved advancing the 21^st Century Cure Act.[36] The 21^st Century Cures Act aims to advance interoperability among patients, researchers, providers and innovators, modernize and personalize health care, while encouraging greater innovation and supporting research.[37]

3.1.4        Federal Health IT Strategic Plan and the Shared Nationwide Interoperability Roadmap

The 2015-2020 Federal Health IT Strategic Plan builds on ONC’s previous strategy to advance the widespread adoption of health IT.[38] Under the plan, ONC’s vision is that “health information is accessible when and where it is needed to improve and protect people health and well-being,” and its mission is to “improve health, health care, and reduce costs through the use of information technology.”[39] Objective 5B – Accelerate the development and commercialization of innovative technologies and solutions – references big data. For this objective, ONC plans to adopt a strategy to “fund organization learning and research, and promote innovation for new health IT products and solutions” that incorporate “advances in big data, computation and analytic methods, and other scientific discoverers that use health IT securely to help resolve challenging health problems.”[40]

ONC’s Shared Nationwide Interoperability Roadmap[41] leverages the second goal of the Federal Health IT Strategic Plan; which is to advance secure and interoperable health information.[42] This goal provides the foundation for achieving the balance of ONC’s goals.[43] Big data is referenced under the learning health system (LHS) requirement for shared governance of policy and standards that enable interoperability across the health ecosystem. In the 2018-2020 timeframe, ONC plans to participate with stakeholders in a coordinated governance process to define a policy framework for the interoperability of clinical data that supports research and big data analyses.[44] In the 2021-2014 timeframe, ONC and stakeholders will continue their coordinated governance process to define criteria and implementation specifications to support the interoperability of clinical data to support big data analysis nationwide.[45]

3.1.5        Patient-Centered Outcomes Research

The Patient-Centered Outcomes Research Institute (PCORI) is a nonprofit, nongovernmental organization established as part of the Patient Protection and Affordability Care Act of 2010. PCORI’s mandate is to “improve the quality and relevance of evidence available to help patients, caregivers, clinicians, employers, insurers, and policy makers make informed health decisions.”[46]

PCORI funds comparative clinical effectiveness research (CER) that will provide evidence to help patients and their caregivers make better-informed decisions. To facilitate more efficient CER that could significantly increase the amount of information available to healthcare decision makers, PCORI has created PCORnet: The National Patient-Centered Clinical Research Network. PCORnet is a national patient-centered research network that seeks to leverage the power of large amounts of data, including from EHR and information reported by patients to help draw information from real-world clinical settings to conduct critical CER and other types of studies more quickly and cost-effectively.

3.1.6        Secretary’s Advisory Committee on Human Research Protections (SACHRP)

The Secretary’s Advisory Committee on Human Research Protections (SACHRP) provides expert advice and recommendations to the Secretary on issues and topics pertaining to the protection of human research subjects.[47] SACHRP recently provided recommendations regarding Human Subjects Research Implications of “Big Data” Studies.[48] Some of these recommendations called on the Office for Human Research Protections (OHRP) to provide guidance on: consent waiver standards for research, proposed changes to rules to account for an exemption category for research involving big data, and asked OCR to clarify the extent to which HIPAA applies to big data research.[49]

3.2        Scope of the Privacy and Security Workgroup’s Recommendations

Given the breadth of big data as a topic, the PSWG narrowed the scope of its discussions and recommendations to privacy and security concerns and potentially harmful uses of big data in healthcare. The PSWG also focused on prevailing legal frameworks and potential gaps in privacy and security protections, as well as the degree to which existing laws facilitate an environment that enables data to be “leveraged for good” while still protecting individual’s privacy interests. 

The PSWG identified several issues that were out of scope. These included matters related to data quality, data standards, and the non-representativeness of data (e.g., data that does not accurately reflect the composition of the population, which has the potential to ignore under-served communities). Where possible, the PSWG sought to avoid discussing issues that have been addressed by other projects and initiatives, as summarized above, though some topics and themes were complementary.

4         Public Testimony

This section provides a summary of testimony from the Workgroup’s public hearings and deliberations during the Workgroup’s regular public meetings.[50] The hearings and meetings surfaced several key themes, which provide the following structure for this section: (1) concerns about tools commonly used to protect privacy; (2) preventing, limiting, and redressing privacy harms; and (3) the complex legal landscape, including issues of under- and over-regulation.

4.1        Concerns About Tools Commonly Used to Protect Privacy

Big data is blurring the lines between traditional health data (e.g., clinical or billing data) and other information (e.g., user-generated data about diet, steps, workouts, sleep, and mood).[51]  Consequently, defining health data is becoming more difficult because almost all data has potential to, in some way, become health-related data, depending on how it is used.[52] Big data analytical methods are putting pressure on traditional privacy principles (i.e., FIPPs), such as confidentiality, security, individual participation through meaningful patient consent, transparency and data minimization (including collection, use, and purpose limitation). Nevertheless, presenters defended the resiliency of the FIPPs, which continue to provide “a strong, standardized structure that promotes responsible and efficient use of data while allowing for innovations in analytics and application.”[53]

4.1.1        De-identification

De-identification refers to the data anonymization methods that obfuscate health information to keep it confidential. HIPAA provides two methods of de-identification – safe harbor and expert determination – that are widely used to facilitate health research and are considered a powerful privacy protective tool.[54] Nevertheless, several presenters noted important weaknesses in the current HIPAA de-identification practices and offered specific solutions.

While panelists directly involved with research and big data analytics were all using de-identified data and did not require fully identifiable data for their specific research purposes, some panelists cautioned that HIPAA’s safe harbor de-identification method may be too extensive and resulted in data that did not satisfy the needs of some researchers.[55] Conversely, other panelists cautioned that current de-identification methods may not be extensive enough to adequately protect privacy, since there is “accumulating evidence that the safe harbor method has some important weaknesses” that would allow a higher risk of re-identification.[56] Because Safe Harbor is a technique that is being copied globally, it makes sense with respect to Big Data analytics to reevaluate when using such a simple standard can result in both beneficial use of Big Data and is also protective enough of privacy.[57]

With respect to the expert determination method, HIPAA does not establish specific standards or require the use, or the vetting of, specific methodologies.[58]  Standards are needed to raise the bar in de-identification.[59] Creating expert determination standards serves multiple purposes, which include (1) ensuring that methods are known, published, and scrutinized, and (2) creating a professional community of practice based on certification that could facilitate the development of more sophisticated methods and practices.[60]

De-identification does not eliminate the risk of re-identification,[61] but if it is done well, the risk of re-identification can be very low.[62] De-identification can be enhanced by other controls, including accounting for threat models, contractual controls (e.g., prohibiting the joining of data sets), privacy and security controls at recipient sites, and good governance mechanisms, such as ethics committees or data access committees, which determine acceptable uses of data.[63]

Finally, several presenters suggested the need for legal controls that prohibit and provide penalties for inappropriate re-identification, especially since de-identification cannot eliminate all risk of re-identification.[64] They advanced a position that Congress should focus on addressing accountability for re-identification or negligent anonymization/de-identification[65] in lieu of requiring broader use of de-identified data or mandating heightened standards for de-identification that could serve to interfere with beneficial research purposes.

4.1.2        Patient consent

A patient’s meaningful consent to authorize the use and sharing of personal health information is a valuable tool for protecting privacy and individual autonomy.[66] In a big data analytics world, it is becoming more difficult to obtain meaningful consent because secondary uses of data may not be contemplated or anticipated, as the data itself can generate the hypotheses.[67] The Workgroup approached the consent issue by assessing how it works both within the HIPAA environment and outside the HIPAA environment, with a particular focus on consent for research.

Individual control of data through informed consent has both advantages and disadvantages.[68] Consent empowers patients to control their information and take a more active role in their health, but consent also enables patients to withhold information, which can make data sets less valuable.[69]

Presenters also disagreed over the degree to which people want control over their health information.[70] Some highlighted that it may not even be possible to notify every person about how their data are used,[71] and the complexity of privacy policies (which few people read) often makes consent meaningless.[72] Others stated that privacy is too important to expect individuals to shoulder the burden of policing themselves.[73] But others argued that new technologies can enable us to economically ask people for their consent, and more thought should be given to a person’s ability to opt-out or opt-in to research.[74]

4.1.3        Data security

Security, including data breaches, was highlighted as one of the most pressing issues for big data in healthcare.[75] To build trust in a robust health big data ecosystem, one panelist recommended the “development and implementation comprehensive adaptable privacy and security policy and technology frameworks” that apply to health data, regardless of whether a HIPAA-covered hospital or a non-HIPAA-covered health app manufacturer collects the information.[76] In any environment, data must be protected at the same time it is made available, and the methods of protection should not interfere with the responsible use of data.[77]

Identifying the need for a larger discussion on data security, the PSWG held an additional public hearing on February 9, 2015.[78] The main points from this hearing are as follows:

• First, risk can never be eliminated, and the security threat landscape is incredibly complex and varies over time.[79]

• Second, the best security approach is a holistic approach to security that looks at operations end-to-end and applies a risk-based framework.[80]  HIPAA defines high-level objectives, but it falls short of establishing a risk-based framework that defines specific, contextual, and evolving controls is needed.[81] HITRUST was mentioned as an example of a common security framework that the healthcare community may consider applying.[82]

• Third, Moving to a common framework will be difficult for many organizations. HIPAA compliance varies significantly across hospitals based on their levels of resources.[83] The resources go beyond IT sophistication to hospital infrastructure, and staffing.[84] Consequently, any regulatory incentive or effort must acknowledge that compliance varies across hospitals and providers.[85]

• Fourth, distributed data networks may augment good security practices by minimizing the need to aggregate and centralize data. For example, the Food and Drug Administration (FDA), the National Institutes of Health (NIH), and the PCORI have created or funded distributed data networks to support some of their needs.[86]

• Finally, organizations can adopt privacy architectures, such as “safe havens” or data enclaves, and organizations can embrace distributed computation, which avoids risks associated with pooling data by performing analysis at the data sources.[87]

4.1.4        Transparency

One participant noted that “[t]he foundational principle of openness and transparency is perhaps the most important component of the FIPPs for all entities using big data.”[88] Certainly, the need for transparency in the application of big data analytics in healthcare was echoed throughout the hearing testimony.

People are not fully aware of how their data are used and for what purpose; this extends to a common assumption that HIPAA covers all medical data when in reality it does not.[89] This lack of understanding extends to the use of search algorithms that contextualize information and enable machines to make decisions for and about people.[90] Besides raising concerns about the unanticipated or unexpected uses of data, poor transparency engenders a lack of trust, and trust is essential for future learning and the beneficial application of big data in healthcare.

In particular, notices often fail to foster transparency (and trust) because they are overly broad and vague.[91] Nevertheless, entities should provide notice whenever individuals may think the usage or collection of data is unexpected or objectionable, and notice should be provided at a relevant time (e.g., contextual (just-in-time) notice).[92]

As to increasing transparency for algorithms, it was acknowledged that because sophisticated algorithms are proprietary intellectual property, it is very difficult to determine their inputs and outputs, and how they make decisions about people.[93] One participant suggested that transparency and disclosure should extend to “what [data] informs the algorithms, how … cohorts are defined, and how individuals are separated,” because if these are not known, trust cannot be achieved.[94]

Finally, potential parallels were drawn to the transparency elements of the Fair Credit Reporting Act (FCRA). The FCRA not only frames acceptable uses of data, it also provides consumers with transparency if data has an adverse impact on them. Even so, some cautioned that FCRA is tailored to particular circumstances and it may not scale well in the health arena.[95]

4.1.5        Collection, use, and purpose limitation

Big data analytics and research begins with researchers examining trends and patterns in large data sets without first formulating a hypothesis.[96] The need to collect as much data as possible before identifying a research purpose conflicts with longstanding FIPPs principles around limiting the use of personal information.

Regardless of how big data analytics is performed, hearing participants stated: “as a general principle, the minimum necessary amount of identifiable data should be used to answer a question.”[97] Others suggested that organization should often ask themselves why they need the information they have collected, and they should avoid retaining data for some future, unnamed use simply because they think it might be valuable.[98]

Concerning purpose limitation, participants struggled to clearly define acceptable and unacceptable uses of health information in big data analytics,[99] save the obvious prohibition on using health data for discriminatory purposes (see more on harms, below).

In summary, the PSWG heard many concerns regarding the tools commonly used to protect privacy. The PSWG also heard several suggestions and recommendations. In particular, the PSWG heard following recommendations regarding the appropriate use of electronic health data:

• As a general principle, the minimum necessary amount of identifiable data should be used to answer a question;
• There should be good processes for approval and oversight; and
• The uses of data should be stated publicly and the number of individuals who have access to identifiable data should be minimized.[100]

4.2        Preventing, limiting, and redressing privacy harms

Defining privacy harm is very difficult, and panelists were not able to reach a consensus regarding a clear definition of harm.[101] Defining an acceptable use of data is subjective because acceptable use is culturally specific and will change over time.[102]

Moreover, data can be used for either positive or negative effect.[103] For example, understanding demographic granularity can help address health disparities, but it can also increase the risk of harmful profiling.[104]

To arrive at a consensus around harms or non-permitted abuses, one participant suggested an effort be made to identify laws that may already prohibit certain activities, identify gaps, and catalogue federal laws with non-discrimination provisions.[105] Additionally, the FTC and other agencies may have a role to play. The FTC can help can help identify boundaries through the cases it pursues under its ability to combat unfairness and deception.[106]

4.3        The complex legal landscape

Complexity in the legal landscape, both within the HIPAA environment and outside of it, was a core theme during each public hearing and meeting. Testimony confirmed that there continues to be a lack of clarity and understanding of privacy and security laws and rules.[107] Additionally, the legal landscape for protecting health information is uneven. For example, legal coverage is extensive and even contradictory in some areas (e.g., research under HIPAA and the Common Rule), while coverage is significantly lacking in other areas.[108] Moreover, State law is confusing, often outdated and seldom enforced.[109]

HIPAA applies only to covered entities (health plans, health care clearinghouses, health care providers) and business associates acting directly on their behalf. The bulk of health-related data being generated today falls outside of HIPAA regulation.[110] Regardless of which laws apply – HIPAA for healthcare entities or the FTC for much of the private sector – both individuals and organizations continue to struggle to gain access to health information so that it can be used and studied meaningfully.

This section summarizes the testimony concerning the legal landscape including concerns about access to information, under-regulation, and over-regulation.

4.3.1        Access to Information

Participants voiced a need for greater data liquidity.[111] On a personal level, patients want to access and combine their data in meaningful ways, but they face significant impediments[112] and privacy and security issues are frequently seen as one of the biggest barriers.[113]

Public access to data is also very important. Health data can be viewed as a social asset; there is a social responsibility to give back to the community by making data available to researchers and to patient groups.[114]

Within HIPAA, providers may access patient information without their consent for treatment, payment, or healthcare operations purposes.[115] This concept of normal, routine uses was cited as one of HIPAA’s greatest strengths.[116] Participants also cited some progress regarding data liquidity. The recently finalized HIPAA Omnibus Rule introduced important changes, including (1) authorization to permit future research and (2) the ability to permit compound authorizations for research purposes. [117] Nevertheless, testimony generally indicated that access to data still needs to be improved for big data to benefit personal and public health.

4.3.2        Under-Regulation

For the purposes of the PSWG’s investigation, “under-regulation” refers to the gaps in law in which health-related data is not afforded the same privacy and security protections that exist under a regime like HIPAA. Although the FTC has taken the lead to protect privacy and security in the commercial space, the FTC usually only acts if an organization violates its own privacy and security policies. To date, the FTC has refrained from pursuing cases involving “unfair” privacy practices, which can be difficult to define. Moreover, private industry is not subject to privacy and security rules and policies set forth for government entities (e.g., requirements under the E-Government Act of 2002 (which includes the Federal Information Security Management Act (FISMA).[DM4] 

A rapidly growing amount of health-related information is not regulated by the HIPAA.[118] These include information in mobile applications, websites, and personal health records. Additionally, healthcare entities that are covered by HIPAA are using non-health data for healthcare purposes.[119] [DM5] 

Although the FTC has recently become very active on the general enforcement of data security standards,[120] it has been less active in the privacy sphere, particularly in healthcare. One reason is that while deception is relatively straightforward to litigate, it is not clear what may be considered a legally enforceable “unfair” privacy practice.[121]

4.3.3        Over-Regulation

The PSWG used the term “over-regulation” to refer to the multiplicity of laws addressing certain holders of health and health-related data and the extent to which those laws help leverage beneficial uses of health big data. PSWG discussions focused mainly on research, which is regulated by both HIPAA and the Common Rule.

One panelist stated that the HIPAA Privacy Rule does not protect privacy as well as it should, and in fact, HIPAA impedes the use of data for important health research.[122] Others cited HIPAA’s strengths, noting that it establishes common rules that apply uniformly; which serves to improve access to information.[123] Ideally, entities should not be penalized and disincentives should not be created when organizations contribute to the general knowledge base for healthcare.[124]

For example, one presenter noted an apparent “paradox” in HIPAA. While the definition of “research” is the same under both HIPAA and Common Rule,[125] different rules about patient consent are applied depending on whether the research results are shared for “generalizable knowledge” or are used for quality improvement purposes and kept within an organization (i.e., covered under “healthcare operations”).  Stated another way, “two studies that use data for quality improvement purposes using the same data points done to address the same question … by the same institution will be treated as operations if the results are not intended to contribute to generalizable knowledge, … but treated as research [requiring consent] if you intend to share the results with others so that learning may occur.”[126]

Finally, the PSWG’s predecessor, the Privacy and Security Tiger Team, previously provided recommendations[127] approved by the HITPC on the topic of modernizing the Common Rule and creating more consistency with in HIPAA.[128] The Tiger Team recommended that uses of EHR data to evaluate the safety, quality, and effectiveness of prevention and treatment activities should not require consent or IRB approval. Consequently, such investigations should not be labeled as research – even if the results are used for generalizable knowledge – because doing so would pose an obstacle to learning.[129]

4.4        General Suggestions

In summary, the PSWG received many hours of helpful testimony over the course of several days of public hearings and meetings. In assessing the concerns raised about protecting privacy and security in health big data analytics, presenters offered several general suggestions. Some of these suggestions follow:

• It is important to allow experimentation for technology and methods to improve. It is also important that organizations, that are initially slow to move, learn how best to take advantage of big data opportunities and realize potential benefits.
• The best approach for protecting privacy is to start with the FIPPs. The FIPPs are flexible yet structured, and can apply to the traditional healthcare sector as well as the emerging consumer applications market.[130]
• Finally, the PSWG might consider three options to address legal gaps:
  • Develop a specific set of principles applicable only to “non-HIPAA health care data” (with an obvious ambiguity about what “health care data” would mean);
  • Develop a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all health care data; or
  • Develop a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules.[131]

5         Detailed Problem Statements 

As electronic health IT adoption and use has advanced, large data sets of health information have been formed within electronic health records, health applications and personal health records.  Data mining and the application of big data analytics across these data sets offer promising opportunities for learning and for improving patient outcomes, but they also uncover additional challenges to maintaining privacy and security.  The diversity of health data, the structure of the healthcare environment, and policy gaps further complicate the beneficial impact of big data.  Analysis and discussions by the PSWG yielded high priority areas for discussion and solution development with a focus on the big data analytics.  This section outlines the key problem areas for focus and provides greater detail about the specific problem that needs to be addressed[DM6] .

5.1        Potential for Harmful or Discriminatory Practices

During our hearings, among the most oft cited concerns about health “big data” is the potential for health data to be collected and used in a way that harms individuals or groups.  Discrimination is just one example of a harm that can result from certain analytic uses of health big data.  U.S. laws prohibit some discriminatory uses of health data – for example, use of health data to make decisions about health insurance coverage – but other discriminatory uses of health data are either not prohibited or are expressly permitted (for example, use of health information in life and disability insurance decisions). 

Beyond discrimination, some see other uses of health data as being “harmful” (for example, marketing and other “commercial” uses).  However, there is a lack of consensus on which uses are “harmful,” particularly with respect to health big data analytics, as well as an inability to predict which future uses could be harmful and which beneficial, which creates challenges to enacting policies to prohibit or place additional constraints on such uses.  During our hearings, some presenters expressed concern about the use of algorithms to make decisions about people or communities, and the lack of “transparency” about both the data used to inform these algorithms and precisely how the algorithms are used.  Unfair practices resulting from the use of algorithms are more insidious when further obscured by a lack of transparency since the harm itself may be difficult if not impossible to detect.  Thus, it is only with an understanding of the process used to arrive at a decision that can reveal the existence of harmful bias or practices.

Failing to pay attention to these issues undermines trust in health big data analytics, which could create obstacles to leveraging health big data to achieve gains in health and well-being. 

5.2        Two different domains of regulation (HIPAA and “Other”) Yields contradictions and unpredictability

HIPAA covers many sources of health big data – but not all.  Consequently, we lack comprehensive, FIPPS-based protections for health data analytics (and analytics leveraging data that on its face is not “health” but is used for health purposes or to infer a health status) in many domains, which is confusing for consumers and imperils trust in health big data.  In addition, even when health data analytics is regulated, those rules may not have been written in a way that maximizes our ability to learn from health data while still protecting it from risks to privacy, confidentiality and security.  Three concerns in particular were surfaced by the hearings:

• Access – Individuals often lack the ability to access, use, and share their own data, including for research and learning health system (LHS) activities.  Even with respect to HIPAA covered entities, which are required to provide this right to individuals, the right is often difficult for individuals to exercise. 

• Transparency – There is a lack of transparency regarding how holders of personal information use that information and how information is exchanged, especially in the Big Data ecosystem outside of traditional healthcare. This lack of transparency erodes trust and exacerbates the fear of harm or discrimination.

• Research – when it is regulated, the rules do not necessarily regulate based on privacy risk and, as a result, create higher hurdles for uses of data for “research” purposes that intend to contribute to “generalizable knowledge” (i.e., the greater good). 

5.3        Lack of Confidence in De-identification Methodologies and the Risk of Re-identification

De-identification is a useful tool for protecting privacy in big data research – but we over-rely on it as a matter of policy and do not have ways to hold people accountable for unauthorized re-identification of data or negligently failing to protect data that is vulnerable to re-identification.  In addition, de-identification does not address the potential for harmful uses of health big data. 

HIPAA has regulatory requirements for de-identification – but there are no such requirements for de-identification of health data outside of HIPAA.  HIPAA standards for de-identification are often voluntarily used by entities not subject to HIPAA, but it is not required.

Concerns have been raised about both methodologies currently used for de-identification under HIPAA – safe harbor and expert determination.  The former may not be sufficiently protective in all contexts (particularly given increases in publicly available data); the expert methodology is required to take “context” into account but there are no objective criteria governing it.  

There is increased risk of re-identification when data sets are combined (the mosaic effect). A mosaic effect occurs when disparate threads can be pieced together in a way that yields information that is supposed to be private.[132]  

In addition, de-identification – even under HIPAA – has never meant zero risk, but de-identified data is not subject to regulation (so the residual risk that remains is unregulated).  We do not have consistent mechanisms for punishing people/entities who re-identify or who negligently leave datasets vulnerable to easy re-identification.

Conversely, de-identification is also not the panacea for enabling valuable uses of data.   Emphasizing (or favoring, through reduced regulatory requirements) data de-identified pursuant to HIPAA as the enabling mechanism for data use often significantly reduces the potential for valuable uses of data even where the risk associated with the use of more identifiable data is very low.  In addition, de-identification using the expert methodology, which is generally believed to be both more effective at reducing re-identification risk (because it accounts for context) and more valuable for researchers (because it doesn’t per se require the removal of certain data fields) is perceived by many research entities to be too expensive and time intensive. 

5.4        Security Threats and Gaps

The lack of an end-to-end secure environment for health data was a problem mentioned by many who presented – but no entity (or federal agency) is responsible for assuring those end-to-end protections.  Instead we have silos of protections.  For example, HIPAA coverage applies in some places, FTC and FDA in others, Gramm-Leach-Bliley in financial contexts; state law may govern; some may be covered by multiple laws, and some may be covered by none.  The lack of baseline security requirements was broadly seen as a significant risk for deteriorating patient and consumer trust in the healthcare system and in entities involved in health big data analytics both inside and outside of healthcare.  The call for such end-to-end security requirements was referenced as one of the highest priorities.

In addition, the laws that do exist do not necessarily provide incentives for adopting privacy-enhancing technical architectures for big data analytics (for example, data enclaves).  (In other words, the privacy rules governing analytic uses of data arguably are the same regardless of the technical architecture used to analyze the data.)

Congress is the only policy-making body equipped to authorize national security and/or cybersecurity requirements that would facilitate the requirement to provide a consistent baseline level of security for health data, regardless of the entity that holds that data, in an end-to-end environment that is desirable for building trust.  But the workgroup did not recommend specifically directing Congress to address this issue at this time.

6         Solutions and Recommendations

6.1        Addressing Harm, Including Discrimination Concerns

To address discriminatory practices: without a national consensus on what constitutes harm with regard to health big data analytics, the Workgroup encourages ONC and other federal stakeholders to conduct more public inquiry and pursue or promote initiatives or projects that could yield greater understanding of the scope of the problem and the potential for harm – both harm to individuals and harm to communities or subpopulations.[133]  Federal stakeholders should continue to focus on identifying gaps in legal protections against what are likely to be an evolving set of harms from big data analytics.

Additionally, policymakers should consider adopting measures (for example, spending conditions, regulations, and guidance) that could increase transparency about actual health data uses.  Greater education and knowledge about actual health data uses could help spur greater public dialogue about which uses are harmful, and as a result advance a national consensus around harms and the best ways to prevent or hold entities accountable for them.

With respect to addressing distrust in big data algorithms, the workgroup expressed a desire to have greater transparency about algorithms – for example, what data informs them, how the data are collected, how those data are weighted or used in the algorithm, and whether (and if so, how) the algorithm is evaluated with respect to the accuracy and fairness of its outcome.  At the same time, the workgroup recognizes that many algorithms are considered to be proprietary and frequently are machine-generated, so there is less than complete understanding of the inputs and the processes even among those using the algorithms.  Additionally, the workgroup recognized that detailing all of the data inputs for a given algorithm, may, in many cases, be a near impossible task given the ephemeral nature of the data input and the volume of data utilized.  Nevertheless, the workgroup recommends policymakers explore how to increase the transparency around the use of algorithms, perhaps with an approach similar to that used in the Fair Credit Reporting Act (FCRA).  The FCRA is a federal law that regulates consumer reporting agencies (CRAs) and empowers people by providing transparency about the use of consumer credit information where the credit information is used in algorithms to create a credit score. The FCRA offers the following protections:

• A consumer must be told if his/her information has been used to deny them service or opportunity.
• A consumer has the right to know what information is in their credit file
• A consumer has the right to ask for the credit score that has been computed and where it falls on the scale of other credit scores
• A consumer has the right to dispute incomplete or inaccurate information in their credit file
• Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information.
• Consumer reporting agencies may not report outdated negative information and may not use such information in computing credit scores
• Access to and the use of a consumer’s file must be limited.
• A consumer must give consent for reports to be provided to employers.
• A consumer may limit “prescreened” offers of credit and insurance based on information in their credit report.
• A consumer may seek damages from violators.[134]

Any such regulation or best practices governing algorithms should aim to maximize transparency (to the extent possible), validity and fairness.  Although this may be desirable for algorithms used in a range of contexts, it is particularly important where algorithms are used to evaluate and/or make decisions that have an impact on the health of individuals and communities. 

6.2        Address Uneven Policy Environment

The Health IT Policy Committee has issued previous recommendations urging that holders of health data (and personal data being used for health purposes) implement protections based on the Fair Information Practice Principles (FIPPs) to protect the privacy, confidentiality and security of that data.  FIPPs include provisions to enable individuals to make reasonable choices about the collection, use and disclosure of their health information – but the FIPPs do not focus just on consent as the primary mechanism.  FIPPs are principles of responsible data stewardship and obligate data holders to adopt reasonable limits and safeguards regardless of whether an individual’s consent is sought.  HIPAA and other privacy laws are based on FIPPs – but we lack FIPPs-based protections for health data outside of the HIPAA environment.

Congress could address this through legislation, but such protections could be achieved through voluntarily adopted codes of conduct, which can be enforced under Section 5 of the FTC Act by the FTC for entities subject to their jurisdiction.  A number of efforts are under way to develop such codes – those efforts should be encouraged and HHS, FTC and other relevant federal agencies should offer to review and provide suggestions for such efforts in order to more quickly establish dependable “rules of the road” that help build trust in the use of health big data  (Of note:  the Health IT Policy Committee has already asked the Consumer Workgroup to consider an evaluation effort for consumer-facing health data tools like health mobile apps.)[135] Such codes of conduct should emphasize transparency (regarding data collection, transfer and use), individual access, accountability, and use limitations, at a minimum.  They could also reward/promote the use of privacy enhancing architectures for big data analytics, such as data enclaves. A data enclave is a controlled, secure environment in which eligible researchers can perform analyses using restricted data resources.[136]

Policymakers also should evaluate existing rules governing uses of data that could contribute to a learning health system to assure those rules promote the responsible re-use of data to contribute to generalizable knowledge. The Policy Committee had previously recommended treating certain research uses of data conducted under the management and control of a HIPAA covered entity as operations (not requiring consent or IRB review), and we reiterate that recommendation.

Policymakers also should consider modifying rules around research uses of data so that they provide incentives for entities to use more privacy protecting architectures (for example, entities using secure data enclaves for research would not need to undertake as significant a level of de-identification).  

Existing rules giving individuals access rights to health information should, over time, be strengthened to bring them into the digital age, so that individuals can access, download, and transmit their health information (both within HIPAA and as part of any rules or voluntary codes covering the non-HIPAA space) as easily as they can access their financial information, for their own use or in order to facilitate research into diseases that impact them or in any area of learning that they seek to support.  

In the meantime, education of consumers, health care providers, technology vendors and other stakeholders about the limits of legal protections, and about best practices to protect the privacy, confidentiality and security of sensitive health information is critical, particularly given the patchwork of regulation and the lack of comprehensively adopted, robust codes of conduct.  The Health IT Policy Committee recently endorsed recommendations from this Workgroup with respect to providing guidance and educating stakeholders on these topics; we reinforce those recommendations again.[137]

6.3        Protect Health Information by Improving Trust in De-identification Methodologies and Reducing the Risk of Re-identification

We ask OCR to be a more active “steward” of HIPAA de-identification standards and conduct ongoing review of the methodologies to determine robustness and recommend updates to the methodologies and policies. The analysis could be performed by an outside expert, such as NIST, but would be vetted and ultimately endorsed by OCR.[138] 

We further urge OCR to carefully consider the following additional recommendations that came out of the hearing testimony:

• Limit use of safe harbor only to circumstances where data represent a random sample of a population. “The Safe Harbor standard for de-identification is being copied and used by uncovered entities and is actually being used globally, it’s been copied globally as well. So, we need to revisit the value and the risks from using such simple standards for de-identifying data and maybe additional guidance is needed to limit the situations under which such a simple standard…such a simple method should be used.”[139]
• Consider whether de-identification status of a dataset should be required to be re-evaluated when context changes (such as when data set is combined with other data).
• Develop or encourage the development of programs to objectively evaluate statistical methodologies; consider granting safe harbor status to methodologies proven to be effective in particular contexts.

Consideration should be given to risk-based de-identification requirements and re-identification risk when data is held by entities or in environments where re-identification risk remains low (for example, data enclaves, data havens or data repositories voluntarily adopting HIPAA security rules).

Establishing accountability for re-identification or negligent de-identification also was of interest to the Workgroup.  This is another issue that Congress could address – however, the workgroup did not believe specifically asking Congress to address this at this time was the advisable.

6.4        Supporting Secure Use of Data for Learning  

The PSWG seeks a widely-accepted security framework that assures accountability for security at all endpoints; It is yet another issue Congress could address – but consistent with prior recommendations, the workgroup urges the development of voluntary codes of conduct that also address robust security provisions. The FTC has previously recommended the enactment of strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools.[140]  In addition, education of stakeholders about cybersecurity risks and recommended precautions is critical, and both the public and private sectors have a role to play in this effort. 

Federal policymakers, through regulations, spending conditions, and guidance, should provide incentives for entities to use privacy-enhancing technologies and privacy-protecting technical architectures, such as secure data enclaves, secure distributed data systems, and distributed computation.

The workgroup also reiterates recommendations made by the Tiger Team and endorsed by the Health IT Policy Committee in 2011[141] with respect to the HIPAA Security Rule.  Specifically:

• Security policies for entities collecting, storing and sharing electronic health information needs to be responsive to innovation and changes in the marketplace.
• It also needs to be flexible and scalable to reflect differences in size and resources; at the same time a solid baseline of security policies needs to be established and consistently implemented across all entities.
• Providers will continue to need education and specific guidance on how to comply with the security rule.

HHS should have a consistent and dynamic process for updating security policies and the rapid dissemination of new rules and guidance to all affected.  As part of this process, HHS should look to other security frameworks to assure the Security Rule keeps up with the latest threats and innovations in security protections. NIST had previously issued guidance on HIPAA security compliance that many entities have found helpful; NIST should continue to update this guidance and keep it current and relevant for a changing risk environment.

7         Bibliography

8         Appendix A – Health Big Data Public Hearing Topics and Speakers

8.1        Health Big Data Public Hearings, December 5 and 8, 2014

8.2        Data Security in Health Big Data Hearing, February 9, 2014

9         Appendix B – Supporting Testimony

[1] HITPC Transmittal Letter, September 1, 2010, p. 4, http://www.healthit.gov/sites/faca/files/hitpc_transmittal_p_s_tt_9_1_10_0.pdf.

[2] See 45 CFR § 160.103.

[3] Public Hearing Responses of Richard Platt, p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Background_Richard_Platt_Reply_to_Questions_for_Panelists_2014-12-05.pdf [hereinafter “Richard Platt Responses”].

[4] Richard Platt Responses, p. 3.

[5] Richard Platt Responses, p. 3.

[6] Toolkit for Communities Using Health Data: How to collect, use, protect, and share data responsibly, NCVHS, Draft 8: November 6, 2014, http://www.healthit.gov/facas/sites/faca/files/PSWG_Presentation_Leslie_Francis_2014-12-08.pdf/ 

[7] Richard Platt Responses, p.3.

[8] Richard Platt Responses, p.3.

[9] Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap, Draft Version 1.0, p. 8, http://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf. See also, Testimony of Richard Platt, p. 1 (“The term “Learning Health System” connotes a commitment to improve care, both by learning from all patients’ experiences and by implementing the results of the learning activities.”).

[10] Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap, Draft Version 1.0, p. 35, http://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf.

[11] Stephen J. Downs, PSWG Transcript 2014-12-05, p. 7-9 [hereinafter “December 5”].

[12] Robert Gellman, December 5, p. 51.

[13] Stephen Downs, December 5, p. 20; Mark Savage, December 5, p. 30; David McCallie, Jr., PSWG Transcript 2014-12-08, p. 21 [hereinafter “December 8”].

[14] Michelle De Mooy, December 5, p. 44.

[15] Khaled El Emam, December 5, p. 49-50.

[16] Michelle De Mooy, December 5, p. 30.

[17] Andrew Rosenthal, Anthem is warning consumers about its huge data breach. Here’s a translation, L.A. Times, March 5, 2015, available at: http://www.latimes.com/business/hiltzik/la-fi-mh-anthem-is-warning-consumers-20150306-column.html#page=1.

[18] Michelle De Mooy, December 5, p. 34.

[19] Deven McGraw, HITPC Transcript, March 10, 2015, p. 19.

[20] For information on covered entities and business associates, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/; for definitions, see 45 CFR §160.103.

[21] There is no definitive version of the FIPPs, which are recognized worldwide as the foundational principles for data privacy. Appropriate sources include the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm – part2, the Markle Connecting for Health Common Framework, http://www.markle.org/sites/default/files/CF-Consumers-Full.pdf, the White House’s 2012 Consumer Bill of Rights, https://www.whitehouse.gov/sites/default/files/privacy-final.pdf, and the NIST National Strategy for Trusted Identities in Cyberspace, http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

[22] Stanley Crosley, December 8, p. 14.

[23] Big Data: Seizing Opportunities, Preserving Values, May 2014, https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf [hereinafter “White House Big Data Report”].

[24] White House Big Data Report, p. 54, (stating that “re-identification is becoming more powerful than de-identification,” and “focusing on controlling the collection and retention of personal data . . . may no longer be sufficient to protect personal privacy.”).

[25] White House Big Data Report, p. 62.

[26] White House Big Data Report, p. 23.

[27] FACT SHEET: Announcing New U.S. Open Government Commitments on the Third Anniversary of the Open Government Partnership, https://www.whitehouse.gov/the-press-office/2014/09/24/fact-sheet-announcing-new-us-open-government-commitments-third-anniversa. (hereinafter Open Government Partnership).

[28] Open Government Partnership.

[29] Appendix A, Health Big Data Public Hearing Topics and Speakers.

[30] Internet of things: Privacy & Security in a Connected World, FTC Staff Report, January 2015, p. i, https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[31] Id.

[32] About the Precision Medicine Initiative, National Institutes of Health, available at: http://www.nih.gov/precisionmedicine/.

[33] FACT SHEET: President Obama’s Precision Medicine Initiative, https://www.whitehouse.gov/the-press-office/2015/01/30/fact-sheet-president-obama-s-precision-medicine-initiative.

[34] 21^st Century Cures Discussion Document, http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/114/Analysis/Cures/20150127-Cures-Discussion-Document-One-Pager.pdf

[35] 21^st Century Cures Discussion Document.

[36] Energy and Commerce Cures, http://energycommerce.house.gov/cures

[37] Id.

[38] Federal Health IT Strategic Plan: 2015-2020, http://www.healthit.gov/sites/default/files/federal-healthIT-strategic-plan-2014.pdf [hereinafter “Federal Health IT Strategic Plan 2015-2020”].

[39] Federal Health IT Strategic Plan: 2015-2020, p. 3.

[40] Federal Health IT Strategic Plan: 2015-2020, p. 26.

[41] See Connecting Health and Care for the National: A Shared Nationwide Interoperability Roadmap, DRAFT Version 1.0, available at: http://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf.

[42] See Federal Health IT Strategic Plan: 2015-2020, p. 5.

[43] Goal 3: strengthen health care delivery; goal 4: advance the heath and well being of individuals and communities; and goal 5: advance research, scientific knowledge, and innovation. See Federal Health IT Strategic Plan: 2015-2020, p. 5.

[44] Connecting Health and Care for the National: A Shared Nationwide Interoperability Roadmap, DRAFT Version 1.0, p, 35, http://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf.

[45] Connecting Health and Care for the National: A Shared Nationwide Interoperability Roadmap, DRAFT Version 1.0, p, 35.

[46] Patient-Centered Outcomes Research Institute, http://www.pcori.org/about-us.

[47] http://www.hhs.gov/ohrp/sachrp/

[48] Human Subjects Research Implications of “Big Data” Studies, US Department of Health and Human Services, http://www.hhs.gov/ohrp/sachrp/commsec/hsrimplicationsofbig_datastudies.html.

[49] Id.

[50] Information about the hearing agendas and testifiers is provided in Appendix A.

[51] Stephen J. Downs, December 5, p. 8.

[52] Stephen Downs, December 5, p. 20; Mark Savage, December 5, p. 30; D. McCallie, JR., December 8, p. 21.

[53] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing (December 5, 2013), p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Testimony_Michelle_DeMooy_CDT_2014-12-05_0.pdf.

[54] Khaled El Emam, December 5, p. 48.

[55] Melissa Bianchi, December 8, p. 6

[56] Khaled El Emam, December 5, p. 49.

[57] Khaled El Eman, December 5, p. 49

[58] Khaled El Emam, December 5, p. 49.

[59] Khaled El Emam, December 5, p. 49.

[60] Khaled El Emam, December 5, p. 49.

[61] Michelle De Mooy, December 5, p. 30.

[62] Khaled El Emam, December 5, p. 48.

[63] Khaled El Emam, December 5, p. 51-52.

[64] Michelle De Mooy, December 5, p. 29; Mark Savage, December 5, p. 38, 41; Fred Cate, December 5, p. 63.

[65] Fred Cate, December 5, p. 63.

[66] Stanley Crosley, PSWG Transcript 2015-01-26, p. 17 [hereinafter “January 26”].

[67] Stanley Crosley, January 26, p17.

[68] Richard Platt, December 5, p. 26.

[69] Mark Savage, December 5, p. 32.

[70] Fred Cate, December 5, p. 64; Robert Gellman, December 5, p. 64.

[71] Richard Platt, December 5, p. 10 (Additionally, offering a universal opt-out may be undesirable because it would introduce bias in research results, and thereby create unreliable answers from the data, which is a data quality concern).

[72] Fred Cate, December 5, p. 65.

[73] Fred Cate, December 5, p. 53/2513-14 (Throughout Workgroup discussions, people commented that consent places a significant burden for privacy on the individual; see Stanley Crosley, January 26, at 17; see also Deven McGraw, February 9, at 26).

[74] Robert Gellman, December 5, p. 65.

[75] Michelle De Mooy, December 5, p. 28.

[76] Michelle De Mooy, December 5, p. 28.

[77] Fred Cate, December 5, p. 53.

[78] See generally, http://www.healthit.gov/facas/calendar/2015/02/09/policy-privacy-security-workgroup.

[79] Transcript of PSWG Meeting (February 9, 2015), Andrei Stoica, p. 6 [hereinafter “February 9”].

[80] Andrei Stoica, February 9, p. 6.

[81]Andrei Stoica, February 9, p. 6.

[82] Andrei Stoica, February 9, p. 14.

[83] Denise Anthony, February 9, p. 10.

[84] Denise Anthony, February 9, p. 16.

[85] Denise Anthony, February 9, p. 10.

[86] Written testimony of Richard Platt, p. 4, http://www.healthit.gov/facas/sites/faca/files/PSWG_Background_Richard_Platt_Reply_to_Questions_for_Panelists_2014-12-05.pdf.

[87] Khaled El Emam, December 5, p. 51-52.

[88] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing (December 5, 2013), p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Testimony_Michelle_DeMooy_CDT_2014-12-05_0.pdf.

[89] Michelle De Mooy, December 5, p. 35.

[90] Michelle De Mooy, December 5, p. 34/1593, 1597-98

[91] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing (December 5, 2013), p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Testimony_Michelle_DeMooy_CDT_2014-12-05_0.pdf

[92] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing (December 5, 2013), p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Testimony_Michelle_DeMooy_CDT_2014-12-05_0.pdf.

[93] Michelle De Mooy, December 5, p. 29.

[94] Anna McCollister-Slipp, December 5, p. 35.

[95] Kirk Nahra, December 8, p. 16, 17.

[96] Ella Mihov, December 8, p. 30/138401387; 1413-1414

[97] Richard Platt, December 5, p. 10.

[98] Michelle De Mooy, December 5, p. 42.

[99] Khaled El Emam, December 5, p. 49.

[100] Richard Platt, December 5, p. 10h.

[101] Deven McGraw, December 8, p. 19/871

[102] Khaled El Emam, December 5, p. 49/2235-36

[103] Mark Savage, December 5, p. 30.

[104] Mark Savage, December 5, p. 30/1416-17

[105] Melissa Bianchi, December 8, p. 21.

[106] Michelle De Mooy, December 5, p. 46.

[107] See Anna McCollister-Slipp, December 5, p. 33; Michelle De Mooy, December 5, p. 37 (… people think … HIPAA really covers all medical data and have … no idea or understanding that it doesn’t in a lot of circumstances”); Michelle De Mooy, December 5, p. 37 (outreach is needed to app developers to ensure they understand their ethical responsibilities).

[108] Deven McGraw, HITPC Transcript, March 10, 2015, p. 19.

[109] Kirk Nahra, Slide Presentation, p. 6, available at: http://www.healthit.gov/facas/sites/faca/files/PSWG_Background_Kirk_Nahra_Health_Care_Privacy_Paradigm_2014-12-08.pdf

[110] Kirk Nahra, December 8, p. 11 (noting the explosion of data created by mobile applications, websites, personal health records, and wellness programs that are not subject to HIPAA).

[111] Anna McCollister-Slipp, December 5, p. 32.

[112] Anna McCollister-Slipp, December 5, p. 32.

[113] Anna McCollister-Slipp, December 5, p. 32.

[114] Anna McCollister-Slipp, December 5, p. 32.

[115] Melissa Bianchi, December 8, p. 5.

[116] Kirk Nahra, December 8, p. 19.

[117] Melissa Bianchi, December 8, p. 6.

[118] Kirk Nahra, December 8, p. 11.

[119] Kirk Nahra, December 8, p. 11.

[120] Kirk Nahra, December 8, p. 11.

[121] Kirk Nahra, December 8, p. 11, 12 (see also the discussion regarding the inability to define privacy harm, supra).

[122] Fred Cate, December 5, p. 53.

[123] Robert Gellman, December 5, p. 51.

[124] Deven McGraw, December 8, p. 9.

[125] Melissa Bianchi, December 8, p. 5; see also 45 CFR 164.501 (defining research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”); see also http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/.

[126] Deven McGraw, December 8, p. 8, 9.

[127] HITPC Transmittal Letter, October 18, 2011, available at: http://www.healthit.gov/sites/default/files/pdf/HITPC_Privacy_and_Security_Transmittal_Letter_10_18_11.pdf [hereinafter “October 18 HITPC Recommendations”]

[128] Deven McGraw, December 8, p. 8; see October 18 HITPC Recommendations.

[129]October 18 HITPC Recommendations.

[130] Michelle De Mooy, December 5, p. 28; Deven McGraw, December 8, p. 19.

[131] Kirk Nahra, Slide Presentation, p. 7, available at: http://www.healthit.gov/facas/sites/faca/files/PSWG_Background_Kirk_Nahra_Health_Care_Privacy_Paradigm_2014-12-08.pdf

[132] The Business of Federal Technology. http://fcw.com/articles/2014/05/13/fose-mosaic.aspx

[133] Harms identified in RWJF Report

[134] A Summary of Your Rights Under the Fair Credit Reporting Act, https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf.

[135] May 22, 2015 HITPC meeting. http://www.healthit.gov/facas/sites/faca/files/HITPC_PSWG_Meeting_Slides_2015-05-22_Final.pdf

[136] National Institute of Health. NIH Data Sharing Policy and Implementation Guidance http://grants.nih.gov/grants/policy/data_sharing/data_sharing_guidance.htm#enclave

[137] 8/16/2011 HITPC Transmittal Letter. http://www.healthit.gov/sites/faca/files/HITPC_PSTT_Transmit_8162011.pdf and May 22, 2015 HITPC meeting. http://www.healthit.gov/facas/sites/faca/files/HITPC_PSWG_Meeting_Slides_2015-05-22_Final.pdf

[138] Reference NIST evaluation of efficacy of de-identification effort.

[139] Khaled El Emam, December 5, p. 51

[140] See FTC Internet of Things Report, January 2015, p. 49.

[141]  8/16/2011 HITPC Transmittal Letter. http://www.healthit.gov/sites/faca/files/HITPC_PSTT_Transmit_8162011.pdf

[142] Stephen Downs, December 5, p. 20; Mark Savage, December 5, p. 31; D. McCallie, JR., December 8, p. 21.

[143] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing (December 5, 2013), p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Testimony_Michelle_DeMooy_CDT_2014-12-05_0.pdf.

[144] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing, p. 3.

[145] Michelle De Mooy, December 5, p. 30.

[146] Khaled El Emam, December 5, p. 48.

[147] See testimony of Ella Mihov (Ayasdi), December 8, p. 32, 36; see also, Kald Abdallah (Project Data Sphere, LLC), December 8, p. 31, 36.

[148] Richard Platt, December 5, p. 10.

[149] Melissa Bianchi, December 8, p. 6

[150] Richard Platt, December 5, p. 10.

[151] Khaled El Emam, December 5, p. 49.

[152] Khaled El Eman, December 5, p. 49

[153] Khaled El Eman, December 5, p. 49

[154] Khaled El Emam, December 5, p. 49.

[155] Khaled El Emam, December 5, p. 49.

[156] Khaled El Emam, December 5, p. 49.

[157] Khaled El Emam, December 5, p. 67 and Fred Cate, December 5, p. 67.

[158] Khaled El Emam, December 5, p. 66.

[159] Paul Wallace, December 8, p. 55.

[160] McCallie, Jr., December 8, p. 56.

[161] Khaled El Emam, December 5, p. 51-52.

[162] Khaled El Emam, December 5, p. 51-52.

[163] Michelle De Mooy, December 5, p. 29; Mark Savage, December 5, p. 38, 41; Fred Cate, December 5, p. 63.

[164] Fred Cate, December 5, p. 63.

[165] Michelle De Mooy, December 5, p. 28.

[166] Kirk Nahra, December 8, p. 11.

[167] Richard Platt, December 5, p. 26.

[168] Mark Savage, December 5, p. 32.

[169] Fred Cate, December 5, p. 64; Robert Gellman, December 5, p. 64.

[170] Richard Platt, December 5, p. 10 (Additionally, offering a universal opt-out may be undesirable because it would create unreliable answers from the data, which is a data quality concern).

[171] Fred Cate, December 5, p. 65.

[172]Fred Cate, December 5, p. 52

[173] Fred Cate, December 5, p. 52

[174] Fred Cate, December 5, p. 53 (Throughout Workgroup discussions, people commented that consent places a significant burden for privacy on the individual; see Stanley Crosley, January 26, at 17; see also Deven McGraw, February 9, at 26).

[175] Robert Gellman, December 5, p. 65.

[176] Robert Gellman, December 5, p. 66

[177] Stephen J. Downs, December 5, p. 15.

[178] See PSWG Meeting Slides, January 26, 2015, at 11, http://www.healthit.gov/facas/sites/faca/files/PSWG_Meeting_Slides_2015-01-26_v9.pptx.

[179] Andrei Stoica, February 9, p. 6.

[180] Andrei Stoica, February 9, p. 6.

[181]Andrei Stoica, February 9, p. 6.

[182] Andrei Stoica, February 9, p. 6.

[183] Andrei Stoica, February 9, p. 6.

[184] Andrei Stoica, February 9, p. 14.

[185] Andrei Stoica, February 9, p. 6.

[186] Andrei Stoica, February 9, p. 6.

[187] Andrei Stoica, February 9, p. 15, 21 (stating that “there is a huge impediment and huge cost differential for security, but as you go [down] a path to critical mass and you have a decent sized IT operation … then it becomes easier and easier….”).

[188] Andrei Stoica, February 9, p. 15.

[189] Denise Anthony, February 9, p. 10.

[190] Denise Anthony, February 9, p. 16.

[191] Denise Anthony, February 9, p. 10.

[192] Written testimony of Richard Platt, p. 4, http://www.healthit.gov/facas/sites/faca/files/PSWG_Background_Richard_Platt_Reply_to_Questions_for_Panelists_2014-12-05.pdf.

[193] Khaled El Emam, December 5, p. 54.

[194] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing (December 5, 2013), p. 3, http://www.healthit.gov/facas/sites/faca/files/PSWG_Testimony_Michelle_DeMooy_CDT_2014-12-05_0.pdf

[195] Fred Cate, December 5, p. 69.

[196] Fred Cate, December 5, p. 69.

[197] Testimony of CDT for the HIT Privacy and Security Work Group Virtual Hearing, p. 3.

[198] Michelle De Mooy, December 5, p. 28.

[199] Michelle De Mooy, December 5, p. 29.

[200] Michelle De Mooy, December 5, p. 29.

[201] Michelle De Mooy, December 5, p. 29.

[202] Anna McCollister-Slipp, December 5, p. 35.

[203] Denise Anthony, February 9, p. 13.

[204] Kirk Nahra, December 8, p. 16, 17.

[205] Ella Mihov, December 8, p. 30.

[206] Richard Platt, December 5, p. 10.

[207] Michelle De Mooy, December 5, p. 42.

[208] Michelle De Mooy, December 5, p. 42.

[209] Khaled El Emam, December 5, p. 49.

[210] Michelle De Mooy, December 5, p. 44.

[211] Khaled El Emam, December 5, p. 49.

[212] David McCallie, December 8, p. 21.

[213] Stephen Downs, December 5, p. 21.

[214] Stephen Downs, December 5, p. 21.

[215] Fred Cate, December 5, p. 53.

[216] Melissa Bianchi, December 8, p. 21.

[217] Michelle De Mooy, December 5, p. 46.

[218] See Anna McCollister-Slipp, December 5, p. 33; Michelle De Mooy, December 5, p. 37 (… people think … HIPAA really covers all medical data and have … no idea or understanding that it doesn’t in a lot of circumstances”); Michelle De Mooy, December 5, p. 37 (outreach is needed to app developers to ensure they understand their ethical responsibilities).

[219] Deven McGraw, HITPC Transcript, March 10, 2015, p. 19.

[220] Kirk Nahra, Slide Presentation, p. 6, available at: http://www.healthit.gov/facas/sites/faca/files/PSWG_Background_Kirk_Nahra_Health_Care_Privacy_Paradigm_2014-12-08.pdf

[221] Kirk Nahra, December 8, p. 11 (noting the explosion of data created by mobile applications, websites, personal health records, and wellness programs that are not subject to HIPAA).

[222] Anna McCollister-Slipp, December 5, p. 32.

[223] Anna McCollister-Slipp, December 5, p. 32.

[224] Anna McCollister-Slipp, December 5, p. 32.

[225] Anna McCollister-Slipp, December 5, p. 32.

[226] Melissa Bianchi, December 8, p. 5.

[227] Kirk Nahra, December 8, p. 19.

[228] Melissa Bianchi, December 8, p. 5.

[229] Kirk Nahra, December 8, p. 11.

[230] Kirk Nahra, December 8, p. 11.

[231] Kirk Nahra, December 8, p. 11.

[232] Kirk Nahra, December 8, p. 11, 12 (see also the discussion regarding the inability to define privacy harm, supra).

[233] Kirk Nahra, December 8, p. 18.

[234] Kirk Nahra, December 8, p. 17, 18.

[235] Fred Cate, December 5, p. 53.

[236] Robert Gellman, December 5, p. 51.

[237] Melissa Bianchi, December 8, p. 5; see also 45 CFR 164.501 (defining research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”); see also http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/.

[238] Deven McGraw, December 8, p. 8, 9.

[239] Deven McGraw, December 8, p. 9.

[240] Deven McGraw, December 8, p. 9.

[241] HITPC Transmittal Letter, October 18, 2011, available at: http://www.healthit.gov/sites/default/files/pdf/HITPC_Privacy_and_Security_Transmittal_Letter_10_18_11.pdf.

[242] Deven McGraw, December 8, p. 8; see October 18 HITPC Recommendations.

[243]October 18 HITPC Recommendations.

 [DM1]I thought we cited a definition above – aren’t we talking about the difficulty of setting parameters around which type of big data we’re trying to address?

 [SC2]In volume, or analytics – growth of what?

 [SC3]I’m not sure I’m following this sentence, my apologies

 [DM4]This needs to be fixed – doesn’t take into consideration FTC’s unfairness jurisdiction. 

 [DM5]What does this have to do with gaps in HIPAA?  If a HIPAA CE is collecting it, it is probably PHI even if not health data on its face…

 [DM6]Overall, we need a better intro here.  Essentially what follows is a distillation of the problems that the PSWG decided needed to be prioritized, since what is below is somewhat repetitive of – and more narrow then – what was above. 

Need Help with Your Assignment? Let us Help you

Place Your Order

We guarantee you the following if you order your paper with us

High Quality Papers

All papers are written by ENL (US, UK, AUSTRALIA) writers with vast experience in the field. We perform a quality assessment on all orders before submitting them.

Timely Delivery

Do you have an urgent order?  We have more than enough writers who will ensure that your order is delivered on time. 

100% Original

We provide plagiarism reports for all our custom written papers. All papers are written from scratch.

24/7 Customer Support

Contact us anytime, any day, via any means if you need any help. You can use the Live Chat, email, or our provided phone number anytime.

Confidential and Secure

We will not disclose the nature of our services or any information you provide to a third party.

Stressed? We got you covered

Money-Back Guarantee

Get your money back if your paper is not delivered on time or if your instructions are not followed.

We Guarantee the Best Grades

Get a Professional Answer