Approaching Integrated Health Information Databases in 2019 — Data-Sharing, Clinical, Quality, and Research Collaboration
For a number of years, a variety of industries have faced the challenge of gathering, storing, and utilizing large collections of data. For the health care industry, the multiple, overlapping regulations governing the use and disclosure of patients’ health information compound these challenges. Further, health systems increasingly have access to a robust array of data, both through an improved ability to collect and store data internally and through collaborations with other providers and payors via the development of accountable care organizations, clinically integrated networks, health information exchanges, value-based payment arrangements, and more. At the same time, new techniques to process and analyze this data have introduced opportunities to use this data for clinical and population health improvement, quality assurance/quality improvement activities, research, business operations, and many other functions vital to improving patient health and the cost and quality of health care.
These varied opportunities that are possible through sharing integrated data sets exist in parallel with a complex and shifting regulatory landscape. Numerous changes to the Federal Policy for the Protection of Human Subjects (known as the “Common Rule”) went into effect on January 21, 2019, bringing a slew of new provisions concerning secondary research and patient consent requirements for applicable institutions. The Office for Civil Rights recently issued a request for information that could generate multiple regulatory changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Regulations governing the sharing of substance use disorder records of applicable providers, located at 42 C.F.R. Part 2 (“Part 2 regulations”), were updated in 2017 and additional changes may be coming in 2019. These developments come alongside multiple state law changes, an evolution in social thinking regarding privacy and data ownership, and international changes, highlighted by the dramatic shift in data-sharing requirements for companies conducting business in the European Union with implementation of the General Data Protection Regulation in 2018.
Inevitably, there is significant tension between progress in sharing and using data for the improvement of health, quality, and patient outcomes and the complex, shifting, and overlapping regulatory regimes. To succeed in such an environment, there are a few crucial foundational requirements health systems and hospitals should be prepared for when engaging in integrated data-sharing collaborations:
- Foster Internal or External Resources to Monitor and Apply the Overlapping Regulatory Frameworks. A foundational requirement for successful data sharing is having a firm understanding of the multiple intersecting and evolving regulatory frameworks governing the use and sharing of health data. While this starts with understanding HIPAA’s provisions on the use and disclosure of protected health information, multiple other state and federal requirements can be triggered as well. These include Common Rule requirements for secondary research, Part 2 regulations on substance use disorder records, Food and Drug Administration patient consent requirements for applicable research, and fraud and abuse laws, as well as National Institutes of Health policies, state laws, and other parameters when dealing with genetic information or biosamples. Factors such as who is sharing the data, who is using the data, how the data is being used, where the data is used, and what type of data it is all affect the scope of regulatory requirements associated with data sharing among multiple health care entities.
- Consider the Types of Data Being Collected and the Scope of Possible Secondary Uses at the Outset. Because the regulatory requirements for using and disclosing data for secondary purposes vary significantly based on the types of data and the type of use, thinking through anticipated future uses up front can help ensure that appropriate privacy and security protocols are incorporated as an integrated health information database is developed. For example, if patient authorization will be necessary to permit certain proposed uses, the participating health systems will need to coordinate the collection of such authorizations. Likewise, review by a HIPAA privacy board or institutional review board may be required for proposed uses or possibly for the development of the integrated database itself. If sensitive data types will be included within the universe of what is being shared (e.g., genetic data, substance use disorder data), upfront break-the-glass protections within electronic health records, or other data security measures, may be needed to prevent the commingling of sensitive data that could be subject to more restrictive sharing requirements.
- Ensure Up-Front Alignment in the Expectations of Data-Sharing Partners. When data is shared bi-directionally among multiple health care providers, payors, and other groups, there are a number of contractual and practical considerations that have the potential to be overlooked in a desire to get an arrangement in place and operational. A few key considerations include, for example:
  - Which party is responsible for collecting, storing, and managing the data in a compliant and secure manner?
  - How will liability for potential data breaches or impermissible uses be assigned?
  - May participating institutions engage in secondary research with the shared data, and, if so, who will oversee that research, and how will ownership of any results of research be allocated?
  - Will shared data be de-identified, and if so, how, by whom, and for what purposes?
  - How will participating health systems align their notices of privacy practices, participation agreements, and business associate agreements regarding use of shared data for secondary purposes?
- Frequently Reassess Expectations, Outcomes, and Agreements. The technological capabilities, regulatory parameters, and social norms governing the use and disclosure of health data will continue to evolve. This demands diligence not just when collaborative arrangements are set up, but on an ongoing basis to be able to adjust to these developments. This includes regular level setting of both external and internal expectations. For example, the line between what constitutes quality improvement activities and what constitutes research activities is not always well defined. As new innovative approaches to data are developed, there is the potential that activities can cross the line into research, bringing a host of new regulatory and contractual requirements. It may often fall on the legal or risk management department of a health system to anticipate and assess these developments to ensure continued regulatory and contractual compliance.
An overarching theme of these principles is that having an experienced team available to work through integrated data-sharing projects as early in the process as possible can be of utmost importance to avoid regulatory roadblocks as projects develop and evolve. These regulatory regimes can carry stiff penalties for noncompliance. For example, under HIPAA, improper disclosure of protected health information or other types of noncompliance can result in the Office for Civil Rights imposing corrective action requirements or substantial civil monetary penalties. Likewise, under the Common Rule, the federal government or an institutional review board can terminate or suspend research projects if it finds noncompliance with Common Rule requirements. Violations of Part 2 regulations can carry criminal penalties.
Richard Church, a partner at K&L Gates LLP, will be presenting a discussion of experiences in addressing integrated data-sharing challenges at the upcoming American Health Lawyers Association Physicians and Hospitals Law Institute program, taking place February 4–6, 2019, in San Antonio, Texas. Throughout 2019 and beyond, K&L Gates will continue to closely monitor and report on key regulatory developments in this area.