Today, we are excited to welcome Dr. Daniel Barth-Jones and Dr. Patrick Baier to Datavant’s Privacy Hub team, which is dedicated to protecting the privacy of patient data throughout the healthcare system. Dr. Barth-Jones and Dr. Baier join Dr. Colin Moffatt and a team of over thirty leading experts in privacy risk assessment, and together bring decades of expertise in cryptography, privacy risk assessment and mitigation, and HIPAA expert determination.
In this post, we’ll walk through what’s motivating this “Dream Team,” what the current privacy landscape looks like, and where we go from here.
Why Protecting Patient Privacy is Critical to Connecting the World’s Health Data
Datavant’s mission is to connect the world’s health data to improve patient outcomes.
Patients benefit in several ways when responsible data is utilized effectively. Patients benefit when biopharma companies build real world datasets in order to accelerate the development of oncology drugs. They benefit when leading medical societies invest in building high-grade registries to enable research into a particular disease, and when analytics companies use real world data to expedite recruitment for clinical trials for rare disease patients.
However, all of these benefits come with corresponding risks to patient privacy. As every Chief Privacy Officer knows, de-identification is not a magic solution that will guarantee the protection of patient privacy in every context. In addition to removing or modifying elements in the data, to be effective, quality de-identification requires technical and administrative controls around the use of that data, as well as considering what other data is reasonably available that could introduce re-identification risk to the patients in the dataset. The good news is that we can provide robust privacy protections to help ensure that patient information isn’t compromised and that patients, and science, benefit from the increased use and connectivity of health data.
While preserving privacy is critical to comply with the law (specifically, HIPAA, the Health Insurance Portability and Accountability Act of 1996), at Datavant, we think of privacy more broadly. Protecting patient privacy is essential to creating a foundation of trust for de-identified data that is being used to advance research and care and to protect data from misuse. We can’t build the data-driven learning healthcare system of the future without significant investment in the tools, systems and processes to protect patient privacy throughout that healthcare system.
The Current Privacy Landscape
Today, we often talk about the tradeoff between protecting patient privacy and maximizing the utility of patient data. As Travis noted in his initial Privacy Hub post, when we do so, we implicitly assume that we’re on an efficient frontier — where we’ve already optimized for both patient privacy and data utility, and getting more of one necessarily means getting less of the other.
In reality, we’re nowhere near the efficient frontier today, and the development of new privacy-preserving technologies means that it will be possible to maximize protections for patient privacy and greater data utility in the future.
Consider that today billions of identified patient records are sitting in decentralized databases and systems throughout the U.S., and one of these systems is breached almost every single day. In the instances when organizations do attempt to encrypt or de-identify patient information, they often do so using internal methods that are well-intentioned, but don’t always offer robust protections for the underlying data. Data that goes through the formal process of having re-identification risk assessed by a third-party statistical expert under HIPAA represents a small fraction of all health data in the U.S., and that process itself is being strained by greater data connectivity and the introduction of novel data types (unstructured data, genomic data, social determinants data, imaging data, etc.).
Given the current state, there is a massive opportunity to build tools, systems and processes to ensure that patient privacy is more rigorously protected throughout the industry. What this means is that data can be connected and used more frequently, leading to greater benefits for patients and preserving those patients’ privacy.
Where We Go From Here
As a starting point, there is a clear opportunity to make the HIPAA expert determination process much more technology-enabled, standardized and efficient than it is today. Dr. Barth-Jones, Dr. Baier, Dr. Moffatt and our team of more than thirty privacy experts have collectively assessed the privacy risk of thousands of healthcare datasets. All share the conviction that, while independent human expert judgment is critical, there is an enormous opportunity to streamline and then automate significant parts of the process in ways that will both accelerate the expert determination process and ensure more robust protections for patient privacy going forward.
Based on that core belief, we’re excited to let you know that our team’s immediate goals are to create:
- Lower risk of re-identification across the industry
- Expert determination processes that take hours, not weeks or months
- Privacy-preserving technologies to allow novel linkages, including unstructured data, genomic data, and beyond.
Datavant is uniquely well-positioned to develop these capabilities and make them available to the industry at large. In order to connect the world’s health data, Datavant has built trusted, neutral and ubiquitous infrastructure for its customers, who use those capabilities to build innovative products and deliver groundbreaking insights. The vision of Privacy Hub is to make these advanced privacy-preserving capabilities part of this shared infrastructure, and we look forward to working with Dr. Barth-Jones, Dr. Baier, Dr. Moffatt and a “Dream Team” of experts to carry this vision forward.