Big Data in Health Care:

Rewards and Risks

Daniel J. Weissburg, JD, CHC, Privacy Officer, UW Health

Molly R. Berkery, JD, MPH, Godfrey & Kahn, S.C.

Outline

Big Data in Health Care

Impetus

Benefits & Potential Outcomes

Research and Development Initiatives

Regulation

Challenges

Impetus for Big Data in Health Care

Impetus

United States Health Care Costs

Per capita national health expenditures: $9,255 (2013)

Total national health expenditures: $2.9 trillion (2013)

Total national health expenditures as a percent of Gross Domestic Product: 17.4% (2013)

Health care delivery

Fee-for-service -> value-based

Clinical trends

Pharmaceutical and medical device industry

Potential monetary value to the US health care system

Centers for Disease Control and Prevention, Health Expenditures, 2013.

Potential Benefits & Outcomes of

Big Data in Health Care

Benefits of Big Data in Health Care

Increase transparency

Improve patient outcomes

Nuances in subpopulations may be so rare that they are not readily

apparent in small samples

Predictive analytics

Reduce health care costs

Research and development

Pharmaceutical and medical device industry

Smart phone applications

Examples of Early Successes

The University of Ontario’s Institute of Technology developed predictors of the onset of nosocomial infections of neonatal intensive care newborns.

Brigham and Women’s Hospital in Boston developed standardized knee joint-replacement surgery.

Kaiser Permanente connected clinical and cost data leading to the discovery of adverse drug effects and the subsequent withdrawal of the drug Vioxx from the market.

Johns Hopkins School of Medicine - data from Goggle Flu Trends allowed prediction of surges in flu-related emergency room visits a week prior to other sources.

Research and Development

Initiatives

United States Office of Science and

Technology Policy (OSTP)

Goal: Make the most of the fast growing volume of digital data.

Transform the use of big data for scientific discovery.

Environmental/Biomedical research.

Education and national security.

Six federal departments and agencies committed $200M:

To advance, analyze, and share big data.

To harness the technology to increase discovery rates.

To expand the workforce using and developing these technologies.

Innovation

GPS-enabled asthma inhaler

GPS-enabled tracker that records inhaler usage by asthmatics (data merged with

CDC data on asthma catalysts to assist with the development of personalized

treatment plans and spot prevention opportunities).

Behavioral health smart phone app

Ginger.io uses information from a patient’s smartphone app to help providers

manage patient care and detect changes in behavior and health.

Physical activity tracker – the new medical device?

Spire – an app that senses and tracks physical movement, position and breathing

patterns to help individuals boost activity, relaxation and focus. Spire has

considered getting FDA approval as a true medical device.

Regulation of Big Data

Regulation of Big Data

Is health care behind in the big data revolution due to regulatory hurdles?

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Breach Notification Rule

Blanket prohibition on the sale of PHI (with specific exceptions)

Prohibition of compound authorization (with specific exceptions)

De-identification requirements

The Health Information Technology for Economic and Clinical Health (“HITECH”)

Increases the scope of privacy and security of health information under HIPAA.

Increases the potential legal liability for non-compliance and provides more enforcement of HIPAA rules.

Regulation of Big Data

Affordable Care Act

Meaningful use incentives

“[e]lectronically capturing health information in a standardized format” and “[i]nitiating

the reporting of clinical quality measures and public health information.”

“rigorous health information exchange,” “[e]lectronic transmission of patient care

summaries across multiple settings,” and "patient-controlled data.”

“access to comprehensive patient data through patient-centered [health information

exchange].”

Regulation of Big Data

Other legal considerations

Mobile health uses of big data and FDA regulation

Genomic and biometric big data

Health insurance and discrimination

Government use of big data

State law considerations

Ethical considerations

Research ethics

Challenges

Compliance Challenges

Technical

Institutional

Operational

Legal

Data Breaches

Not a new issue

Growing level of patient awareness & fear

Cyber-risk liability and insurance

Privacy/Security issues

Lack of safeguards of protected health information.

Lack of administrative safeguards of electronic protected health

information.

Use of public cloud services.

Largest (Health Care) Breach

- Office for Civil Rights, US Dept. of Health and Human

Services

Top 10 Health Care Provider Breaches

Top 10 Health Care Provider Breaches

New York Presbyterian

Hospital/Columbia University

College of Physicians and Surgeons

A CASE STUDY

NY Presbyterian/Columbia

Columbia University College of Physicians and Surgeons:

655 Students

$1.46 billion annual budget

$1.6 billion endowment

First MD graduate in 1769

New York Presbyterian Hospital:

2,478 beds (six locations)

$4.3 billion annual revenue (2013)

6th on America’s Best Hospitals (U.S. News)

NY Presbyterian/Columbia

Physician had a personally-owned computer server on

the network containing NYP patient PHI.

Due to a lack of technical safeguards, PHI was accessible

on internet search engines, including Google.

An individual found the PHI of their deceased partner, a

former patient of NYP, on the internet and complained.

Breach report to HHS – Office for Civil Rights (OCR)

regarding the disclosure of the PHI of 6,800 individuals,

including patient status, vital signs, medications, and

laboratory results.

NY Presbyterian/Columbia

Neither entity:

made efforts prior to the breach to assure that the network was secure and that it

contained appropriate software protections.

had conducted an accurate and thorough risk analysis that identified all systems

that accessed PHI.

had developed an adequate risk management plan that addressed the potential

threats and hazards to the security of PHI.

NYP failed to implement appropriate policies and

procedures for authorizing access to its databases and

failed to comply with its own policies on information

access management.

NY Presbyterian/Columbia

NYP and Columbia agreed to settle charges that they

violated HIPAA

NYP paid $3.3 million

Columbia paid $1.5 million

LARGEST HIPAA SETTLEMENT TO DATE

(5/2014)

NY Presbyterian/Columbia

Both NYP and Columbia agreed to a 3 year Corrective Action Plan, which includes:

Undertaking a risk analysis

Developing a risk management plan (submitted to the OCR for approval)

Revising policies and procedures (submitted to the OCR for approval)

Training staff (within 30 days and annually)

Providing incident and annual progress reports to the OCR

Deep violation of patient privacy

Massive reputational harm to both entities

High cost of privacy/data security compliance, on a compressed time table

“Strategic Prosecution”

Data breaches are a risk for all “HIPAA Covered Entities.”

But if you are big, famous and renown, with words like

“University of Wisconsin” in your name……

High profile means big headlines, and big headlines have

big impact, and big impact is what government enforcers

want.

Wisconsin

Wisconsin

Wisconsin

Additional Security Concerns

Cyber-attacks – the number one cause of data breaches,

and typically multi-staged attacks.

Cloud computing begins with social engineering.

Questions

Contact Information

Daniel J. Weissburg, JD, CHC

Compliance Officer - UW Hospitals

Privacy Officer - UW Health

University of Wisconsin Hospitals

and Clinics Authority

DWeissburg@UWHealth.org

Molly R. Berkery, JD, MPH

Attorney

Godfrey & Kahn, S.C.

MBerkery@gklaw.com