Big Health Data: Top Privacy, Security Considerations
Privacy Attorney Iliana Peters of Polsinelli Discusses Critical Concerns
Many healthcare providers, health plans, business associates and similar organizations are undertaking big health data initiatives involving the collection, analysis and sharing of large volumes of health data.
These initiatives promise a better understanding of clinical care outcomes, ways to reduce healthcare costs, and the exploration of new medical discoveries, but they also come with critical privacy and security caveats that must be carefully addressed, says privacy attorney Iliana Peters of the law firm Polsinelli.
"Just putting these large amounts of data together isn't necessarily problematic because obviously we have good intentions … But they have in a lot of ways unintended consequences or unintended risks."
While contractual agreements usually spell out restrictions on how certain aggregated data sets can be collected and used, federal regulations, such as HIPAA, as well as various state laws, also set different requirements on how that data must be kept private and secure, she says.
And there are cyber risk issues that need to be addressed, she adds.
"If we are putting together large aggregated data sets, that can be a very attractive target for threat actors," Peters says. "If they can steal large data sets, then perhaps they can make money by ransoming the entity that holds those data sets."
In the interview, Peters also discusses:
- Considerations involving de-identified and anonymized data versus identifiable health information;
- Potential breach concerns involving big health data projects and data-sharing agreements;
- Other top privacy and security issues involving big health data warehousing and data sharing.
Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. She previously spent more than a decade at the Department of Health and Human Services' Office for Civil Rights, including as the acting deputy director of health information privacy and as the senior adviser for HIPAA compliance and enforcement. Before joining the OCR team in Washington, Peters worked as an investigator in OCR's Dallas regional office.