By MARIE COPOULOS

I’ve had the great fortune of spending much of my career at the intersection of health care innovation and the underlying data that drives new models.

For those of us who’ve worked in this space for a long time, there’s a certain pattern recognition that comes with this work that is often immediate and obvious – both in terms of really cool developments but also gotchas. “Ah, you’re stumbling here. Everyone does that.”

The challenge, I’ve found, is that these ‘gotchas’ that can be so visible to the folx who’ve worked in health tech for the past few decades can be counterintuitive in the business and even met with resistance. Why?

I’m going to focus here on pattern recognition, with the goal of highlighting common stumbling blocks and, critically, ways you can interrupt them if you see them.

Pattern #1: Lacking a Clear-Eyed View of Market Data Gaps
Key Question: Do you understand how the market you’re in informs your ability to measure your work and use data to drive insight?

For those of you building models that change the status quo – this is for you. By nature these innovations break from existing care and financial models with the goal to improve them. We need this in health care. However, it’s common to overlook the fact that breaking with the status quo also breaks with the ways that we capture and serve up health data.

To this end, don’t assume you will be able to measure and show success, and that the data you need must be out there. The true differentiator is for both to align. Design with intention.

If you’re at the stage of thinking about a productized solution to a health care problem, then it is also the right time to look at the market with a lens toward data availability. In your problem space, what’s the data set you’re likely to lean on? Is it sufficient?

If the answer is that the data is not available or notoriously problematic in your market space for the problem you’re solving, this merits a pause. Can you find a way to survive in this reality? Can you create the data set you need? Can you adjust what you’re doing in some way to align with what is available? Is qualitative feedback ok?

Pattern #2: Accumulating Non-Technical Roadblocks Key Question: Do you have a good handle on the non-technical challenges impacting your data business?

A decade ago I would have approached this question differently. Technical challenges were often paramount as we tried to figure out how to solve the basics. Today, however, it’s often the opposite, in that business challenges are more likely to slow down technical progress than the other way around.

What do I mean by that? Most frequently I see organizations stumble on things like data acquisition, partnerships, and the right strategic vendor choices and these stumbles manifest in increasing technical debt that grind teams and reduce productivity.

In new models and approaches, in particular, there are often many players involved, eager to try something new. Because you’re doing something new, by design you won’t know all the stumbling blocks. What matters is not that you know what they are, but that you have good governance that allows you to work through these issues together.

It’s not that the problems are insurmountable, but the question of who is going to spend limited resources, in what order, on these very hard problems. Who owns that work and that risk? Who makes decisions? Think about this early.

Pattern #3: Lack of Focus
Key Question: Do you know what pieces of information provide disproportionate value?

There are many kinds of healthcare data (claims, EMR, ADT, pharmacy, labs, etc). Those different sources shine light on the same patient events–a single visit results in little bits of a story that are captured in many electronic systems.

Often talking about different data types feels wildly obscure. But, if there’s one concept to center on as a business leader, it’s getting to the bottom of this question: what are the pieces of information that are disproportionately valuable to run your business?

Some of the most value-add businesses in health care, in my view, have figured out how to narrow in on a piece of information (readmissions, medication fills) that is scalable and hyper focus on consistently improving on the patient and clinician experience, and outcome.

This reflects the reality of our industry today. Because health care data is messy and inconsistent, it takes a lot of work to get into usable forms. Absent that work, this information can be confusing, contradictory, and too frequently – noise.

Until we hit the point where this is not quite so hard, make sure you know what kind of business you are and where you want to invest your resources. From an infrastructure and product perspective, a business powered by a narrow insight looks different from a business powered by a holistic, normalized view of a patient. Which are you?

Pattern #4: Short-Term Wins that Don’t Build

Key Question: Do you feel comfortable with the tension between short-term wins and long-term wins and do you have an open conversation with your team on this topic?

This manifests in a couple ways. One is short-term wins that don’t build, and the other is a focus on long-term goals exclusively with unrealistic timelines. These problems are certainly not counterintuitive, but they are hard to interrupt and one of the reasons we see so much churn, burnout, and disappointment in major launches. My advice: aggressively look for ways to build in small, additive steps. 

An example: It’s really common in a new model to build a partnership to access information to provide a broader view of a patient population. Depending on the problem, you might find local, regional or national entities to support you in finding the right information.

A short-term win might have you build a partnership with a provider of that information with the goal of a quick win. However, these are the kinds of decisions that often weigh on technical teams in the long-term as they manage many partnerships and many interfaces, and in fact the cumulative effect can be devastating to productivity and innovation. It’s not just the weight of managing one-off work, but the sense of loss of having to rebuild again and again.

Building in an additive way takes a little extra time at the start, but reduces waste over time.  Consider how any small project will serve future efforts (i.e. is this a partnership that scales, contractually and technically?). These small wins build momentum and collective capacity.

Pattern #5: Siloed Technical Teams
Key Question: Do you have a good sense of what motivates your team to solve hard problems for you? 

Choosing to work in health care data means choosing to work in one of the most challenging technical segments – because of the weight of regulations, messy data, and old infrastructure. In my experience, a common motivator is mission. In the teams I’ve built, there is a palpable drive to help patients and improve systems for the better.

If I leave you with one point, it would be not to overlook this connection to mission and sense of belonging to the team that is helping improve patient lives. Yes, fair compensation and good benefits and work-life balance all matter. But, don’t forget ‘why’ these talented technical team members are sitting at your table, frequently doing work that is technically below their capabilities.

Ask them what makes them feel informed and connected to the whole. It will make it collectively easier to solve the messy, hard problems together.

Marie Copoulos, MS, is a public health professional and long-time health executive working at the intersection of analytics, population health, and climate. (She previously published on THCB under the name Marie Dunn).

Knowledge is power. If this adage is true, then the currency of power in the modern world is data. If you look at the evolution of the consumer economy over the past 100 years, you will see a story of data infrastructure adoption, data generation, and then subsequent data monetization. This history is well told by Professors Minna Lami and Mika Pantzar in their paper on ‘The Data Economy’: “Current ‘data citizenship’ is a product of the Internet, social media, and digital devices and the data created in the digitalized life of consumers has become the prime source of economic value formation. The database is the factory of the future.” If we look no further than the so-called big tech companies and distill their business models down in a (likely overly) reductionist fashion: Apple and Microsoft provide infrastructure to get you online, and Facebook (Meta) and Google collect your data, while providing a service you like, and use that data to sell you stuff. Likely none of this is surprising to this audience, but what is surprising is that this playbook has taken so long to run its course in one of the world’s largest and most important sectors: healthcare.

Given the potential impact data access and enablement could have on transforming such a large piece of the economy, the magnitude of the opportunity here is — at face value — fascinating. That said, healthcare is a different beast from many other verticals. Serious questions arise as to whether target venture returns can be extracted in this burgeoning market with the scaled incumbents (both within and outside healthcare) circling the perimeter. Additionally, this is a fragmented ecosystem that has existed (in its infancy) for a few years now with well-funded players now solving for different use cases. Thus, another question emerges as to which areas are best suited for upstarts to capitalize. A key theme in our assessment of the space is that regulation is driving the move towards democratized data access in healthcare, but unlike in regulatory shake-ups of the past, this time start-ups will benefit more than scaled incumbents. Furthermore, we have identified some areas within each approach to this new ecosystem that particularly excite us for net new investment. Let’s dive in.

Why This Time is Different: Regulatory + Market Dynamics

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 brought about an explosion of digital healthcare data by expanding adoption of electronic medical records from ~12% to 96%.

While the primary user of the EMR is the practicing physician in their journey of care delivery, today, there is increasingly demand from other stakeholders in the care ecosystem for the insights that these records hold and hence, the need for a marketplace for this data. Payers want access to the records to help with member population health analytics and risk adjustment. Life sciences companies want access to the records to power real-world data / real-world evidence initiatives for drug discovery and development and patient engagement. Digital health start-ups want access to the records largely to help you manage your specific conditions.

Hiding behind The Health Insurance Portability and Accountability Act of 1996 (HIPAA), EMR vendors and provider organizations have restricted access to this data to retain and entrap the patient base and maintain ownership of a valuable data asset. As of November 2021, at least 70% of healthcare providers still exchange medical information by fax because historically there has been no option to send EMRs using modern internet services.

Even if data sharing is enabled, real challenges persist to accessing longitudinal data for both a patient’s and a population’s health history. While de-identified data can be obtained through business service agreements with data owners and individual patient data can be accessed via consent / permissioned logins to online provider portals, there are few, if any, ways to obtain this data on an aggregated basis across multiple patients and provider organizations. Additionally, challenges to data connectivity, standardization and format integrity exist inside healthcare organizations, which largely house data in disparate internal siloes. As a result, crucial healthcare data that could be used to improve care has been locked in these disconnected, suboptimal record systems.

21st Century Cures Act of 2016 (and related regulations) enabled information sharing, making “sharing electronic health information the expected norm,” thus limiting EMR vendors’ (and other stakeholders’) ability to block the flow of information. A series of related regulations continue to be rolled out to encourage this connected end-state.

The difference this time: at the passing of the HITECH Act, Meditech, Epic, and Cerner had been around for at least 30 years. Hence, these incumbents were well-positioned to fulfill the compliance requirements for the HITECH act and emerged as major winners. As to the proof-points: Meditech approaches half a billion in sales, Epic generated $3.8B in revenue in 2021, and Cerner was acquired for $28B in 2022.

Conversely, in 2016, there were virtually no scaled rails to enable data exchange, integration and sharing in an elegant user interface, especially for stakeholders outside of the provider organizations. In the instance of the 21st Century Cures Act, the rules actually largely pre-dated the required infrastructure.

The question we are exploring is: Will the value created by these rules accrue to scaled incumbents as it did in the wake of the HITECH Act?

Ben Thompson argues in this piece that for consumer/ big tech, this is true. He makes a good case here that today’s cloud and mobile companies — Amazon, Microsoft, Apple, and Google — much like the automotive giants — GM, Ford, and Chrysler — will dominate the market.

There is reason to believe this is possible. After years of seemingly fighting interoperability, the incumbent EMRs are beginning to play ball. As proof-points, Cerner, Allscripts, and athenahealth are founding members of the CommonWell Health Alliance, and Epic is planning to join TEFCA and launched a connection hub to allow any vendor with a connection to Epic to list their app and self-report if they have achieved successful data exchange. Incumbents from outside the healthcare ecosystem (largely from our parallel consumer data story) are swooping in as well. AWS, Google, and Microsoft have all launched healthcare cloud services platforms to help with data normalization and sharing. Apple is offering its HealthKit APIs to help developers access healthcare data for the purpose of creating apps for its iOS and watchOS. Oracle’s acquisition of Cerner is also relevant here by moving healthcare data to the cloud for easy access and sharing.

That said, there is reason to believe these scaled players will struggle. Google, Amazon, and Microsoft have all encountered issues in their pursuit of healthcare profits. While Epic and Cerner have partnered up with big tech (Google and Oracle, respectively) in the wake of the new regulations, early indications show challenges in these relationships.[1] Additionally, the incentive structure for incumbent EHR vendors providing access to the underlying data held by their provider customers is questionable at best. It is also worth noting that, while the duration of the current macro headwinds for the enterprise technology sector is unclear, it is not a stretch to imagine these companies will prioritize their core businesses in the near term. This dynamic, in our view, presents opportunity for upstarts to build both the infrastructure and apps needed for a new era of connected digital health.

Where to Focus / Zooming in: Select Areas of Interest in Healthcare Data

The below captures our take on the current state of play with respect to the different models tackling this problem of healthcare data access.[2] [3]

The above healthcare data category that has (arguably) seen the best outcomes to-date is the net new data generators. These businesses often provide a useful product or service in exchange for rights to and the ability to monetize the underlying data collected. This is not unlike the ad revenue business model in the consumer data economy where consumers are incentivized to contribute their data in exchange for a product/service (often free). For example: Tempus has reportedly raised $1B+ in funding and recently inked pharma deals representing a reported approximately $700M in revenue over the next few years for its combined sequencing + data platform. Evidation has reportedly raised $250M+ in funding around its two-sided consumer-pharma research platform. Perhaps the posterchild of this model, and the entire healthcare data movement, thus far is the oncology-focused Flatiron Health. Flatiron’s OncoEMR is becoming the market leader for oncology practices, plus its others software applications (for example: Flatiron Assist and OncoTrials) are helping make cancer treatment providers much more efficient. In addition, Flatiron delivers data generated at the point of care to help the life sciences community develop new cancer drugs. This is a rare win-win-win: providers no longer have to deal with frustrating technology that is largely from the ’80s, life sciences get access to net new data to improve their drug development, and better outcomes are driven for the patients. This alignment of incentives and creation of a trove of rich, valuable new dataset catalyzed their purchase by Roche for $1.9B.

While the primary data collection strategy is vital to enriching the dataset accessible to the ecosystem, we are at a point where we already have massive troves of data which remain trapped in silos across complex organizations. For example, it is a tedious, largely manual task to extract and integrate our own healthcare data from various hospitals and clinics, oftentimes in multiple states, let alone multiple countries. No scaled player exists today to do this efficiently and digitally for hundreds of thousands of patients, as needed for risk underwriting by payors or real-world initiatives by life sciences companies. The coveted concept of the ‘longitudinal health record’ on either a population (de-identified) or an individual (permissioned) level is still largely ‘on the come.’ The ‘holy grail’ vision is to create an internet of healthcare data that various stakeholders in the healthcare ecosystem can conveniently access for their respective use cases.

This will likely be done piecemeal across various areas, as is the case with the consumer data economy (e.g., there are different companies that get us online, organize our data, and use it to sell relevant services and products to us).

There is an alternative where we achieve a ‘golden mean’ — few new companies seek to simply become systems of record — to store data; rather, they extend the capabilities of existing stores of data — on prem or cloud — and seek to leverage and utilize these data resources in ways that were previously impossible when they couldn’t talk to each other in a fluid, seamless, common language. One of the many ways to achieve and incentivize this shared data ecosystem could be the “give-to-get” model that David Sacks outlines here. Once data sharing becomes the new normal, it will be more interesting to build businesses that can capitalize on this and build high value applications to realize an equitable, accessible, and connected healthcare ecosystem. Just as when cars became a household necessity, building the roads, developing suburbs and selling oil became more interesting.

Footnotes:

[1] Epic did finally ink a commercial deal with Google, but not without Epic putting its customers in the middle of integration disputes and Google almost dismantling its Health unit and laying off hundreds of employees in its Verily Life Sciences unit.

[2] Veradigm also has access to primary data they generate via their family of EHR systems (e.g. PracticeFusion).

[3] Many of these businesses also offer other products and services not captured in this map. For example, Change Healthcare, which sold to Optum in 2022 for $7.8B, primarily offers RCM/payments and imaging solutions.

Shubrha Jain MD, MBA is Head of Healthcare Investments and Jay Santoro is an Associate at Tarsadia Investments, a $2bn fund. This article first appeared on their Medium channel

By KIM BELLARD

Did you know we are living in the Zettabyte Era? Honestly, did you even know what a zettabyte is? Kilobytes, gigabytes, maybe even terabytes, sure, but zettabytes? Well, if you ran data centers you’d know, and you’d care because demand for data storage is skyrocketing (all those TikTok videos and Netflix shows add up). Believe it or not, pretty much all of that data is still stored on magnetic tapes, which have served us well for the past sixty some years but at some point, there won’t be enough tapes or enough places to store them to keep up with the data storage needs.

That’s why people are so keen on DNA storage – including me.

A zettabyte, for the record, is one sextillion bytes. A kilobyte is 1000 bytes; a zettabyte is 1000⁷. Between gigabytes and zettabytes, by powers of 1000, come terabytes, petabytes, and exabytes; after zettabyte comes yottabytes. Back in 2016, Cisco announced we were in the Zettabyte Era, with global internet traffic reaching 1.2 zettabytes. We’ll be in the Yottabyte Era before the decade is out.

People have been working on DNA storage for many years; I first wrote about it in 2016, when I speculated it might mean we could literally be our own medical record. We’re not at the stage of practical DNA storage yet, and we probably won’t be for many more years, but it’s hard to believe we’re not going to be there eventually. Unlike every other form of recording we’ve come up with, DNA can persist almost indefinitely, and, as long as there are intelligent species based on DNA, they’ll want to read it.

Most importantly, DNA can store a lot of data. As MIT professor Mark Bathe, Ph.D. told NPR: “All the data in the world could fit in the coffee cup that you’re drinking in the morning if it were stored in DNA.”

Mind. Blown.

What prompted me to write about this now was an announcement from Microsoft. Working with researchers from the Molecular Information Laboratory at the University of Washington, their paper demonstrated a “proof of concept” molecular controller that allowed them to write to DNA “three orders of magnitude” – that’s 1000x – denser. As the announcement said: “Ultimately, we were able to use the system to encode a message onto four strands of synthetic DNA, proof that nanoscale DNA writing is possible at dimensions necessary for practical DNA data storage.”

I’ll spare readers the detail of what they did – I don’t pretend to understand it – but the paper concludes:

we project that the technology will scale further to billions of features per square centimeter, enabling synthesis throughput to reach megabytes-per-second levels in a single write module, competitive with the write throughput of other storage devices…We foresee these assemblers being used in other areas like material science, synthetic biology, diagnostics, and closed-loop massive molecular biology experimental assays.

Similarly, the announcement concludes: “we foresee the technology reaching arrays containing billions of electrodes capable of storing megabytes per second of data in DNA. This will bring DNA data storage performance and cost significantly closer to tape.”

You can bet Microsoft is taking this seriously.

———

Lest anyone think only Microsoft is working on this, there have been several other promising developments in recent weeks. Interesting Engineering highlighted a few of them:

• Georgia Tech Research Institute researchers have developed a microchip that allows faster writing to DNA, and expect it to 100x faster than current technologies. Lead researcher Nicolas Guise told BBC that, since DNA can survive so long, “the cost of ownership drops to almost zero.”
• Northwestern University scientists have demonstrated a new “enzymatic system” that encodes three bits of data per hour. The NU announcement explains: “Our method is much cheaper to write information because the enzyme that synthesizes the DNA can be directly manipulated.” The researchers believe the technique could be used to install “molecular recorders” inside cells to act as biosensors; the possibilities are astounding.
• A team at China’s Southeast University used a new process to split content in sequences, rather than one long chain, while “downsizing” the instruments used. TechRadar speculates could lead to the first mass market DNA storage device. Professor Liu Hong told Global Times: “Now we are aiming at the combination of electronic information technology and biology, which might be used in various aspects including data storage and nucleic test for virus.”

Interesting Engineering may have missed the most interesting use yet: Business Insider India reports that Roddenberry Entertainment has created a NFT (non-fungible token) of Gene Roddenberry’s signature on the first Star Trek contract and is storing it on DNA implanted in a bacteria – “ the first-ever living ecological non-fungible token (NFT).”  The bacteria is currently dormant, but if revived it will duplicate the NFT as it reproduces (which sort of goes against what I thought NFTs were).

Somehow I don’t think that’s what the Microsoft researchers were intending DNA storage to accomplish, but, hey, anything for Star Trek.

As Professor Bathe told NPR, if cost/efficacy issues are solved – and they are well on their way – “Then, you know, the sky’s the limit in terms of just storing everything that we ever wanted to and ever will need to.”

———

It’s possible that DNA storage will never get fast enough or cheap enough to replace existing storage methods. It’s possible that some other new technique will emerge that will be even better than DNA storage (e.g., holographic storage?).  But we are DNA-based creatures and the possibility of using the technique that nature builds us with to store and manipulate the data we generate is irresistible. 

There already are DNA-based “robots” and DNA-based computers so, honestly, DNA storage doesn’t surprise me at all. We should be expecting molecular DNA recorders…and trying to anticipate what we do and don’t want them used for.

In the 21^st century, biology is computing, and vice-versa. DNA isn’t just our genetic history and future, but information that we can read and write in. We call it “synthetic biology” now but as the field grows and grows we’re going to forget the “synthetic” part, like “digital health” just becomes “health” (or “cryptocurrency” just becomes “currency”).

Life in the Yottabyte Era is going to be very interesting.

Kim is a former emarketing exec at a major Blues plan, editor of the late & lamented Tincture.io, and now regular THCB contributor.

By FARZAD MOSTASHARI

In Partnership with the Duke-Margolis Center for Health Policy, Resolve to Save Lives, Carnegie Mellon University, and University of Maryland, Catalyst @ Health 2.0 is excited to announce the launch of The COVID-19 Symptom Data Challenge. The COVID-19 Symptom Data Challenge is looking for novel analytic approaches that use COVID-19 Symptom Survey data to enable earlier detection and improved situational awareness of the outbreak by public health and the public. 

How the Challenge Works:

In Phase I, innovators submit a white paper (“digital poster”) summarizing the approach, methods, analysis, findings, relevant figures and graphs of their analytic approach using Symptom Survey public data (see challenge submission criteria for more). Judges will evaluate the entries based on Validity, Scientific Rigor, Impact, and User Experience and award five semi-finalists $5,000 each. Semi-finalists will present their analytic approaches to a judging panel and three semi-finalists will be selected to advance to Phase II. The semi-finalists will develop a prototype (simulation or visualization) using their analytic approach and present their prototype at a virtual unveiling event. Judges will select a grand prize winner and the runner up (2nd place). The grand prize winner will be awarded $50,000 and the runner up will be awarded $25,000.The winning analytic design will be featured on the Facebook Data For Good website and the winning team will have the opportunity to participate in a discussion forum with representatives from public health agencies. 

Phase I applications for the challenge are due Tuesday, September 29th, 2020 11:59:59 PM ET.

Learn more about the COVID-19 Symptom Data Challenge HERE.

Challenge participants will leverage aggregated data from the COVID-19 symptom surveys conducted by Carnegie Mellon University and the University of Maryland, in partnership with Facebook Data for Good. Approaches can integrate publicly available anonymized datasets to validate and extend predictive utility of symptom data and should assess the impact of the integration of symptom data on identifying inflection points in state, local, or regional COVID outbreaks as well guiding individual and policy decision-making. 

These are the largest and most detailed surveys ever conducted during a public health emergency, with over 25M responses recorded to date, across 200+ countries and territories and 55+ languages. Challenge partners look forward to seeing participant’s proposed approaches leveraging this data, as well as welcome feedback on the data’s usefulness in modeling efforts. 

Indu Subaiya, co-founder of Catalyst @ Health 2.0 (“Catalyst”) met with Farzad Mostashari, Challenge Chair, to discuss the launch of the COVID-19 Symptom Data Challenge. Indu and Farzad walked through the movement around open data as it relates to the COVID-19 pandemic, as well as the challenge goals, partners, evaluation criteria, and prizes.

Transcript: Farzad Mostashari on the Covid19 Symptom Data Challenge

Indu Subaiya: I’m delighted to be talking today with Farzad Mostashari about the COVID-19 symptom data challenge, in partnership with Facebook Data For Good, the Delphi Group at Carnegie Mellon University, and the joint program on survey methodology at the University of Maryland. So thank you for being here as we launch this challenge. Help us set the stage, because on March 7th of this year, you noticed something unusual going on in New York City. Tell us about that.

Farzad Mostashari: I was part of the first group of researchers 20 years ago to say “There’s all this data that is part of the universe floating around that we’re not using for public health purposes. What if we did?” The urgency at that time was around pandemics and bio terrorism both.

And we developed this whole field of what became known as “syndromic surveillance”, public health surveillance, real time epidemiology, where we were like, “What if you tap into what’s going on and apply these new statistical methods?” So at that time, the stone that we polished was emergency room visits and saying, “Can we receive all these data about emergency room visits happening in New York City?” And now it’s national. And be able to track, not diagnosed cases of anything, but syndromes. Is there a respiratory syndrome? Is there difficulty breathing? Is there influenza-like illness going on in the community?” And we set up these systems. And one of the other things we did in New York City, which a lot of other jurisdictions didn’t do, was we created a public facing transparency tool view of that.

So 10 years later, I was sitting in my basement like so many other people worrying about what’s going on with COVID. And now at that time in New York City, there were two diagnosed cases of COVID. But there was a lot of concern. And I went on that website, and it’s a public website, but people just didn’t know about it. And I clicked through, and I saw that cases of people going to the emergency room with respiratory distress, with difficulty breathing, with cough and fever had doubled and tripled just in the past few days. And what that told me was there are not two cases of COVID in New York City. There are tens of thousands of cases and they’re doubling every three days.

It took two weeks between that realization and when the schools were shut down, when the city was shut down. The promise and the premise here is that if we trust those signals, if those are trusted signals, we don’t have to have hundreds of thousands of people infected and tens of thousands of people die. We can intervene sooner. The public and policy makers can both make decisions based on data that is more timely.

Indu Subaiya: It seems almost there are three requisite factors that play into this vision that you’ve really set up beautifully. And one is that you need open data. You need access to data that you’ve always evangelized for and built in New York City and other places. You need to have mechanisms for early detection and early warning. But there’s something else you’ve always advocated for, which is the engagement of citizen scientists. So speak to how those underpinnings of the vision came together to design this challenge specifically.

Farzad Mostashari: So I got to hear about this incredible effort that’s underway that no one knows about (to a first order of approximation) which is that there are millions of surveys a week being done all over the globe, 70 plus countries, and in every state and territory in the US where millions of people every day, they go on Facebook, they see that there’s an opportunity to take a survey about COVID from an outside university, Carnegie Mellon, or University of Maryland for the global data. They click on that and they leave Facebook and they go to this other webpage and they fill out a survey that asks questions around, “Have you had symptoms in the past 24 hours? Has anyone in your household? Do you know people [who have]? Do you wear masks? Have you been careful when you go outside?” And they’re answering these questions and they’re actually being statistically weighed so that it’s not a convenient sample, it’s not whoever happens to have a thermometer at home or whatever. It’s like real time, reliable information. But it’s not being used!

Tom Frieden, my former boss and now leading Resolve To Save Lives (a wonderful global public health organization) and I were brought in to give our thoughts about this effort. And we were both like, “This is amazing. You should push it out.” And they pushed out the data in an open API. Anyone can go to the Delphi CMU. And three months later, it’s still not part of the Pantheon of data that we’re using to assess what’s happening with the COVID. Despite all the shortcomings in all the other data systems, people aren’t using it.

And I think to your point, the data is there, but the engagement on polishing the stone hasn’t occurred. The validation of it hasn’t occurred because we don’t have enough eyes on it. And it is not integrated into people’s understanding of what they should do. “Should I send my kid to school? Should I go to the store? Do I wear a mask this week?” These are real decisions that real people have to make every day, and we’re not giving them the benefit of what might be something that could be a real game changer.

Indu Subaiya: Well, we’ve seen firsthand in some of the early analyses with this data. Speak a little bit to just some of the insights that you’ve seen where symptom data can tell us something differently and earlier than case rates, death rates, the kinds of data inputs that we’re currently used to seeing, for the ways that this can do better.

Farzad Mostashari: Yeah. So theoretically, let’s think about the advantages. Over the three major sources of data, if I said to you, a citizen scientist, “How do we know what’s going on with COVID in our community? How do we know if an outbreak is occurring? How do we know if the outbreak is peaking? How do we know if it’s coming down?” There’s three sources of data that we are trying to look at. And all three are flawed. The first is obviously how many diagnosed cases we have. Case numbers, case positivity, lab tests. Well, the problem with that is we had a huge dearth of lab capacity early on. There are still parts of the country and parts of the world where there is not great lab capacity. And that lab capacity is changing. And even when we do the tests, they’re delayed now by seven to 10 days.

And the positivity can’t necessarily be relied on either, because it depends on what population you’re testing. If you turn on testing of a bunch of young people, you might have a different rate. If you start testing asymptomatic people, you might have a different rate. If the people follow the CDC’s recommendation and they stopped testing asymptomatics, you can have an increase … So it’s very much dependent on testing behavior. You’re seeing it through this lens of testing behavior and that lens can distort.

The second source of data could be deaths. Deaths are highly reliable. They’re still underdiagnosed. One of our scientific committee members, Dan Weinberger, and a group of other researchers and I published an article looking at excess deaths compared to COVID deaths. And there’s actual discrepancies between those two, but death is a pretty hard data point. The problem is it’s weeks delayed. If we waited until we saw deaths to say that we have a problem, the outbreak would have run wild through a city before we can even address it.

And then the third source of now traditional surveillance are the syndromic surveillance, emergency room, hospitalization, syndromic data that we pioneered 20 years ago. And the problem with those is that the lens you’re seeing those through is health seeking behavior. And if people change their likelihood of going to the emergency room, going to doctor’s offices, it obscures that lens.

So with all three of these, the symptom survey data presents unique advantages. Compared to deaths, it’s much more timely. In fact, compared to any of the other data sources, you would expect it to be the first indicator. It’s completely unrelated to health seeking behavior or testing availability. And if you think about, and particularly in the global context, there are many countries where the lab capacity is really challenged, and even death surveillance, mortality surveillance is really challenged. This could be a major tool.

That all having been said, what we have now are very preliminary evidence that this could be useful. And what we’re looking for are many, many more people to put eyes on the data and find ways to polish those stones, to have the highest-value ways, for society, of using this information.

Indu Subaiya: So available to all the citizen scientists in the world as of today will be access to these datasets through APIs, through aggregate CSVs. And Farzad, what will be the primary challenge questions that they’ll be able to engage with and tackle?

Farzad Mostashari: The main question that we’re asking is can you find a way to validate whether adding in the symptom data into all the other existing data sources we have can improve the sensitivity, the specificity, the timeliness of our ability to detect what’s going on with the outbreak. What are the inflection points? When is it taking off? When is it flattening? When is it coming down? And to be able to provide useful information for policy makers and the public in guiding their decisions.

So we’re leaving it pretty wide open, right? Come with your methods, come with your visualization. Do you want to look at it on an age stratified basis? Do you want to combine it with lab data? Do you want to incorporate the mask wearing information? Do you want to think about the granularity of it in space? Do you want to look county level, HR level, state level? Do you want to look at it in terms of time? Do you want to look at it by week or by day? All of those, do you want to apply statistical methods, clustering methods? You figure it out.  But answer the question: “what is the best case to be made for how one would incorporate this data into the Pantheon of public health surveillance tools?”

Indu Subaiya: And even though we have the academics, if you will, working on this, we’re really looking for all comers.

Farzad Mostashari: All comers.

Indu Subaiya: Even if you’re not a trained epidemiologist, but you have an interest in this data, we are making it available as of today. And contestants will have four weeks to come up with their analyses. And then we’ll have some semifinalists that will present to the scientific committee. And at that point, up to five teams will be chosen to advance to a second round where they’ll build visualizations and simulations, prototypes of this analysis in action. So as the contestants submit their analyses after the first four weeks, the scientific committee will be looking at certain criteria. What can people expect their submissions to be judged on?

Farzad Mostashari: Well, I think it’s kind of like having a special issue of a journal. We won’t be as tough on the formatting and references as we would a real journal article, but we’re basically doing the evaluation of the validity of the results.

How convincing is the evidence that’s being presented in terms of the additional utility of adding the symptom data and how? What are the methods that are being used? The second is the rigor with which these analyses are done. Have they considered biases confounding, some of the other potential causes for false associations? What are the limitations of that? The third is impact.

If there’s a method that’s so complicated that it takes 20 days to run on every day’s worth of data, well, that’s not going to have as much impact. But what is the real likelihood of impact?

And related to that, but distinct, is the user experience. How easy is it to explain? How easy is it to visualize? How easy is it to make actionable those results from the analysis? These four criteria are going to be used in the first phase. And then when we do the presentations and then with the final result, when we select the grand winner of … What is it, $50,000? That’s huge!

Indu Subaiya: That’s right. And the second place gets $25,000.

Farzad Mostashari: $25,000! Those are the same criteria are going to be used for each of those levels.

Indu Subaiya: Fantastic. I also want to remind folks that outside data can be brought in as long as it’s made publicly available so that we can continue to feed this repository of access to data, and hopefully really combat this epidemic together.

So Farzad, one of the ways that we can help contestants understand the data sets being made available is there’s so many partners here. Where did these data sets come from, and how does privacy work given that people have taken these surveys?

Farzad Mostashari: The surveys are suggested to folks who are on Facebook. But then when someone clicks on that banner ad that says ‘do you want to take a COVID survey,’ they leave the Facebook environment entirely, and they go off to the University of Maryland or Carnegie Mellon’s website.

I think it’s important for people to understand where the data comes from is from those anonymous surveys that are done by the universities. There is no access to the line-level data for the folks at Facebook. They don’t want it, they don’t have it.

But that micro data is actually available to university researchers. But there are extracts made from that, which are anonymized, minimum cell size at the various levels of granularity that are currently being made public through APIs and we will make a CSV download available as well.

Those are fully anonymized, fully aggregated. No one’s identity is obviously going to be impacted, just says “in this county this week, there were these many cases of people who complained of having recent cough symptoms” and so forth.

This is part of the Facebook Data for Good project, and I certainly believe that this is data for good.

Indu Subaiya: And Farzad, what is your hope as these teams come forward with these ideas? Where can these findings be deployed? And what is your vision for where it goes from here outside of the challenge?

Farzad Mostashari: Our hope is that these become just a part of the, alongside deaths and cases and hospitalizations, it’s just part of what people look at. So when you go to COVID tracking or COVID Exit Strategy or the Hopkins site or the CDC, or when states or cities or governors are looking at their data, this is one of the factors that they also consider. But also the public. As Tom Frieden likes to say, “When you check the weather to see if you should take an umbrella, you should be checking a website that tells you what’s going on with COVID activity in your community”-  that can help guide many of the decisions that we have to make, unfortunately on a daily basis, until we have herd immunity or a vaccine, or both.”

Indu Subaiya: Absolutely. So some real, very impactful outcomes expected from this challenge. It’s not just an academic exercise. Folks evaluating the finalists will be looking for how to adopt these algorithms and these visualizations into their public health dashboards, into their decision making processes. So it’s a really incredibly exciting opportunity.

One of the things this challenge will be doing is inviting people to join a Slack channel so that they can communicate with each other. We don’t see this as a one-time submission and then off you go, but really as a means to engage the community. That’s always been at the forefront of what you’ve evangelized with the health technology community.

Farzad Mostashari: None of us are as smart as all of us.

Indu Subaiya: We’ll go live today. And I just wanted to have a chance for you, Farzad, to share the vision behind it and what good looks like. So we’re really excited to be helping support the challenge mechanism itself here at Catalyst. So thank you so much.

Farzad Mostashari: And thank you and the team for helping sponsor this. And I hope the contestants will have a wonderful experience.

Farzad Mostashari is CEO of Aledade, former National Coordinator for Health Information technology, and former Deputy Commissioner at the New York City Department of Health and Mental Hygiene

Fine print: Participation subject to Official Rules NO PURCHASE NECESSARY TO ENTER/WIN. A PURCHASE WILL NOT INCREASE YOUR CHANCES OF WINNING. Entry deadline September 29th, 2020 at 11:59:59 pm EDT. Open to legal residents US and worldwide who are at least the age of majority in their jurisdiction of residence, excluding Crimea, Cuba, Iran, Syria, North Korea, Sudan, or other countries or regions subject to U.S. export controls or sanctions. Void where prohibited by law. Participation subject to Official Rules. See Official Rules for entry requirements, judging criteria and full details. Administrator: Health 2.0 LLC. Sponsor: Facebook, Inc. Partners: Duke Margolis Center for Health Policy, Carnegie Mellon University, University of Maryland, and Resolve to Save Lives.

This article originally appeared in the American Bar Association’s Health eSource here.

By KIRK NAHRA

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Congress is debating whether to enact a national privacy law.  Such a law would upend the approach that has been taken so far in connection with privacy law in the United States, which has either been sector specific (healthcare, financial services, education) or has addressed specific practices (telemarketing, email marketing, data gathering from children).  The United States does not, today, have a national privacy law.  Pressure from the European Union’s General Data Protection Regulation (GDPR)¹ and from California, through the California Consumer Privacy Act (CCPA),² are driving some of this national debate.  

The conventional wisdom is that, while the United States is moving towards this legislation, there is still a long way to go.  Part of this debate is a significant disagreement about many of the core provisions of what would go into this law, including (but clearly not limited to) how to treat healthcare — either as a category of data or as an industry.

So far, healthcare data may not be getting enough attention in the debate, driven (in part) by the sense of many that healthcare privacy already has been addressed.  Due to the odd legislative history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),³ however, we are seeing the implications of a law that (1) was driven by considerations not involving privacy and security, and (2) reflected a concept of an industry that no longer reflects how the healthcare system works today.  Accordingly, there is  a growing volume of  “non-HIPAA health data,” across enormous segments of the economy, and the challenge of figuring out how to address concerns about this data in a system where there is no specific regulation of this data today.

The substantial history behind the HIPAA experience to date also provides meaningful insight into how a future privacy law could work.  There are critical elements of HIPAA that have worked well  — for both consumers and industry — and from which we may take lessons for the future.  At the same time, the gaps in HIPAA’s protections — mainly the result of a legislative accident and significant technological and industry change — have grown to largely untenable levels. These gaps have led to a broad range of entities that create, use, and disclose healthcare information outside of the reach of the HIPAA Rules.  This growing range of non-HIPAA health data needs to be addressed in some way.

This leads to the national debate.  There are a variety of approaches that are being applied today to healthcare.  This article will explore some of the models to date, and reviews other efforts to provide standards for the treatment of healthcare data.  In addition, this article will look at a new challenge — the usefulness of data that does not seem to be about our health in the healthcare industry. The primary goal of this article is to identify these issues and begin (or, to be fair, continue) a dialogue (although one that has largely stalled and then been taken over by the broader national privacy law debate) on how these principles should be applied to protect consumers while at the same time permit the critical healthcare industry to move forward effectively and efficiently.  

Setting the Stage

The HIPAA Privacy Rule⁴ has set the standard for the privacy of healthcare information in the United States since the Rule went into effect in 2003.  Despite criticism from various directions, it has fundamentally reshaped the privacy and security environment for the healthcare industry by creating a set of national baseline standards across the healthcare industry.

Yet, from the beginning the HIPAA Privacy Rule has had important gaps.  The Privacy Rule was the result of a series of Congressional judgments about “scope,” driven by issues having nothing to do with privacy, such as the portability of health insurance coverage and the transmission of standardized electronic transactions.  As a result of the HIPAA statute, the U.S. Department of Health and Human Services (HHS) only had the authority to write a privacy rule focused on HIPAA “covered entities”  (healthcare providers, health plans and healthcare clearinghouses) —meaning that certain segments of relevant industries that regularly use or create healthcare information, such as life insurers or workers compensation carriers, were not within the reach of the HIPAA Rules.  Therefore, the HIPAA Privacy Rule and the other HIPAA Rules  have always been “limited scope” Rules, rather than a general health information privacy regulation.  Bound by the statutory framework, the Privacy Rule focuses on “who” had one’s healthcare information rather than the information itself.⁵

In the beginning, while critical gaps certainly existed, these gaps were somewhat limited, and large components of the healthcare industry — including most healthcare providers and health insurers — were covered by the HIPAA Rules.  What has changed in recent years is the enormous range of entities that create, use, and disclose healthcare information outside of the reach of the HIPAA Rules. The system now has reached (and passed) a tipping point on this issue, such that there is enormous concern about how this “non-HIPAA” healthcare data is being addressed, and how the privacy interests of individuals are being protected (if at all) for this non-HIPAA healthcare data.

So, what exactly is the problem?  Because of the limited scope of the HIPAA statute, a broad range of entities that collect, analyze, and disclose personal health information are not regulated by the HIPAA Rules. For example, numerous web sites gather and distribute healthcare information without the involvement of a covered entity (meaning that these web sites are not covered by the HIPAA  Rules).  These range from commercial health information web sites, to patient support groups, to personal health records.  There has been  a significant expansion of mobile applications directed to healthcare data or offered in connection with health information or overall wellness.  The entire concept of wearables post-dates the HIPAA Rules and generally such wearables fall outside the scope of the HIPAA Rules. The growing expansion of “direct to consumer” healthcare activities primarily avoid regulation by the HIPAA Rules. A wide range of the largest tech companies in the world also are becoming involved — to varying degrees and through varying means — in the collection and analysis of health-related data.  Unless a HIPAA covered entity is involved, these activities generally are outside of the scope of the HIPAA Rules, and are subject to few explicit privacy requirements (other than general principles such as the idea that you must follow what you say in a privacy notice and have reasonable and appropriate security practices).⁶

In addition, as “patient engagement” becomes an important theme of healthcare reform, there is increased concern about how patients view such uses of data, and whether there are meaningful ways for patients to understand how their data is being used.⁷  The complexity of the regulatory structure (where protections depend on sources of data rather than “kind” of data), and the difficulty of determining data sources (which are often difficult, if not impossible, to determine), has led to an increased call for broader but simplified regulation of healthcare data overall.  There are meaningful situations across the healthcare spectrum that involve data that is protected by HIPAA at one point and then, through permitted disclosures, no longer receives the protections of the HIPAA Rules.  These growing gaps call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.

At the same time, there also has been an increased usage by HIPAA covered entities of personal data that would not traditionally be viewed as “healthcare information.”  As just one example, the New York Times reported on “health plan prediction models” that use consumer data obtained from data brokers, such as income, marital status, and number of cars owned, to predict emergency room use and urgent care needs.⁸  A 2013 study by the SAS Institute⁹ found that television usage patterns, mail order buying habits and investments in stocks and bonds were all variables with predictive power to understand patient risks for particular health outcomes. This kind of information usage by HIPAA covered entities — relying on data that is not traditionally viewed as healthcare information and which is widely available outside of healthcare contexts and for a wide variety of non-healthcare usages — threatens to blow up the concept of what “health information” means.

This convergence of data creation and usage is leading to an increasing debate about what should be done, if anything, about this non-HIPAA healthcare data and the application of the HIPAA Privacy Rule to data that does not directly involve the provision of healthcare.  It is clear that this debate will be ongoing and extensive.  It is not clear at all what the results of the debate will be.

Today’s Discussion

Moving to the current debate about a national privacy law.  Driven by the GDPR, the CCPA, and a broad variety of privacy and data security “scandals” involving tech companies, large scale security breaches and the like, there has been a more extensive debate about a national privacy law than at any point in American history.  How can the approach taken for healthcare data help guide this discussion? 

What can be Learned from the HIPAA Model?

For better or worse, the core elements of the HIPAA Rules can be summarized as follows.  The HIPAA Rules incorporate a specific set of covered entities — those companies (or perhaps individuals) directly subject to the law.  By defining a set of regulated entities, HIPAA is typical of the U.S. approach to privacy law, which is one that has favored sector-specific regulation.  It then incorporates a means of addressing service providers (first by contract, then by law after legislative change).¹⁰

One of the key choices in the development of the HIPAA Privacy Rule — one that can be an enormously useful model in the development of a national privacy law — involves the approach to consumer consent and the related ability of these covered entities to use and disclose regulated information.  The idea of “consent” under the HIPAA Privacy Rule is straightforward – consent is presumed for certain key areas for uses and disclosures of personal information, tied to “normal” operations of the healthcare industry.  For this set of purposes — Treatment, Payment and Health Care Operations — consent is presumed under the law.¹¹  (Note that, unlike some other laws such as the Gramm-Leach-Bliley Act,¹² which focuses its privacy obligations on disclosures of personal information, the HIPAA Privacy Rule applies to both uses and disclosures of information).  This defined set of “permitted” purposes is tied both to normal activities that we want to encourage in the healthcare system (for the benefit of all healthcare stakeholders) and to effective operations of the healthcare system, consistent with consumer expectations.  Note that this idea of “appropriate” purposes for permitted disclosures seems consistent with the idea of “context,” which has emerged in the Obama Administration Consumer Privacy Bill of Rights¹³ and other emerging views on a future privacy law.

The HIPAA Privacy Rule  also permits disclosures for certain public policy purposes under section 512 of the HIPAA Privacy Rule, such as public health and regulatory investigations, where consumer consent is viewed as not directly relevant.  All other uses and disclosures are permitted only with explicit patient permission.¹⁴ 

The HIPAA Privacy Rule  incorporates a series of individual rights with a continuing focus on the importance of access to the consumer’s information. There are a series of administrative requirements.  The HIPAA Rules also include a separate set of security principles and a breach notification rule.  There is primary civil enforcement through the HHS Office for Civil Rights, potential criminal enforcement through the Department of Justice, and parallel civil enforcement through state attorneys general.  There is no private right of action.

Other Healthcare Privacy Regimes

How else can the privacy of healthcare information be addressed?  Remember, HIPAA is not really a health information privacy rule — it is a rule that protects certain information in certain contexts when held by certain kinds of entities. Other regimes have chosen different approaches to healthcare privacy.

GDPR

GDPR takes a very different approach from HIPAA.  Under GDPR, health information is treated as sensitive data, but there are no specific requirements for the healthcare industry per se.  GDPR is therefore both broader and narrower than HIPAA in its approach.  It applies to more kinds of entities that have or use health information, but applies to less information than if that information were held in the United States by a covered entity (for example, a name or social security number held by a U.S. hospital is protected by HIPAA, while such information would not be health information under GDPR).  There is very little additional consideration in GDPR of the healthcare industry on its own.   

The California Medical Information Act

Some states have their own laws that mirror HIPAA to some extent. Technically, HIPAA sets a federal floor for privacy protection. It preempts weaker state laws but permits more stringent laws that provide greater privacy protections. California, for example, has the Confidentiality of Medical Information Act (CMIA).¹⁵  This is a freestanding law different from CCPA (described below) that is parallel to HIPAA. It clearly includes many HIPAA covered entities and business associates, but also includes additional entities that are not subject to HIPAA. It is extremely challenging — to say the least — to evaluate the differences between the HIPAA Rules and the CMIA for HIPAA covered entities (and very difficult to apply the law to other kinds of entities that appear to be subject to it), as the CMIA incorporates some portions of the HIPAA Rules, adds other items, subtracts some, and writes others in different ways using similar but not identical words for similar practices.  The approach of this law is to define the healthcare industry in its own way, and then to impose a similar set of use and disclosure limitations on that industry.  The defined industry not only includes the healthcare providers and health plans subject to HIPAA, but also includes:

Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information, in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the  individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.  California Code, Civil Code – CIV § 56.06(b).

There is a somewhat analogous law in Texas¹⁶ (analogous both as to the CMIA’s broader scope and its overall ambiguity about who it applies to and confusion about how it is similar to or different from the HIPAA Rules.). 

CCPA

Then, since California is not confusing enough for healthcare, we now superimpose CCPA on the existing structure.  CCPA is a general, all-purpose privacy law generally applicable to all personal information of California residents. As a general matter, CCPA exempts entities covered by HIPAA.  It exempts covered entities for any HIPAA covered data, and business associates for their HIPAA activities (so an accounting firm that provides services to hospitals is exempted for that work, but not for its work involving banks or retailers). Intriguingly, it also exempts entities covered by the CMIA.  CCPA does seem to cover certain medical information that is held by entities that are not subject to HIPAA or the CMIA. Presumably, the collective approach in California covers all healthcare information in some way (with the potential exception of certain employer-collected health information not subject to HIPAA). CCPA, however, is emphasizing the challenges for an industry that now regularly crosses the lines for these different laws because of the business and compliance challenges of applying different standards to the same or similar business practices, depending on details about particular business relationships or data flows. 

Federal Concepts So Far

At the federal level, one is starting to see a variety of approaches to the overall question of national privacy legislation.  While healthcare has not recently been a focus of this debate, each approach has its own perspective on healthcare and health information, along with its own strengths and weaknesses.

The Klobuchar/Murkowski Proposal¹⁷ is the only current legislative proposal that focuses on the issue of non-HIPAA health data. It creates a focused solution to the scope problems left by HIPAA’s legislative history.  While recognizing the problem, it takes a “first step” approach to a solution: it requires a task force and then regulations “to help strengthen privacy and security protections for consumers’ personal health data … collected … by consumer devices.”¹⁸  It provides a specific set of topics for regulators to consider under the legislation. This proposal  targets this current gap, but would not create a uniform set of rules across the industry, as there would still be different rules for data covered by the HIPAA Rules compared to non-HIPAA data.

Other approaches are more general, and take varying approaches to how a new law would intersect with HIPAA. The Wyden bill¹⁹ is mainly focused on expanding and increasing Federal Trade Commission (FTC) authority. This bill would presumably allow the FTC to treat non-HIPAA companies the same as other companies under their existing standards, and does not challenge the FTC’s authority in connection with HIPAA covered entities.   

The Intel proposal — a carefully thought-through private sector initiative — primarily focuses on modified and expanded FTC authority as part of its broad overall approach to privacy regulation.²⁰  It includes some specific requirements related to health information. It provides certain preemption, but not for laws that go beyond HIPAA.  It excludes HIPAA covered entities generally.

Another approach from Senator Schatz²¹ defines “sensitive data” to include healthcare data.  Again, its focus seems to be on the FTC.  However, unlike other proposals, the obligations seem to be superimposed on HIPAA.

Senator Rubio’s proposal²² includes medical history and biometrics as categories of data subject to the law but not health data overall.  It generally exempts entities subject to HIPAA and preempts state law.

The broader Senator Markey privacy proposal²³  includes health information among the protected data elements.  While the language is somewhat unclear, it seems to apply in addition to HIPAA.

In the House, Congresswoman DelBene has introduced “The Information Transparency & Personal Data Control Act.”²⁴ This proposal creates a wide range of obligations related to “sensitive personal information,” including health information, but does not otherwise address the healthcare industry per se.  These provisions appear to be imposed on top of HIPAA, and there is an explicit carve-out from the preemption provision for state laws that are more stringent than HIPAA.

Where Are We Now?

There will be  significant debate over the next few years on the future of a federal privacy law.  While it might be possible for a healthcare “fix” to move separately, that seems unlikely at this point.

In thinking about the gaps in the current HIPAA structure, there are several options.  Moving from “most limited” to “broadest” in application, we could see specific proposals approaching this issue in the following ways:

• A specific set of principles applicable only to non-HIPAA healthcare data (with an obvious ambiguity about what “healthcare data” would mean);
• A set of principles (through an amendment to the scope of HIPAA or some new law) that would apply to all healthcare data; or
• A broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA Rules), with recognition that it is increasingly difficult to identify “healthcare information.” 

In parallel consideration, a national privacy law could:

• Exempt the healthcare industry to the extent regulated by HIPAA;
• Include new provisions that apply to HIPAA covered entities in addition to the existing HIPAA provisions; or 
• Replace HIPAA with a new structure covering all healthcare information. 

At a minimum, it is anticipated that any new national privacy law would cover non-HIPAA healthcare data (and entities) but, unless a broader approach to health information is taken, would continue the status quo of different standards depending on who is holding the health information. 

Conclusion

Despite the importance of the healthcare industry, the HIPAA Rules, and health information to the overall debate about individual privacy, healthcare has not been a leading factor in the current national privacy legislative debate. This is unfortunate and can lead to problems for both the healthcare industry and a variety of other stakeholders interested in healthcare data and the privacy of this data.  The HIPAA rules — because of their detail and our broad experience with them since their implementation  — can provide some useful experience in evaluating the national debate, particularly in the HIPAA Privacy Rule’s approach to consent and the use and disclosure of covered information. 

In general, the healthcare industry and most relevant stakeholders are comfortable with the HIPAA Rules’ approach and the overall impact of the rules on the operation of the healthcare industry and the protection of patient data. Despite this comfort, the healthcare industry and these other stakeholders (including government, employers, researchers, patients and general consumers) need to consider what the next phase of privacy protection for health information should be.  The current status quo — where the protection of health information depends dramatically on who holds the information — likely may persist in a national privacy law setting.  That has important implications for consumers and for the healthcare industry. These differing standards create confusion and complexity that easily could be reduced through a common standard.  These same challenges emerge in the discussion over preemption: if a national privacy law preempts state law, but HIPAA covered entities are not subject to the national law, then presumably they will remain subject to state law.  The healthcare industry should be evaluating whether a common standard — even if different from the HIPAA Rules — would be better for the industry and for consumers.

Today, while the healthcare industry, the patient community, and broad variety of interested stakeholders all pay close attention to these privacy programs and the overall protection of patient data, this perspective is not obviously a part of the expanding national debate.  This is a mistake.  Both those in Congress and the healthcare industry need to be focusing on these issues involving health information, and should be thinking about the important role of privacy protection for health information in the broader context of an appropriate national privacy law.

Kirk Nahra is a Partner with WilmerHale in Washington, D.C. where he co-chairs their global Cybersecurity ad Privacy Practice. 

Footnotes

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, available at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679 (effective May 2018).
2. The California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (effective January 1, 2020).
3. Health Insurance Portability and Accountability Act of 1996, P.L.104–191.
4. The “HIPAA Rules” mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.  The HIPAA Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R., part 160 and part 164, subparts A and E.  The HIPAA Security Rule is the HIPAA Security Standards (45 C.F.R. Parts 160 and 164, Subpart C). The HIPAA Breach Notification Rule is the Notification in the Case of Breach of Unsecured Protected Health Information, as set forth at 45 C.F.R. Part 164 Subpart D.  
5. As part of the rules implementing the provisions of the HITECH Act of 2009, which amended HIPAA, the “reach” of the HIPAA Rules was extended in part to “business associates,” but this extension did not change the need to have a relevant “covered entity” involved in any collection of information. 
6. An important HHS publication tried to define the scope of regulation for this non-HIPAA health data.  This report is very useful, although the relevant guidelines and provisions evolve regularly.  See Department of Health and Human Services, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” available at https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.
7. Substantial questions remain about whether patients appropriately can access their own health information.  See McGraw, “The Patient Record Scorecard: What is it and Why we did it,” (Aug. 14, 2019), available at https://www.ciitizen.com/the-patient-record-scorecard-what-is-it-and-why-we-did-it/.  
8. See, e.g., Singer, “When a Health Plan Knows How You Shop,” (New York Times June 28, 2014), available at http://www.nytimes.com/2014/06/29/technology/when-a-health-plan-knows-how-you-shop.html?_r=0. 
9. Garla et al., “What do your consumer habits say about your health risk? Using third-party data to predict individual health risk and costs,” Paper 170-2013, SAS Global Forum (2013), available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.381.2705&rep=rep1&type=pdf).  
10. The original HIPAA Privacy Rule created the concept of business associates, who are service providers to covered entities.  In the HITECH Act, Congress extended the scope of coverage for portions of the HIPAA Rules to apply directly to these business associates. 
11. 45 C.F.R § 164.506(a).
12. P.L. 106–102, 113 Stat. 1338, enacted November 12, 1999.
13. The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012), available at https://obamawhitehouse.archives.gov/sites/default/files/privacy-final.pdf (Appendix A). 
14. 45 C.F.R. § 164.502(a).
15. CALIFORNIA CIVIL CODE §§ 56-56.16.
16. TEXAS HEALTH & SAFETY CODE § 181.001 et. seq (“Texas Medical Privacy Act”).
17. S. 1842, 116th Congress, “Protecting Personal Health Data Act,” available at https://www.congress.gov/bill/116th-congress/senate-bill/1842.
18. S. 1842, SEC. 4(a).
19. “Consumer Data Protection Act’’ (discussion draft), available at https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf. 
20. Intel, “Draft Model Privacy Law,” available at https://usprivacybill.intel.com/legislation/
21. S.3744, “Data Care Act of 2018,” available at https://www.congress.gov/bill/115th-congress/senate-bill/3744.
22. S.142, “American Data Dissemination Act,” available at https://www.congress.gov/116/bills/s142/BILLS-116s142is.pdf.
23. S.1214, “Privacy Bill of Rights Act,” available at https://www.congress.gov/116/bills/s1214/BILLS-116s1214is.pdf.
24. H.R. 2013 116th Congress, available at https://www.congress.gov/bill/116th-congress/house-bill/2013/text. 

After absorbing several years of increasingly extravagant promises about the remarkable potential of digital health, investors, physicians, and other stakeholders are now unabashedly demanding: “Show me the data.”

By now, most everyone appreciates the promise of digital health, and understands how, in principle, emerging, patient-focused technologies could help improve care and reduce costs.

The question is whether digital health can actually deliver.

A recent NIH workshop, convened to systematically review the data on digital health, acknowledged, “evidence is sparse for the efficacy of mHealth.”

As Scripps cardiologist Eric Topol and colleagues summarized in JAMA late last year,

“Most critically needed is real-world clinical trial evidence to provide a roadmap for implementation that confirms its benefits to consumers, clinicians, and payers alike.”

What everyone’s asking for now is evidence – robust data, not like the vast majority of wellness studies that experts like Al Lewis and others have definitively shredded.

The goal is to find solid evidence that a proposed innovation actually leads to measurably improved outcomes, or to a material reduction in cost.  Not that it could or should, but that it does.

Applications ranging from GPS-enabled asthma inhalers to cloud-based EMR services to iPhone-based medical diagnostics typically highlight the transformative potential of these technologies, and often emphasize the exceptional value said to reside in all the collected data.  It might even be true – but let’s see the evidence.

Given the striking disparity between digital health’s breadth and depth, between the sheer number of health-oriented apps and the data that even a handful of these products really do something substantial, it’s not unreasonable to presume digital health gadgets are, at best, amusing wellness devices — wellutainment — until proven otherwise.

However, before we get too self-righteous in our critique of the digital health evidence base, we might take a moment to recognize how fragile the data are for much of what we do in medicine. The evidence for the utility of digital health devices may be weak to non-existent, but it’s not much better for a startling number of medical tests and procedures.

A major study published by Vinay Prasad and colleagues last year, for example, found that about 40% of established medical practices failed to stand up to scrutiny when deliberately studied.   In an accompanying editorial, legendary Stanford statistician John Ioannidis observed, “the introduction of interventions with limited or no evidence of benefit continues at a fast pace,” adding,

“Once we divert beyond traditional treatments (eg drugs or devices) to diagnostic tools, prognostic markers, health systems, and other health care measures, randomized trials are a rarity.  For example, it has been estimated that, on average, there are only 37 publications per year of randomized trials assessing the effectiveness of diagnostic tests.”

The results of such careful testing can often be surprising; for example, for years, it was standard practice to utilize a pulmonary artery catheter (PAC) to optimize the care of critically-ill patients, before randomized controlled studies demonstrated the intervention was generally of little value.  A recent “obituary” for the procedure concluded, “there is no evidence that the use of the PAC has improved patients outcomes.”

The real issue, then, isn’t whether digital health is being excessively scrutinized: we unquestionably should continue to demand evidence for efficacy and impact.  But we – entrepreneurs, investors, care providers, stakeholders — also should recognize what an incredibly high bar this represents, a bar many traditional and long-established medical interventions and approaches would likely fail to clear.

David Shaywitz is co-founder of the Center for Assessment Technology and Continuous Health (CATCH) in Boston. He is a strategist at a biopharmaceutical company in South San Francisco. Shaywitz is also co-authored of recently published book, Tech Tonics: Can Passionate Entrepreneurs Heal Healthcare With Technology, available from Amazon here. You can follow him at his personal website.

Related Posts

Can Entrepreneurs “Cure” Health Care With Technology?

2012 Digital Health Investment Activity: The View From the Valley

Seriously: Is Digital Health The Answer To Tech Bubble Angst?

Who owns a patient’s health information?

• The patient to whom it refers?
• The health provider that created it?
• The IT specialist who has the greatest control over it?

The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.

All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:

“Come to think of it, there’s a certain class of rhetoric I’m going to call the ‘one-way hash‘ argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of ‘fingerprint’ for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo. Certain bad arguments work the same way — skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible — even somewhat intuitive — to the layman and sounds as though it might qualify as some kind of insight … The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.”

The question “Who owns the data?” presumes that the notion of ownership is valid, and it jettisons those foolish enough to try to answer the question into a needless circular debate. Once you mistakenly assume that the question is answerable, you cannot help but back an unintelligible position.

Ownership is a poor starting point for health data because the concept itself doesn’t map well to the people and organizations that have relationships with that data. The following chart shows what’s possible depending on a given role.

Click to view larger image

Ergo, neither a patient nor a doctor nor the programmer has an “ownership” relationship with patient data. All of them have a unique set of privileges that do not line up exactly with any traditional notion of “ownership.” Ironically, it is neither the patient nor the provider (when I say “provider,” this usually means a doctor) who is closest to “owning” the data. The programmer has the most complete access and the only role with the ability to avoid rules that are enforced automatically by electronic health record (EHR) software.

So, asking “who owns the data?” is a meaningless, time-wasting, and shallow conceptualization of the issue at hand.

The real issue is: “What rights do patients have regarding healthcare data that refers to them?” This is a deep question because patient rights to data vary depending on how the data was acquired. For instance, a standalone personal health record (PHR) is primarily governed by the end-user license agreement (EULA) between the patient and the PHR provider (which usually gives the patient wildly varying rights), while right to a doctor’s EHR data is dictated by both HIPAA and Meaningful Use standards.

Usually, what people really mean when they say “The patient owns the data” is “The patient’s needs and desires regarding data should be respected.” That is a wonderful instinct, but unless we are going to talk about specific privileges enabled by regulation or law, it really means “whatever the provider/programmer holding the data thinks it means.”

For instance, while current Meaningful Use does require providers to give patients digital access to summary documents, there is no requirement for “complete” and “instant” access to the full contents of the EHR. While HIPAA mandates “complete” access, the EHR serves to make printed copies of digitized patient data completely useless. The devil is in the details here, and when people start going on about “the patient owning the data,” what they are really doing is encouraging a mental shortcut that cannot readily be undone.

By DANI BRADLEY MS, MPH 

The United States is the only developed nation in the world with a steadily increasing maternal mortality rate — and C-sections are to blame. Nearly 32% of babies are born via C-section in the United States, a rate of double or almost triple what the World Health Organization recommends. While C-sections are an incredibly important life-saving intervention when vaginal delivery is too dangerous, they are not devoid of risks for mom or for baby. Hospitals and doctors alike are aware, as it’s been widely reported that unnecessary C-sections are dangerous — and hospitals and doctors agree that the number one way to reduce this risk is to choose a delivery hospital with low a C-section rate. However, information on hospitals’ C-section rates is incredibly hard to find, which leaves women in the dark as they try to make this important choice.

In an effort to help women make informed decisions about where to deliver their babies, we set out to collect a comprehensive, nationwide database of hospitals’ C-section rates. Knowing that the federal government mandates surveillance and reporting of vital statistics through the National Vital Statistics System, we contacted all 50 states’ (+Washington D.C.) Departments of Public Health (DPH) asking for access to de-identified birth data from all of their hospitals. What we learned might not surprise you — the lack of transparency in the United States healthcare system extends to quality information, and specifically C-section data.

After contacting 51 DPHs, 44 departments provided some level of birth data upon request — but the majority of those shared C-section rates for their state’s counties or districts, which doesn’t help when a patient needs hospital-specific data in order to select where she’ll deliver. Some states, such as Alabama, California, Massachusetts, Pennsylvania, Vermont, and West Virginia, have very transparent data-sharing practices, posting the vital data on their websites for the public to access and use. Other states, such as Wisconsin, Missouri, and Nebraska, put obstacles to accessing their data in place, including charging fees, requiring a signed data use agreement, and sometimes demanding institutional review board exemption. Still, six states — Illinois, Kentucky, Georgia, Wyoming, and Connecticut — outright refused to share their data, citing verbiage in their state’s statutes as the rationale.

Type of data shared from each state’s Department of Public Health

While it’s clearly difficult for patients to access these quality data on their own, thankfully there are organizations working to address the issue of unnecessary C-sections head-on. On the West Coast, the California Health Care Foundation developed a comprehensive initiative to reduce unnecessary C-sections, and on the East Coast, Ariadne Labs, a research group out of Harvard Medical School, has an entire department devoted to “Addressing the world’s most common and consequential surgical error: the decision to perform a C-section.” While these programs are making great strides, the U.S. could be doing a lot more to give the patient a voice and promote informed healthcare decision-making.

For organizations who want improve health outcomes, reduce healthcare spending, or enhance patients’ interactions with the healthcare system, allowing access to a comprehensive, accurate dataset of hospital C-section rates should be a top priority. The publication of C-section data at the hospital level would allow women to make informed decisions about their healthcare, mitigate unnecessary adverse outcomes, and reduce healthcare spending. Public data might also help influence change among healthcare providers and hospitals. Healthcare advocates, payers, patients, researchers, and the public alike need to band together to change this opacity. Mothers’ lives depend on it.

If you’ve yet not discovered Alexis Madrigal’s fascinating Atlantic article (#longread), describing “how a dream team of engineers from Facebook, Twitter, and Google built the software that drove Barack Obama’s re-election,” stop right now and read it.

In essence, a team of technologists developed for the Obama campaign a robust, in-house platform that integrated a range of capabilities that seamlessly connected analytics, outreach, recruitment, and fundraising.  While difficult to construct, the platform ultimately delivered, enabling a degree of logistical support that Romney’s campaign reportedly was never able to achieve.

It’s an incredible story, and arguably one with significant implications for digital health.

(1) To Leverage The Power of Data, Interoperability Is Essential

Data are useful only to the extent you can access, analyze, and share them.  It increasingly appears that the genius of the Obama campaign’s technology effort wasn’t just the specific data tools that permitted microtargeting of constituents, or evaluated voter solicitation messages, or enabled the cost-effective purchasing of advertising time. Rather, success flowed from the design attributes of the platform itself, a platform built around the need for inoperability, and guided by an integrated strategic vision.

It’s no secret that the greatest problem in health IT may be the challenge of interoperability, and the difficulty of sharing and accessing information in an easily actionable way (see here and here).  It also seems apparent that without seamless communication, and a clear view of what each end-user wants and requires, many of the powerful benefits of big data are certain to be lost.  It’s possible that established and emerging standards will be enough to enable robust sharing; if not, it’s easy to envision how a platform that successfully integrates a range of mediocre functionalities might easily drive out competitors offering more elegant but “stand-alone” functionalities.

(2) Drive Key Enabling Technologies, Don’t Wait For Them

As companies watch new and potentially important technologies come down the pike, they’re faced with an important decision: do they try to develop the capability internally (build), or should they purchase it from a vendor (buy)?    It’s clear from Madrigal’s article that a pivotal decision made by the Obama campaign was to build, and to recruit the world’s best developers to their organization.

I’ve previously argued that while big pharmas might benefit from this exact strategy – recruiting A-league players in big data — they instead seem prepared to watch from the sidelines, content for now to outsource this capability to large vendors.  Although ostensibly safe, this sounds suspiciously similar to the campaign strategy adopted by another seasoned corporate executive; his story did not end well.  While it would be imprudent to generalize from this one example, and it would be equally foolish to believe you can or should build everything from scratch, the contrasting campaign decisions, and fates, certainly highlight the risk of waiting for key enabling technology, rather than driving its development.

(3) Technology+Purpose=Awesome

It’s clear that while the team of engineers started the campaign project with mad tech skills, they were elevated and inspired by the sense they were working on something important and meaningful.  “They learned,” wrote Madrigal, “what it was like to have — and work with people who had –  a higher purpose than building cool stuff.”

It’s hard to imagine a more compelling purpose than using digital technologies to improve health.

David Shaywitz is co-founder of the Center for Assessment Technology and Continuous Health (CATCH) in Boston.  He is a strategist at a biopharmaceutical company in South San Francisco. You can follow him at his personal website. This post originally appeared in Forbes.

U.S. Sen. Charles Grassley (R-Iowa) sent a letter today to the Health Resources and Services Administration, criticizing its decision to remove a public version of the National Practitioner Data Bank, which has helped reporters and researchers to expose serious gaps in the oversight of physicians.

“Shutting down public access to the data bank undermines the critical mission of identifying inefficiencies within our health care system – particularly at the expense of Medicare and Medicaid beneficiaries,” Grassley wrote to HRSA Administrator Mary Wakefield. “More transparency serves the public interest.”

Grassley, ranking Republican on the Senate Judiciary Committee, continued: “Generally speaking, except in cases of national security, the public’s business ought to be public. Providers receive billions of dollars in state and federal tax dollars to serve Medicare and Medicaid beneficiaries. Accountability requires tracking how the money is spent.”

The National Practitioner Data Bank is a confidential system that compiles malpractice payouts, hospital discipline and regulatory sanctions against doctors and other health professionals. For years, HRSA has posted aggregate information from the data bank in a Public Use File that did not identify individual providers.

HRSA officials removed the public file from the data bank website last month because a spokesman said they believe it was used to identify physicians inappropriately. The Association of Health Care Journalists has protested the action, along with Investigative Reporters and Editors, Society of Professional Journalists, National Association of Science Writers, Reporters Committee for Freedom of the Press, and National Freedom of Information Coalition.

Grassley’s letter comes days after the official who created the Public Use File in the mid-1990s and managed it until 2008 said that HRSA was “erroneously interpreting the law” governing the data bank by removing the public version.

In a letter to AHCJ, Robert Oshel said HRSA officials have confused the requirements of the law.

“HRSA’s current management seems to confuse the law’s requirement that a public data file not permit use of its records to identify individual practitioners with a very different requirement, and one not in the law: that the file not allow the records of previously identified practitioners to be identified in the file,” Oshel wrote.

Oshel further wrote that HRSA’s view will “seriously hinder use of the file for important public policy research.”

“It seems disturbing and bizarre that HRSA would attempt to chill a reporter’s First Amendment activity with threats of fines for merely ‘republishing’ public information from one source and connecting it with public information from another. A journalist’s shoe-leather reporting is no justification for such threats or for HRSA to shut down public access to information that Congress intended to be public,” Grassley wrote.

Grassley asked Wakefield a series of questions and asked for responses by Oct. 21.

AHCJ President Charles Ornstein called on the Obama administration once again to restore access to the Public Use File. “Using this file, reporters across the country have preparedstories that have exposed holes in the oversight of doctors – and those stories have led to greater transparency and improved patient protections,” he said. “This information needs to be restored now.”

Pia Christensen is managing editor/online services at the Association of Health Care Journalists (AHCJ). She assists with the editing and production of AHCJ’s publications, including books, conference programs and the quarterly newsletter.

This post first appeared at Covering Health, the blog of AHCJ.