Our Perspective on Healthcare Data Challenges
The U.S. healthcare system can be frustrating — for patients, providers, payers, and policymakers. Many of these frustration points are caused by systemic data issues that lead to administrative headaches, higher risk of data exposure, information silos on the provider and payer side, and redundant or ineffective treatments and wasted dollars on the patient side.
These issues are widespread. They’re hard to solve. And addressing them is crucial to the long-term sustainability of our healthcare system.
Here at Nuna, we spend a lot of time thinking about the complexities of healthcare data, and we believe everyone — whether you’re a consumer of healthcare, an industry insider, or someone who manages healthcare benefits for others — should give them some consideration, too. If we want things to change for the better, we need to know what’s happening, why it’s happening, and how we can contribute.
What Are the Core Data Challenges in Healthcare?
When we think about the healthcare landscape today, there are two main categories of data issues that impact patients, providers, and payers:
- Privacy and Security: Every participant in the healthcare system is concerned about protecting sensitive, personal data from exposure. This exposure can happen through unintentional data breaches by healthcare entities, or intentional hacks by malicious third parties.
- Access and Interoperability: If data flowed more freely through the healthcare system, everyone’s lives would be easier. Patients would have fewer paperwork headaches as they move between health systems. Providers would have more insight into their patients’ medical histories when developing care plans. And payers would have a better understanding of members’ entire care journey to inform contracting and care routing.
On the surface, these two categories may seem opposed to one another — but actually, they’re complementary sets of concerns. Kimberly Silverio, Privacy Officer at Nuna, says:
“These concerns are not not necessarily in conflict. It’s critical that healthcare organizations and technology firms work together in reimagining privacy and security controls to ensure that data flows freely, but in a manner that’s more advanced than was envisioned when the current regulatory framework was created.”
How Did We Get Here?
All participants in our healthcare system carry the burden of these data challenges. How did this happen? A unique intersection of rapid technology evolution, slow-moving regulatory and legislative bodies, and widespread lack of accountability got us to where we are today.
Technology Evolution
Until recently, health records and claims were pieces of paper stored at clinics, labs, hospitals, and insurance company offices. This system made it difficult to transfer information from one entity to another, which meant information was locked up in institutional silos. The burden was on the patient to retrieve copies of their records and pass them along to new providers.
As electronic health records (EHRs) and online patient portals replaced traditional paper record keeping, everyone hoped that data would start to flow more freely between systems — or at the very least, make it easier for patients to access their own data. But this largely hasn’t been the case. Even with federal ARRA seed funding to subsidize the purchase of EHRs, MACRA’s standards for Meaningful Use, and subsequent performance payments tied in part to advancing care information as part of the Quality Payment Program, data silos still persist. Now, instead of having data locked up in onsite filing cabinets, it’s locked up in EHRs that don’t talk to one another.
Lindsey McCandless, Director of Quality Measurement at Nuna, says:
“Meaningful Use enabled many providers to put EHR systems in their offices. These EHRs met the overarching requirements, but they weren’t designed to be interoperable. The legislation that established Meaningful Use assumed EHRs were a silver bullet and that provision of medical care was uniform enough that all clinicians, regardless of specialty, would incorporate the technology into their workflows. But it didn’t consider that the infrastructure would vary widely between settings of care, or that requirements placed on providers to successfully attest to Meaningful Use Stages 2 and 3 would require the collaboration of external technology vendors who aren’t subject to the requirements.”
In other words: While EHR adoption is widespread, data isn’t flowing more freely between providers and patients, or between healthcare entities.
These data silos continue to cause problems for patients and providers who need to access information. But more than that, they open up healthcare data to further security and privacy risks. Kimberly says:
“Data silos are not in the best interest of the patient. Although maintaining the privacy and security of segmented data seems to be a simple route to compliance across a wide distribution of covered entities subject to HIPAA and state privacy laws, the scattered and inaccessible data that results from fragmentation, and lack of interoperability between systems, actually works against organizations that want to meaningfully improve healthcare delivery. Patients may be at a higher risk for breaches of their personal information if their PHI is stored in a number of different systems.”
Legislation Gaps
The current laws that govern healthcare privacy, security, and interoperability — namely HIPAA and state-level legislation — haven’t kept pace with the way patient data is generated, stored, and transmitted. Kimberly says:
“Because healthcare privacy laws and regulations were written prior to the advent of patient portals and electronic health records (EHRs), the burden of transferring data between providers is exacerbated. Now we can share data more easily, but the regulatory constructs to appropriately secure and manage the data have been slower to evolve.”
Additionally, statutory provisions like MACRA’s Meaningful Use have significant loopholes that limit their effectiveness. Lindsey says:
“Providers were held accountable for Meaningful Use requirements, but in reality, these requirements were tied to technology features being provided by vendors. A change in the accountability structure so vendors must also meet interoperability and access requirements would be necessary for this to work. There has been discussion about whether there’s a role for the FDA or ONC to regulate rather than provide oversight of EHR technologies, but no one has taken up legislation yet.”
Lack of Accountability
While healthcare organizations are accountable for maintaining the privacy and security of patient data, and for providing patients with access to their own health data upon request, they’re not accountable for making that data available to other entities, or for what happens to that data when another organization accesses it for legitimate reasons.
Since no central entity or organization is accountable for data governance, each participant focuses on their one small part of the data ecosystem — which further contributes to data fragmentation, lack of transparency, and security risks.
“There are likely several reasons why we see these silos, which independently and collectively further the status quo. Currently, health systems have a competitive edge when they maintain patient health data within the system,” says Lindsey. “Data sharing falls outside the clinical workflow for providers, including what data needs to be shared and to whom. Everyone’s afraid of violating HIPAA. And cultural change is hard and requires a top-down commitment, which we haven’t yet seen, likely because the incentives haven’t been sufficient to foster accountability.”
Where is there room for improvement?
The healthcare system won’t make improvements to data security, privacy, and accessibility standards without pressure to change. There are three groups that are well-positioned to apply this pressure: lawmakers, payers, and patients.
Policy Changes
Lawmakers in Washington have ample runway to improve existing legislation governing healthcare security and accessibility. There are a few current proposals that could be promising:
- A proposed rule from ONC outlines illegal data blocking practices, reinforcing other legislation like the 21st Century Cures Act, which makes it illegal for health systems and EHR vendors to interfere with the exchange of health data in order to keep patients within their networks. HHS’s Office of the Inspector General will eventually enforce the info-blocking law, but first ONC must define which practices are exempt. In the interim, CMS is taking the lead on advancing data interoperability and access, hoping that healthcare partners will step in and help advance this initiative.
- The Government Accountability Office (GAO) is putting pressure on CMS to develop tighter data security guidelines for researchers who study Medicare data, similar to the controls it puts on data use by Medicare Administrative Contractors (MACs) or qualified entities. Under the existing guidelines, researchers have more flexibility to independently assess their security risks, but it increases the risk that external entities possessing agency data are failing to meet CMS data security standards.
- SAMHSA led a regulatory effort to modernize outdated regulations that made it difficult for providers to deliver comprehensive care to individuals suffering from substance-use-related illnesses. They recognized that the legal protections against disclosure of alcohol and substance use disorder information actually led to fragmented treatment.
Incentives
“Healthcare data should be considered in two parts: data that benefits the patient, and data that benefits the healthcare organization,” says Kimberly. “Efforts to protect data that benefits the patient should be emphasized over the protection of data that benefits health organizations. Organizations traditionally have benefitted from treating health information as proprietary, leveraging this currency to increase market share or impact in the healthcare industry.”
As healthcare providers and payers continue to move away from fee-for-service and into value-based payment arrangements, provider and payer incentives must change. If everyone is responsible for patient health outcomes and keeping costs down, then improving access to healthcare data will become crucial. Keeping data siloed in a single system to decrease transparency and increase friction for patients trying to seek care elsewhere might be beneficial in a fee-for-service arrangement, but it hurts all of the players in a value-based arrangement where risks and rewards are shared.
Patient Education
While patients may “own” their healthcare data, they often don’t have visibility into who has it, what they’re using it for, or who it’s being shared with. But patients have the power to proactively request more information and advocate for additional protections. Kimberly says:
“Patients are provided with a Notice of Privacy Practices (NPP) whenever they receive services from a healthcare provider who’s subject to HIPAA regulations. Patients have a right to an Accounting of Disclosures, which is a listing of PHI disclosures made that weren’t made for the purposes of treatment, payment, or healthcare operations.
“Additionally, patients should advocate for a more granular description of what constitutes healthcare operations under HIPAA, either individually or through consumer groups. This term is often used as a carte blanche provision for a healthcare entity to disclose PHI to other entities, which may serve the patient as a byproduct but not as the primary purpose of that data use. Patients should request more authentication and tracking of redisclosures so they can understand how their data moves across systems and between providers.”
What’s Nuna Doing to Address These Data Challenges?
No single player in the healthcare system can overcome these monumental data challenges alone. As a technology company, Nuna takes these challenges seriously and works to address them in our data platform and analytics work with government healthcare programs, self-insured employers, health plans, and provider systems. Here’s how:
- Accessibility: We work with clients to improve data interoperability and transparency by creating centralized data warehouses and reporting dashboards. For example, we’re working on T-MSIS, the first cloud-based, centralized repository for Medicaid and CHIP claims at the national level.
- Security: We prioritize a culture of security at Nuna. Not only do we follow stringent protocols and guidelines, but we also employ a high-caliber security team to maintain proactive protection against threats of data leaks and exposures.
- Privacy: We treat data integrity as an ethical obligation, not just a legal one. We collaborate with our clients to ensure that we handle data in a way that upholds their members’ right to privacy.
We believe that solving the data problems underpinning our healthcare system will contribute to making higher-quality, more affordable care accessible to everyone in the long run. These challenges are substantial, but in the end, surmountable. We’re honored to partner with changemakers throughout the system to improve the way data is stored, analyzed, and shared.
Want to take on healthcare data problems? We’re always looking for smart, passionate people to join the Nuna team!
