Wednesday, June 20, 2012
For the last three Junes, HHS has sponsored “Datapaloozas”: summits (otherwise known as the “Health Data Initiative Forum I, II, and III”) designed to highlight the vast resources of health information possessed by the federal government (and elsewhere); to showcase the impressive knowledge to be gained from their use; and to stimulate the development of innovative consumer, community, and industry tools that capitalize on their capabilities. These data summits have so grown in popularity that they are now held in the Washington, D.C., Convention Center. Todd Park, the dynamic former chief technology officer of HHS and now White House chief technology officer, is the enthusiastic champion of these events. “Data liberation” is the rallying call.
These events are moments of genuine excitement. This year’s was keynoted by a speech from HHS Secretary Sebelius, highlighting the importance of innovation in health care. Attended by over 1600 people, the Datapalooza starred “Rockstars” of health care innovation—and also featured the music of at least one more conventional rock star, Jon Bon Jovi. Major sponsors of this year’s Datapalooza were the Robert Wood Johnson Foundation; the California HealthCare Foundation; the Department of HHS; the Institute of Medicine; esri, a commercial provider of geospatial technologies; Healthways, a commercial provider of well-being services; the Jewish Healthcare Foundation; and Feinstein Kean Healthcare, a communications firm serving the health care industry. As this sponsor list indicates, the Datapalooza is of great public health, research, and commercial interest.
A primary feature of these Datapaloozas is prizes for health apps that demonstrate creative marriages of technology and data in the effort of improving individual or community health. At this year’s event, the RWJ Foundation announced that Symcat’s symptom checker was the winner of its $100,000 developer challenge prize. Symcat is a start-up company founded by two medical students at Johns Hopkins that uses “big data” analysis to help consumers make good decisions about their health. Using Symcat, consumers can enter information about their symptoms, receive information drawn from CDC data, and get physician referrals drawn from RWJ data.
Another prize awarded at the Datapalooza is “Go Viral to Improve Health,” a challenge for college and university students offered by the Institute of Medicine. The goal of the challenge is to develop an app or a social networking platform that responds to their community’s health needs. This year’s winner of the $10,000 prize was VaxNation, an app that lets families keep up with their immunizations. At the Datapalooza, Aetna announced another large prize—of $100,000 to be shared between two winners of a challenge to develop apps for Aetna’s CarePass Platform.
Many other apps were also featured at the Datapalooza, some in plenary or breakout sessions and others in a large exhibition space. Among the featured companies were Castlight Health, a “Health Care Shopping breakthrough” allowing consumers and companies to reduce costs; Humetrix, with its iBlueButton app that allows patients to download health information for their providers; MEDgle, a scalable decision support tool for both physicians and patients; and myDrugCosts, an app that allows consumers to search for lower cost generic equivalents of drugs they have been prescribed,
Not all of the featured apps were commercial, either. For example, the Cancer Survivor Query System maintained by the National Cancer Institute allows patients to input individual data to estimate their survival probabilities given different treatment options. This system uses public use data sets to generate the predictive information.
In many respects, these developments are to be celebrated. Open government—and open governmental resources—bring a wide variety of public benefits. But there is a dark side. With data flows and data uses come the obvious data risks—to security, privacy, and confidentiality. HIPAA—the current regulatory structure applying to most of the information gleaned in patient care today—is not up to the Datapalooza challenge, for several important reasons, two of which I’ll highlight in this post.
First, HIPAA simply gives de-identified data a pass. Data that have been de-identified to its standards are not considered protected health information and so do not come within HIPAA’s scope. Most of the data employed by the Datapalooza developers is de-identified data, hence outside of HIPAA. There is much controversy about the likelihood that de-identified data can be re-identified—but agreement that probabilities rise with the combination and increased power of data sets. Combinations—“mash ups”—of data are exactly what the Datapalooza is intended to encourage. Even without re-identification, an additional concern about the use of de-identified data is the probability of drawing reliable inferences about individuals once data cells are sufficiently small and populations sufficiently homogeneous. And there is always the question of whether everyone whose data are involved in a particular use would be happy—or at least not morally outraged—by the use of data drawn from them in that way.
Second, under the HIPAA privacy rule data transfers for public health purposes do not require patient authorization, at least as long as they are public health purposes authorized by appropriate law.
Perhaps this is as it should be, given the importance of public health to communities. Nonetheless, this means that patients may be largely unaware of data flows that are occurring and must trust public health entities to protect data adequately both when data are used by the entities themselves and when the data are made available to others. Without careful agreements to ensure that downstream uses remain appropriate—and supervision to follow up—public data may be at genuine risk.
My goal in this post has not been to downplay the genuine accomplishments of the Datapalooza, nor could it be. But it has been to highlight the variety of activities that are being encouraged, and the importance of adequate security and privacy protections to accompany them. Next year, I would hope to see a “security” or “privacy” challenge at least as rich as the one offered by the IOM to college and university students.