Life Science Compliance Update

February 03, 2016

ICMJE Proposes Data Socialism – Data Utopianism Has its Cracks - Comments Due April 18

The International Committee of Medical Journal Editors (ICMJE) recently put forth a proposed set of new requirements for sharing data generated by interventional clinical trials. The ICMJE believes there is an ethical obligation to responsibly share such data because the participants in the trials put themselves at risk.

Essentially, the ICMJE is proposing that, as a condition of consideration for publication of a clinical trial report in their member journals, the authors must share with others the deidentified individual patient data (IPD) underlying the results presented in the article, including any tables, figures, appendices, and other supplementary material, no later than six months after publication. This proposed requirement will include all data underlying the results of the article's findings, as well as any necessary metadata.

As you can imagine, there are strong opinions on both sides of this proposal. Those arguing for it claim that "many funders around the world – foundations, government agencies, and industry – now mandate data sharing." You know, that whole "everyone else is doing it, we should too" mentality that our parents warned us about when we were younger.

Those who are against it have a multitude of opinions and reasons for being against it. Some go so far as to refer to those who support data sharing as "data parasites," since they latch onto research that has already been painstakingly performed and utilize it for their own purposes.

Analysis

This new proposed rule may sound like a nice idea, having the ability to reexamine high-quality information for the possibility of new information being found, potentially resulting in higher patient satisfaction and longevity. However, as just about anyone who has ever managed clinical studies, performed data collection and analysis, or curated data sets knows, there is a litany of concerns over such a proposal. Dan L. Longo, M.D., and Jeffrey M. Drazen, M.D., penned an editorial laying out some of their concerns from that perspective.

One such concern is that someone who is not involved in the generation and the collection of the data will not understand the choices the researchers made in defining the parameters. Some specific questions raised by Longo and Drazen included, "How heterogeneous were the study populations? Were the eligibility criteria the same? Can it be assumed that the differences in study populations, data collection and analysis, and treatments, both protocol-specified and unspecified, can be ignored?"

A second, very valid concern is that an entirely new class of research person will emerge – someone who had nothing to do with the design and the execution of the study, but uses another group's hard-earned data for their own ends. These "stealers of data" can then use the data to steal research productivity planned by the data gatherers, or even use the stolen data to disprove the original researchers' analysis.

Data sharing may not be all bad, depending on how it is performed and what requirements are in place. Longo and Drazen posit, for example, that if data sharing were to work symbiotically, with collaborators whose collected data might be useful in assessing your hypothesis, it might be beneficial for all parties involved, including patients. Throughout the symbiotic relationship, the two (or more) teams of researchers work together to test a hypothesis and report new findings with coauthorship, acknowledging the group that proposed the new idea and the investigative group that pursued the data and allowed it to be tested.

It is interesting to note that four days after jointly submitting an editorial piece with Dan Longo, M.D., Jeffrey Drazen, M.D., walked back part of it. He clarified that the New England Journal of Medicine, the forum for the initial editorial, is "committed to data sharing in the setting of clinical trials." He went on to comment that he believes "there is a moral obligation to the people who volunteer to participate in these trials to ensure that their data are widely and responsibly used" and that "researchers who analyze data collected by others can substantially improve human health."

In the walk back, he concludes by once again bringing up data sharing through collaboration, signaling that such a form of data sharing may be palatable to more than just the "data socialists" who want to take your hard-researched data a mere six months after the publication of your findings.

Saurabh Jha, a radiologist in Philadelphia, summed it up nicely,

It takes a lot of effort to generate data in biomedical sciences. To expect researchers to surrender the data for the greater good is fuzzy, and lamentably boring, adolescent naivety. If we do not recognize the self-interest of researchers, data socialism, like other forms of socialism, is condemned to failure.

If you would like to provide feedback on the ICMJE proposal, you may submit your comments and concerns to the International Committee of Medical Journal Editors by April 18, 2016.

For more background on this controversy, David Shaywitz, MD, at Forbes has a great series:

Data Scientists = Research Parasites?

Biden Cancer Project: An Opportunity To Implement Data Sharing Incentives    

Do We Really Want To Separate Clinical Data Gathering And Data Analysis?


January 29, 2016

ProPublica HIPAA Helper or HIPAA Wall of Shame

ProPublica, the same organization that brought us "Dollars for Docs" and the "Surgeon Scorecard," is once again making a foray into the medical transparency world. This time, they focus on the Health Insurance Portability and Accountability Act (HIPAA), and provide information on whether "your hospital, clinic, pharmacy or health insurer has been named in patient privacy complaints, breaches or violations."

In creating this "HIPAA Helper," ProPublica sifted through data provided by the U.S. Department of Health and Human Services Office for Civil Rights (HIPAA's enforcer), the California Department of Public Health, and the U.S. Department of Veterans Affairs.

How Does it Work?

Patients and the general public can go to the HIPAA Helper and search for providers and hospitals in the search box. Once the search is completed, a list of results will be displayed. A brief explanation of the issue and any outcome will be included in the results list. One can click on the date and get a more "in depth" look, which explains which database ProPublica found the complaint logged in, as well as how many "other reports" cite the alleged violation.

Many news outlets around the country have already taken the liberty of looking up their local hospitals and care facilities and reporting on "privacy violations" that have allegedly taken place at those hospitals and care facilities. According to the website, major HIPAA violators included the Veterans Administration, CVS, Walgreens, Walmart, and Kaiser Permanente.

Concerns

While we are wary of the HIPAA Helper and the reliability of the data included, our concern does not stop there. We have previously written about the Surgeon Scorecard possibly being used by the American Board of Orthopaedic Surgery for assessing competency in surgeon recertification. Fears that this HIPAA information could also be used for similar purposes are looming, front and center.

Equally concerning, as previously alluded to, is that the data is not reliable. Unreliable data has been proven to dissuade patients from seeing certain doctors and using certain hospitals. The possibility that the information found within the HIPAA Helper is not completely accurate and may lead to similar situations in the future is a major concern.

ProPublica has already proven that their information is not always fully reliable and accurate. As we previously wrote, Rand Corp. took issue with the methodology and accuracy of the Surgeon Scorecard by ProPublica. Rand considered the issues with methodology alone to be "so serious that patients should not view the Scorecard as 'a valid or reliable predictor of the health outcomes any individual surgeon is likely to provide.'"

The information found in the HIPAA Helper is so broad that it will likely prove not to be very helpful to patients. One example, from the U.S. Department of Veterans Affairs, involves a "reported breach of medical information" that was also cited in "336 other reports." The only description of the issue is "Unauthorized Access/Disclosure Involving Paper/Films."

Another problem is that a mere complaint, rather than an actual violation, will get you on the list. This could eventually serve as a vehicle for intimidating health systems or pharmacy chains by simply increasing the number of complaints.

Not only is the information overbroad, but in some cases, it isn't even there. A search of "Quest Diagnostics," for example, comes up with 59 results, but the top results are full of issues where the "data [is] not available." It is questionable what good such a result will do for patients, as there is absolutely no information on the alleged violation, not even an overbroad one.

Conclusion

It does not seem as though ProPublica offers a "legend" of any sort to aid patient understanding, nor does ProPublica make an attempt to explain what the aforementioned "Unauthorized Access/Disclosure Involving Paper/Films" problem, or any of the other cited problems, means. The lack of clear information and explanations may very well wind up being a curse to patients and the medical professionals that aim to serve them.

Another Transparency Threat – Health Education Exchanges and Medical Identity Theft

We have previously drawn attention to some of the downsides of transparency as it relates to medical information. Those downsides typically revolve around the Sunshine Act and Open Payments data. However, there is another major concern about yet another aspect of medical information transparency. Electronic health records, which allow a primary care physician to quickly send information to other physicians, are starting to become more prominent, easily accessible, and dangerous.

Health information exchanges (HIEs) allow doctors to share information amongst each other and help healthcare agencies to track and respond to emerging health threats. Storing patient medical records in the cloud instead of on-site helps cut down on IT costs and storage costs, and allows medical providers to focus on their primary mission of providing healthcare to patients.

While there are some positives to health records being easily accessible by medical professionals, medical data being so easily accessible also presents a huge attack surface for cyber thieves. A recent Ponemon Institute survey reported that 2.3 million adult patients were victims of medical identity theft in 2014 and those victims spent an average of $13,500 trying to restore their credit, pay off fraudulent medical claims, and clean up their health records.

While the 2014 figures may astound you, The Washington Post reports that the Department of Health and Human Services (HHS) estimates over 120 million Americans have had some of their protected health information (PHI) compromised in data breaches since 2009.

Individual companies and agencies have reported their own data breaches of PHI as well. Excellus BlueCross BlueShield suffered a data breach that affected 10.5 million people; Premera had a breach that affected up to 11 million people; and the Office of Program Management breach affected up to 21.5 million. It is estimated that in total, as much as half of the United States population has had PHI compromised.

These data breaches are the results of a new form of cyber attack. While there isn't just one purpose or motivation behind cyber attacks, there are several plausible ones. One reason may be that when cyber attackers steal medical identities, they are able to monetize the financial information included within them. Dwayne Melancon, chief technology officer with Tripwire, says that the healthcare industry is ahead of the retail industry, but behind the financial industry, when it comes to protecting consumer data. The growth of the Dark Web has provided a ready and simple market for thieves who sell financial and other personal information, such as medical records. As such, it is possible that cyber attackers are turning to an easier approach when it comes to taking your financial information.

Further, while financial information can be monetized almost immediately, medical records can take a bit longer to exploit. If someone seeking medical treatment is using the health information of another patient to receive free medical care, they need to be sure their provider doesn't already know who the real patient is and that the identity they stole matches them and their health issues closely enough that the fraud will not be immediately detected.

It isn't just the possibility of free medical care that could be motivating healthcare cyber attackers. Personal medical information can also be useful to those perpetrating phishing attacks. Parents of children who are terminally ill who receive calls from their doctors, or others purporting to be linked to the doctor, are not likely to be as cautious when told their child has been recommended for a promising clinical trial, and may give financial information over the phone.

Another use for stolen health data is extortion. UCLA Health dealt with a data breach in July 2014, after which Jeff Hill, channel manager at STEALTHbits Technologies, speculated that part of the motivation for attacking an LA-based health system is to find personal health information on celebrities and hold that information for ransom or sell it to news organizations. He states that, "[t]he most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc."

Unfortunately, these data breaches are not always avoidable. Dwayne Melancon stated, "There is a tendency to say a company didn't know what they were doing. That is not always the case... In a lot of those cases it isn't negligence, it's just something people could not foresee. If they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers, and any organization could be vulnerable to that."

When personal health information is exposed through breaches, patient lives can hang in the balance. It is important for all decision makers in healthcare organizations to understand these threats and work to combat them daily, from IT staff to privacy and compliance staff.
