Report Examines Patient Trust, and Distrust, in Healthcare Data Sharing

By Matt Phillion

In its recent State of Patient Privacy report, health information network and interoperability provider Health Gorilla surveyed more than 1,200 patients in the U.S. on health data security concerns and found that while 71% of patients are comfortable with providers accessing their data without their explicit consent, smaller numbers are comfortable sharing data for payment-related purposes (39%), operations-related purposes (28%), and public health purposes (23%).

Respondents also said that they are concerned about the possibility of a data breach impacting their medical records (95%), expressed distrust in Big Tech corporations storing their data (65%), and cited worry about security and privacy protections offered by vendors who handle their health data (54%).

“What’s really striking to me in the findings is the fact that such a big percentage were uncomfortable with their data being shared for treatment. This was enshrined in HIPAA in the last century and has been the law of the land for as long as many people have been alive,” says Steven Lane, MD, MPH, chief medical officer with Health Gorilla. “One of the key tenets of HIPAA is that covered entities can share data.”

This finding demonstrates a disconnect between patient understanding and patient expectations, Lane notes. Patients expect physicians to know what has happened to them when they visit their physician, and no one wants to fill out the same clipboard worth of information again each time they visit the doctor.

“This is especially true in a coordinated system, and people have become accustomed to interoperability,” says Lane. “What is the residual 29% who are uncomfortable with sharing data for treatment? I know I’ve heard stories of patients saying they were coming to a new doctor for a fresh start and didn’t want them to have any preconceptions, but I want to reassure them that the sharing is appropriate and that it follows the minimum necessary uses.”

HIPAA rules cover payment and operations uses, yet less than 40% of respondents said they are comfortable with payment uses, and less than 30% are comfortable with operations-related uses. “How do they expect their providers to manage their care or billing if they’re not sharing their data? I’d like to sit down and have a conversation with them—there seems to be on the surface a lot of distrust,” says Lane.

With so many data breaches making headlines in the past few years, Lane posits that there’s more general awareness about these breaches. The nosiness of non-medical technology may play into patients’ wariness as well. “As soon as you go somewhere or say something out loud, advertisers know about you,” he says. “But there seems to be a tendency to be wrong about HIPAA in both directions; things that need to be kept secret that aren’t and the other way around. I wish this could be part of a civics class on how to be an informed citizen and an appropriate consumer and curator of your own health data, where it lives, and how to access it.”

Tensions related to reproductive health data and gender-affirming care information have also escalated the conversation about how health data is handled, but the public doesn’t always keep pace with what is happening at the federal level to protect their information. “To me, it reflects a lack of understanding that even the most wonderful PCP who handles 90% of your care can’t provide care without data,” says Lane.

Public health data collection is of particular concern. “Much has been said about the role of public health, and it’s been so politicized during the pandemic, but to see fewer than a quarter of respondents say they’re comfortable with their data being shared for public health purposes shows there’s a lack of understanding in the laws that govern how providers must report public health data,” says Lane. “For generations we’ve shared public health information, and there’s a huge gap between the reality [and the] perception of this.”

A notion of individual control

Sharing information can help with challenges of accessibility and access, Lane notes, particularly for areas where a Main Street pharmacy is able to provide care locally to patients who may be 50 miles from a physician or medical center. “How we get data to and from pharmacists so they can play a bigger role is very important,” says Lane.

But in the scenario of a Main Street pharmacy, the cashier might be a neighbor; that might be where some of patients’ distrust comes from. “You might say, ‘I don’t want someone who knows me to know I’m on birth control or taking HIV prophylaxis,’ ” says Lane. “There’s a traditional trust in the provider, but they may not understand that these other people along the way are part of HIPAA-covered entities.”

It comes down to a notion of individual control over health information, Lane notes. “What is lacking is an ability to say, ‘I’m fine sharing my data about my blood pressure or sprained ankle, but not about my depression or other sensitive topics,’ ” he says. “We must develop a process for flagging that highly sensitive data and treating it differently or asking for special permissions.”

Only in the past few weeks and months have we seen proposed rules for how to treat reproductive health data, and we only recently witnessed an ongoing battle over gender-affirming care in Tennessee.

“Given the current social milieu, it’s understandable people are concerned with how something they didn’t consider in the past could come back to bite them today,” says Lane. “We’re at risk of losing the benefits of everything we’ve done. We’ve spent 20 or 30 years digitizing medicine and 15 years addressing the challenges of interoperability, and when it works it can save your life or save money or get you the best care. But then there are unintended consequences, from privacy breaches to weaponization of data, and now we have to mitigate those risks.”

Those mitigations might involve laws, technology, or workflows, but the goal is to reach a point where we can tag data as needed. Much of this boils down to personal preferences, though. What does each patient consider highly sensitive data?

“There are all kinds of sensitivities we can’t predict, even if you know the patient well, and if you don’t know the patient it’s totally guessing. Health data comes in different flavors, and theoretically you can control that, set everyone up with a thousand switches,” but doing so would not be feasible or efficient, Lane says.

He says there are steps in the right direction, though. They start with HIPAA and the right of individuals to request restrictions on the use and exchange of their data, a rule that has been in place for decades. “You’ve got a right to request that restriction, and providers must adhere to it,” says Lane.

The Data Segmentation for Privacy (DS4P) final rule addresses the exchange of sensitive information on a more granular, conditional level of consent, and the Office of the National Coordinator for Health Information Technology (ONC) is discussing how to require certified health IT EHRs to manage restrictions.

“We’re really just now seeing the technology, and frankly the cultural needs are catching up,” says Lane. “The ONC is going to have a new rule that raises the bar for vendors of certified health IT to have certain pieces of functionality. We want to be right out in front of this.”

Lane would like to see restrictions discretely captured in the metadata that accompanies healthcare data. “I think this is the first step. If someone places a restriction, then at least let the people you’re sending the data to know that restriction,” he says.

The other component is coming to an agreement about the definitions of highly sensitive data classes so organizations and providers can manage them differently. “As a piece of that, there needs to be some approach to managing different state laws,” says Lane. “One approach is to try to get rid of those differences, to have federal laws that overrule the local one.”

Healthcare travels—people move across states to receive care, and most healthcare systems have compliance staff to track differences in state laws, but this is an expensive burden, so the industry needs a way to standardize this information.

“The survey had a lot of interesting insights, but more than half of people don’t trust Big Tech vendors to manage their data, and it’s been so hard for people to move forward. This isn’t like managing your grocery data,” says Lane. “I think certain players are architecturally better prepared to address these concerns about health data.”

Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at matthew.phillion@gmail.com.