Big Data Healthcare Project Raises Privacy Issues
Truveta Initiative Involves Sharing De-Identified Data From 14 Provider Organizations
Some privacy experts are raising concerns about Truveta, a new big data collaborative research effort involving 14 U.S. healthcare providers. The providers plan to share de-identified data on tens of millions of patients in an effort to advance personalized medicine - targeted treatments - through the development of an artificial intelligence and machine learning-based platform.
The participants in Truveta are: AdventHealth, Advocate Aurora Health, Baptist Health of Northeast Florida, Bon Secours Mercy Health, CommonSpirit Health, Hawaii Pacific Health, Henry Ford Health System, Memorial Hermann Health System, Northwell Health, Novant Health, Providence Health System, Sentara Healthcare, Tenet Health and Trinity Health.
"Through structuring, normalizing, and de-identifying data from these health providers, a new data platform will be built, with careful protection of patient privacy and security," according to Truveta's launch statement.
De-identifying data doesn't necessarily eliminate privacy risks, says privacy attorney David Holtzman of the consultancy HITprivacy LLC.
"Truveta has not ruled out that it will partner with other data processing companies that may integrate vast stores of data about individuals gathered or collected for many purposes," he points out.
"HIPAA does not prohibit an organization from de-identifying data for secondary uses," Holtzman notes. "Once data is de-identified, it's no longer protected by HIPAA. The concern is that when Truveta allows large data processors to have access to great stores of data collected about individuals, how will this de-identified data be used in the AI environment to be associated with identifiable data?"
A Truveta spokeswoman tells Information Security Media Group that the new company is pursuing "the most stringent security certifications."
Plus, Truveta has engaged ethicists "to ensure compliance with ethical treatment and use of patient data," she adds.
The company is in the early stages of building the AI platform, she explains. "To date, we have received a small set of fully de-identified test records for use in modeling and creating the Truveta platform," she says.
Truveta's software implements two health data de-identification methods that are compliant with HIPAA's "expert determination" and "safe harbor" provisions, she notes.
"Truveta will not receive any protected health information until specific criteria are met, including completion of security certification milestones for the platform, verified by health provider audit and legal teams and independent external reviews."
Truveta is currently working on achieving external certifications from ISO, SOC2, and HITRUST, she adds.
So what kind of patient data will be shared by Truveta's member organizations, and how will that get de-identified?
"The Truveta platform will structure and normalize a wide range of data across structured and unstructured data types to unlock the power of de-identified data across all diagnoses and demographics," the spokeswoman says.
Truveta also provides the software for de-identification to each healthcare provider. "Before data is integrated into the Truveta data platform, it is de-identified," she adds.
For many years, patients have entrusted health providers with biomedical information, with the knowledge that it would be used to advance human health, the spokeswoman says.
Potential Red Flags
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C. says the Truveta project raises some privacy and security red flags.
For instance, the 14 healthcare organizations participating in Truveta should disclose the existence of the new entity and ask patients for express consent to PHI usage, de-identified or not, for this specific project, he says.
"Have patients been given some notice that their information will be stored in what is now an untried and tested third party?" he asks. "It looks like the participants will attempt to 'grandfather' consent. Not sure this passes the smell test."
Also, Truveta should make clear if it will be "monetizing" patients' data by providing it to other third parties, he says.
The vast collection of patient information from 14 organizations raises concerns about potential data breaches, Teppler adds.
"Using the weakest link in the chain approach, this amplifies risk, as it assumes that all participants have equally robust security infrastructure and policy," he says.
If Truveta is the equivalent of a managed service provider with access to participants' sensitive data, the company must learn from the massive fallout from third-party vendor breaches, such as the SolarWinds supply chain attack, Teppler notes.
"I would also like to know where and how any of Truveta’s infrastructure is outsourced to vendors and what measures are taken to ensure vendor enforcement."
Regulatory attorney Paul Hales of the Hales Law Group says the Truveta effort holds promise for helping advance medical breakthroughs, but strong safeguards must be in place.
"Sophisticated procedures to analyze detailed health information gathered from large numbers of patients offer extraordinary opportunities to advance medical science," he notes. "Accurate data assembled from real patients is essential."
Still, while guardrails, such as Truveta de-identifying data, are in place, "the people who handle the data and do the research are the ultimate guardians of patient privacy," Hales notes. "While anonymization of patient data is challenging, I think there is no question that Truveta's success in maintaining patient privacy will hinge on its management and careful supervision of the people who do the work."
Similar Big Data Initiatives
In recent years, a few other similar big data healthcare research initiatives have been launched.
For example, Google has partnered on a project dubbed "Nightingale" with St. Louis, Missouri-based Ascension Health, using the records of millions of patients.
That initiative drew early scrutiny from Congress, which questioned whether Google staff had access to patients' records without their knowledge or consent (see: Senators Demand More Info on Google's Nightingale Project).
Google also has separate predictive analytics and personalized healthcare projects with Mayo Clinic and the University of Chicago Medical Center.