Follow-up: HHS National Security Strategy

As a follow-up to my post yesterday about the US Department of Health and Human Services’ “National Health Security Strategy 2015-2018,” I’d like to respond to a few questions that arose surrounding the sources of data that would comprise a large, unified national health database.

At risk of running afoul of the admonition stamped on the PDF file to “Not Cite or Quote” the source document (I’m not sure how you can post something for public comment, and then ask people not to cite or quote it, if you truly want thoughtful input), I thought it would be helpful to look at a few of the specific items in the draft document that indicate the origins of this data that will make up this theoretical national health data repository.

The first question we might ask is, “Since the most useful data for a national database resides in the hands of private entities (e.g. health systems), how will the data get from there to a master database managed by DHHS?”

Let’s look at “Activity 3.2.1” from the draft document in order to get a glimpse at the vision here:

Activity 3.2.1: Federal partners will work with nonfederal partners to create a set of operational principles to inform decisions and resource allocation, set priorities, facilitate data access and sharing, consider meaningful use requirements, adopt standardization for IT and diagnostics, and ensure integration of animal and environmental surveillance data.

Meaningful Use is the operative word here – there are all sorts of hoops that health systems and providers are jumping through at present in order to qualify for federal incentive dollars related to the meaningful implementation and use of EHR systems.  Many organizations have already collected millions after attesting to “Stage 1” requirements, and as the requirements get more cumbersome those attesting at further stages are fewer.  But rest assured, when there are dollars at stake, business managers and CFOs across the country will find ways to comply with the demands of future attestation requirements in order to get those dollars.

Next, look at Activity 3.3.1 and 3.2.2, which further verify that the desired health database will consist of data that is currently in the hands of private industry.

Activity 3.3.1: Federal partners will identify and consider proprietary interests that may inhibit incorporation of private resources, including approaches for carefully controlled data sharing and maintaining confidentiality of information.

Recognizing the logistics of collecting and using data from multiple sources is the first step to making the centralized resource a reality, and then …

Activity 3.2.2: Federal partners will work with nonfederal partners to develop and disseminate data-use/data-sharing agreements to provide models that security, ethical constraints, data ownership and stewardship, and liability protections.

… we get a glimpse that DHHS recognizes the potential privacy implications of such a large scale collection of health data.

And finally, we circle back to “meaningful use” incentives (though not by name) when the document addresses the inherent problem of compliance and participation.

LINE 1286 To fill gaps in existing data sources, the workgroup will develop incentives for stakeholders to report data voluntarily, remove barriers to data collection, disseminate data reporting standards, and ensure data security and integrity.

Dangle the dollar signs out there, and watch the data flow in (with a constant eye toward security and integrity, of course).

Maybe, after all, having a centralized health data repository is a good thing for population health management, and even national security.

I think that there are certainly methodologies that could anonymously track diagnoses, symptoms and other key data points that could be used by the CDC and DHHS in the case of a medical crisis that would be far less sweeping than what is envisioned here.  Pull out the data points that you care about, anonymized appropriately, and if you need to symptoms back to patients (for instance), have a method in place to address this.

The easy thing to do, unfortunately (as seen in the case of the NSA) is to collect it all, and figure out what you will do with it later.  We already know that the massive NSA database was used by scorned lovers to dig up dirt on exes (a practice so common, it was termed LOVEINT by analysts in the agency).  How might a health database be similarly abused?  We can wait, and find out, or we can demand the integration of added layers of privacy from the start.  If the data is there, it will be abused – the question is to what extent, and by whom?

Get Peter's entrepreneurial manifesto, "Stop Climbing that Ladder, and Build Your Own!"

Just join his mailing list, and you'll get a link to download it - free!