Do We Need a Privacy Risk Paradigm Shift to Achieve the Goals of CalAIM?

As California shifts towards cross-sector collaboration under the sails of California Advancing Medi-Cal (CalAIM) there is an increasing need to share data between organizations subject to HIPAA (covered entities) and those that are not (what we refer to as non-covered entities or community-based organizations (CBOs)). For more than 20 years, health care providers have relied on privacy and security frameworks derived from the HIPAA Rules, which provide controls under three primary areas for safeguarding patient data: administrative, technical, and physical. Administrative controls generally encompass the training users would receive and the types of policies that would be implemented to control user access to patient data; technical controls manage the ability to authenticate, authorize, and audit user and system activity against internal misuse and external malicious actors; and physical controls involve the ability to secure patient records and information systems that contain patient data. However, one thing that health care organizations have always needed to manage is what the appropriate balance of these controls is — in other words, where is the greatest risk?

Currently, most health care data systems are managed via cloud-based software and solutions providers, which generally provide physical and technical security against external threats and distributes some risk away from the organization. Furthermore, organizations can attain additional certifications, such as HITRUST CSF, as required by either health care payors or organizational leadership. Security certifications are generally a third-party evaluation of your security measures according to industry standards and best practices. HITRUST CSF is one of the better-known types of security certifications, but with a particular focus in compliance to HIPAA requirements.

However, this outsourcing of physical and technical security leaves a potential gap: what about data access within a system, or more broadly, within a trusted network, such as a regional or local Health Information Exchange (HIE)? The fact remains that under HIPAA, despite these distributed networks and service providers, it is ultimately the responsibility of a given organization to determine who can access patient data, to what extent, and for what purpose. In health care systems and organizations, the ability to share patient data with other providers within the confines of HIPAA has traditionally been acceptable, as it was assumed the data could is relevant to patient care. This level of access may remove the need for layers of privacy controls for personal health information (PHI); however, what happens if you are a community-based organization, like a homeless shelter or food pantry? This is where a spectrum of philosophies emerge, and the cross-sector data sharing challenge begins.

Most health care privacy and security teams think in two dimensions of patient data: breach and misuse. A breach occurs when patient information is accessible to non-authorized users, whether by a malicious party or when a user with access to the information inadvertently releases it to a third party. These types of events have severe consequences (including fines) for organizations and can potentially threaten patients’ identities depending on the type of information released. On the other hand, misuse occurs when authorized users utilize patient information for unjustified purposes, such as looking up a colleague or celebrity. These types of events can be managed with proper training (administrative) and audit controls (technical). Privacy and security teams generally stop there, but aren’t there other risks, specifically to patient care?

Figure 1, Multidimensional Data Risk Assessment, proposes a different lens that organizations should look through when considering patient data risks. The proportions of the chart are not indicative of any empirical findings, but they could represent a real scenario for any community. By healthcare organizations deferring to strict access controls, particularly with CBOs, the focus is only on breach of patient data or misuse by CBO staff. However, there are several other risks that could have greater ramifications. What if a referral to an organization only included demographics for a patient contact? How can a CBO really determine eligibility, service needs, and priority without more information? This is a risk which impacts service enablement (i.e., not sharing information with a CBO that is necessary for efficient service enrollment and coordination). An additional risk to consider is patient endangerment, which can occur in several different types of scenarios, such as 1) when people are assigned as roommates in a housing development without considering potential behavioral health issues that may arise between the two, or 2) when medications prescribed by one provider might conflict with those prescribed by another (particularly if the patient did not indicate they were given prescriptions previously). A third major risk category arises in patient experience and the potential for consent fatigue and re-traumatization. For example, should a victim of domestic abuse or child neglect retell their story to several related organizations since they all have strict data privacy policies and do not share relevant information among each other?

Risk is generally the intersection of probability and loss. A breach can certainly be considered a high degree of loss, but often we do not consider the probability of this occurrence. What incentives do malicious parties have with cross-sector information versus web servers that house financial data? Some may offer that identity theft may be the objective, but these systems that contain safety net populations have data which fluctuates constantly, particularly addresses, making it a poor choice for someone trying to establish a fraudulent credit line or bank account. Furthermore, before electronic records, organizations had to trust employees were handling client paper records appropriately and with integrity. How did the onset of technical safeguards diminish this trust? Lastly, reflecting on Figure 1 and cross-sector collaboration involving both HIPAA-covered entities and CBOs, what has the greatest probability of occurring any day of the week:

  1. A hacker will breach a CBO system.
  2. A staff member will look up a client that is also a neighbor.
  3. A patient/client will have to fill out several intake forms with the same information between referring organizations due to strict privacy controls, delaying services while eligibility is confirmed.

Critics will continue to cite consent issues and staff misuse/mishandling of information (all valid concerns), along with unique organizational problems as a primary concern above some of the others I’ve mentioned. However, these problems often all resolve to the basic fact that a given organization tends to be most concerned about its own liability versus its patients’ needs. For CalAIM to be successful, we need an effective cross-sector data sharing model that puts patients/clients at the center and effectively mitigates their risks, otherwise, while there may be “no wrong door,” there certainly will be several an individual needs to walk through before receiving services.