More understanding of the privacy and security issues surrounding big data is needed to advance a learning healthcare system, according to the Health IT Policy Committee’s Privacy & Security Work Group.

Stanley Crosley, of Drinker Biddle & Reath law firm and co-chair of the group, presented the work group’s recommendations to the committee during its Aug. 11 meeting.

The group encourages the Office of the National Coordinator for Health IT (ONC) and other federal stakeholders to hold more public inquiries to increase understanding. “There is a lot of conversation around privacy but understanding much of the harm we’re trying to prevent still remains elusive,” Crosley said. “It would benefit policymakers to know more about the harms consumers are concerned about and make sure they’re taking steps to address those harms.”

The work group also is pushing voluntary codes of conduct, Crosley said, but they have to be credible and include transparency and accountability. “Along with that, we believe this will only work if there is good dialogue between the [Department of Health and Human Services], the FTC and other federal regulatory groups and other stakeholders developing these codes as they quickly establish the rules of the road.”

In its report, the work group also added consideration of the use of community risk assessment review boards as part of process, Crosley said. “We see that as a potential way to improve a code of conduct that may not in itself be strenuous enough.

“We want to promote the responsible reuse of data and contribute to generalizable knowledge.”

The work group was adamant about individuals’ right to access their data--even if they are never used. “It’s a very important right an individual should have,” he said. Their recommendations include protection of data that moves outside of entities covered by HIPAA.

The landscape is very complex with data moving from the HIPAA to the non-HIPAA environment and the interoperability necessary to achieve all the advantages of big data, Crosley said. “We’re on a continuing quest to educate consumers about the actual limits of legal protection and the best protections to protect the privacy and security of health information.”

Recommendations also covered improving trust and reducing the risk of reidentification, which was a “significant undertaking by the work group,” he added. “We were trying to understand what has occurred before, looking to other activities and incorporating as much as possible. The recommendations come down very strongly on the Office of Civil Rights needing to be a more active steward of the HIPAA deidentification standards.” That includes ongoing review of methodology, input from third-party experts and updating methodologies and policies. “It’s going to be a very vibrant, fluid environment. For the regulations to be meaningful both in robustness and in the ability to utilize data, the OCR needs to be an active steward.”

The work group supports the secure use of data for a learning health environment and voluntary codes of conduct to address robust security provisions. “Baseline security is really the table stake to utilize health information whether inside the HIPAA environment or outside.” Rather than legislation, Crosley said the work group prefers voluntary codes of conduct coupled with education of stakeholders about cybersecurity improvement and incentives for the use of privacy-enhancing technologies.

The committee approved the work group’s recommendations.