Given the surging volume of personal health information (PHI) and other sensitive data from electronic health records, medical imaging, payer records, and medical devices, healthcare organizations are arguably in the data business today as much as they’re in the business of caring for patients. Data not only helps healthcare organizations deliver better patient care, but it’s a core asset to meet other business imperatives, including streamlining processes and lowering costs.
Healthcare organizations have typically taken a binary approach to PHI access: users either have everything or nothing. This approach is both unnecessary and risky in today’s heightened regulatory climate, particularly given the surge in data breaches.
Today’s challenge for healthcare is to manage PHI in a way that both assures patient information remains protected and gives the right users the access they need to achieve clinical and operational excellence.
All of this is causing healthcare organizations to rethink their data and privacy strategies. Because breach penalties are assessed based on the number of records that have been compromised, organizations are motivated to implement levels of access control, so that if a breach does occur, liability and financial risks are reduced.
Most breaches are the result of human error, intentional or not. This makes the issue of who has access to data particularly critical. Very few people in a healthcare organization need access to every piece of PHI. Clinicians need access based on the type of patients they’d reasonably encounter: for instance, an emergency department physician might need broader access to an organization’s PHI than a researcher. For business users, their access to sensitive data should be based on their operational function.
There are several challenges to putting data access controls in place: first and foremost, understanding what data a healthcare organization has. Most don’t have a good inventory of systems, sources and which data is even considered part of PHI.
Conducting that data inventory is a key first step for healthcare organizations. Another is spending the time to properly classify data. For instance, is a piece of PHI data care-related? Is it patient demographic data that may be relevant for marketing and other business functions?
This is where automated data governance plays a critical role as the foundation for a mature data management strategy that helps keep sensitive data protected while still supporting clinical and business needs.
For instance, one large California health system is relying on automated data governance to ensure access to sensitive data stays in the hands of only the appropriate users – while still allowing the flexibility to grant access to new users in a timely yet compliant way. This organization’s integrated data catalog and governance platform allow users to make service level requests for data access to the compliance group and get approval within a 24-hour period. The platform also lets this organization apply specific time limits on data access as a mechanism to re-evaluate and manage access on a periodic basis.
Here are three strategies healthcare organizations should employ as they take steps to be both good data guardians and allow the proper access to information that clinical and business users need to draw data-driven insights:
1. Conduct an inventory what you have
The first step in better managing data is to understand what you have. This is no small feat. A data catalog that is closely integrated with an automated governance platform serves as a centralized inventory of data across the business, allowing users to find, understand and trust data.
2. Put in a place a flexible, governed set of use policies
Define policies about who within the organization will have access to particular information to ensure compliance and protection of PHI and other sensitive data. This is a group effort typically led by compliance, but with participation from IT and business owners to collectively understand the organizational need.
3. Implement systems and processes to allow for ad hoc access to PHI at a rate that fits the organizational need
Healthcare companies need to protect PHI while still offering flexible access. An automated data governance platform allows potential data consumers to request access to specific data sets, with the protections of automated systems like workflows and policy management in place to help quickly track approvals in a meaningful way.
Organizations are increasingly taking a more measured and mature approach to their data management strategies, including turning to automation to make these changes sustainable. By stepping away from an “all or nothing” approach to data access to one that empowers clinical and business leaders to access only what they need to make the best decisions, hospitals can both allow users to do their jobs and act in the patient’s best interest to manage access to sensitive data.
Chris Cooper is the healthcare principal at data governance and catalog software provider, Collibra.
