Do No Harm. Matthew Webster

Read online: Do No Harm - Matthew Webster, page 27

pulled out manually—a time-consuming and painful process by today's standards. Assessments on that data were time-consuming and difficult. Now, with modern technology, they are much easier. But each system needs the data for different purposes. The insurance company needs to get all the requisition codes to analyze the data in a different way. A hospital needs to aggregate data from a host of different systems so that it has a more complete record. In the end, it is not about one aggregation, but many.

EHR systems are used by hospitals, doctors, and other health providers to aggregate and access health records. They are critical for having centralized data. They are also moving to the cloud, which affords them many of the same advantages that IoMT cloud providers enjoy, with similar benefits to the providers. The cloud, in short, helps to get companies out of the IT game (to an extent), allowing them to focus on what they do best: helping people.

Health insurance companies also need many of the same records that hospitals and doctors' offices require. They have to analyze the data and pay out claims, and they too are utilizing the cloud for many of the same reasons as other companies. Again, aggregation means diffusion of data.

With Health Information Exchanges (HIEs) we start to get into connections that not everyone is aware of. HIEs aggregate data within a Health Information Network. The goal of HIEs is to facilitate a faster, safer, and more efficient transfer of data than the previous way of having to walk or fax information over from one place to another. While they typically do not exchange information outside of their networks, they are known to connect to state or federal bodies to exchange information, yet another place where data interconnects.

There are additional grants built into the American Recovery and Reinvestment Act (ARRA) of 2009 for building Regional Health Information Organizations (RHIOs). The primary goal of RHIOs is to share health information within a region while following both state and local guidelines. Part of the overarching goal of RHIOs is to allow for the interconnection of medical information within a specific region. In some cases, they even share information across multiple regions.

The Center for Medicaid and Medicare Services (CMS) has the tremendous responsibility of overseeing patient data for several medically related federal programs. They do not necessarily collect the data themselves, though. Many of their programs are contracted out to third-party companies. When you connect to CMS websites, those sites are often built on the corporate networks of those third parties.

So far, we have been exploring data strictly from a HIPAA perspective, but there is also data that looks like HIPAA data yet, in reality, is not.

Over the last decade, a number of new devices and applications have hit the market. These include everything from wearable devices that track physiological data to health and fitness applications designed to make you healthier. What is interesting is that many fitness devices are eerily similar to IoMT devices: they collect many of the same types of data and, in many cases, use the same types of technology. By all considerations, many of these devices are collecting HIPAA-like data, but the data they collect is not considered HIPAA data because it is not created by a covered entity. A covered entity, as defined in the HIPAA rules, is a health plan, healthcare clearinghouse, or health provider. Covered entities are beholden to HIPAA and have strong privacy and cybersecurity requirements. Data from health devices, despite its similarity to health data, does not have the same privacy or cybersecurity requirements. Data from health and fitness applications oftentimes includes a great deal of additional information about you, such as where you are, where you have been, and personal details such as your address. The price of these “free” applications is that you give up information about yourself, including healthcare-like information.

A challenge with many of the health applications on the market is that some of them provide health advice without sufficient science behind it to back up their claims. Within the iTunes and Google Play stores, there are more than a hundred thousand health applications. There have been numerous fines against many of these companies, but given the relative ease of designing apps and getting downloads, keeping track of them all and determining which are legitimate and which are not becomes an almost impossible task. Making an unsubstantiated claim may ultimately harm some people. The FDA has made recommendations for companies or individuals who develop these applications, but not everyone follows those recommendations.

Like fitness devices and applications, direct-to-consumer genetic testing is not covered by HIPAA. In many cases, the data is the same as HIPAA data, but because it is not coming from a doctor or hospital, it isn't afforded the same protections. The data walks like a duck. It quacks like a duck. It is a duck, but it does not get the same security considerations as the other ducks because it did not come from a doctor or hospital.

It should be pointed out that just because the data is not HIPAA data does not mean that the data is not sensitive. Additional information such as name, address, and phone number is sensitive information. It is considered personally identifiable information (PII). PII is essentially any information that can help identify someone, including Social Security numbers. In the United States, PII must be protected, but the protection requirements are much less stringent for PII than they are for Protected Health Information (PHI). PHI is the data that is protected under HIPAA. It includes PII, but also the health information held by covered entities. In the case of fitness devices and genetic ancestry testing (not performed under a covered entity), the data is PII that also contains health data not governed by the HIPAA law. Oftentimes, that means the data is less secure.

But the story of this non-HIPAA medical data does not end here.
