Patient Privacy and Data Security in Clinical Research

By Harte Nielson


September 22, 2022

Clinical Researcher examines patient data

Imagine, as a doctor a century ago, trying to diagnose a patient presenting with an illness. None of the symptoms are familiar. It’s like nothing you have seen before and there’s no one to turn to. As a small regional doctor, your only hope is a hospital, potentially one quite far away. Even at that hospital, medical information is sparse and only the most common illnesses and diseases are recognizable. With both limited information and a limited population from which to observe, the relative isolation and lack of data mean treatments are trial and error and, often, there is no treatment, only documentation in the hope that it will help someone else at another time.

Then, medical journals made their debut at the turn of the 19th century. But, with quarterly publication, it was difficult to get hold of them and, even then, information was limited and rarely updated. All of this is to say that it was not until the modern medical era that medical data really started to help doctors connect the dots and get a more complete picture of patient conditions and treatment options. It’s easy to see how the availability of data and data collaboration changed the face of medicine, from exam rooms to clinical research.

As technology continues to evolve, so does the ability to gather and share healthcare data. A major step in this evolution was the introduction of electronic health records (EHR). When EHR systems became a reality, there was, rightly, a lot of hope about what lay just beyond the horizon. And while the implementation of EHR systems has certainly made massive strides in connecting important healthcare information, there are still improvements to be made. Take interoperability, for example. HL7 FHIR (Fast Healthcare Interoperability Resources) has standardized how clinical data is represented and exchanged between EHR systems, through a common resource model and a REST-style API, and that has made connections much easier. But a format and exchange standard governs how data is structured and moved, not how it is safeguarded once it leaves the source organization, and that is where the opportunity remains. Again, we find ourselves at a moment of potential evolution, where data-sharing mechanisms can address the vital need for increased patient privacy.

What is Patient Privacy and Why is it Important?

Patient privacy is about more than closed doors in doctors’ offices or properly fitting hospital gowns, though that’s certainly included. Beyond physical privacy in doctors’ offices and hospitals, patient privacy also encompasses:

            • Data and health information privacy
            • Privacy about medical decisions and treatment
            • Privacy when it comes to personal relationships that may play into healthcare and healthcare choices (family, partners, spouses)

While HIPAA compliance and other legal concerns are probably top-of-mind when it comes to the importance of patient privacy, there are other factors to consider as well. For example, some private health information, including medical diagnoses, medications, or treatments, may affect patients outside the healthcare space. Whether in the workplace or in their personal relationships, keeping a patient’s healthcare data private helps protect them from discrimination based on their medical history or diagnoses.

No matter the reason, a patient’s health information is theirs alone to disclose to others, if and when they choose to. The ability to keep that data secure, and the value of creating a space where a patient is guaranteed privacy is what helps build the kind of trusting relationship between doctor and patient that improves care.

How Data Security Maintains Patient Privacy

The HIPAA Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards for electronic protected health information (PHI). When it comes to storage, these data security measures are typically layered, offering a line of defense at every stage of attempted access. That means using security mechanisms such as:

            • Physical security in the form of secure server rooms with controlled access
            • Firewalls and network segmentation to restrict network access
            • Mail filtering and anti-malware protection
            • Access control (least privilege, role-based access, audit logging) and intrusion detection to safeguard internal access
            • Encryption of email, stored data, and data in transit
            • Regular patching, backups, log review, and audits
            • A tested and robust disaster recovery plan

All of these efforts are designed to stop unauthorized access to PHI by both internal and external threats, and to limit acts of negligence that may result in data loss or leakage.

However, PHI and EHR data shared between organizations are not as well protected as many assume. In fact, the data-sharing methods used most commonly by healthcare organizations still carry a surprising number of weaknesses, putting data at risk of breach and organizations at risk of hefty fines. Encryption protects data from anyone who lacks the key, but it does not de-identify anything: once a recipient decrypts a record, the question becomes whether that record can be tied back to a person. Pseudonymization, or tokenization, which replaces direct identifiers with tokens, is definitely a best practice and a valuable added layer of protection. But it is still vulnerable to re-identification. An adversary who holds auxiliary information can link tokenized records back to individuals through the quasi-identifiers that remain in the data (date of birth, ZIP code and sex are the classic combination), and a token derived from an unkeyed hash of a small identifier space can simply be enumerated. In addition, most common data-sharing methods require healthcare organizations to hand a copy of their data to a third party, relying on a false sense of security through de-identification. Every additional party that holds the data is another place where it can be combined with other information and re-identified.
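To make the re-identification risk concrete, here is an added Python example. It is not code from the article or from Karlsgate; the records, the MRN format, the key, and the "voter roll" are all constructed for the demo. It tokenizes a research extract, links it to an auxiliary dataset on ZIP code, date of birth and sex, recovers unkeyed hash tokens by enumerating an assumed six-digit MRN space, and measures k-anonymity before and after generalizing the quasi-identifiers.

```python
"""Re-identification of a tokenized ("de-identified") research extract.

Added illustration, not code from the original article or from Karlsgate.
All data below is constructed for the demo; names and MRNs are fictional.
"""
import hashlib
import hmac
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def naive_token(patient_id: str) -> str:
    """Unkeyed hash token: deterministic, so anyone can recompute it."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def keyed_token(patient_id: str, key: bytes) -> str:
    """Keyed token (HMAC): only a holder of the key can recompute it."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


# Constructed research extract: direct identifiers replaced by tokens,
# but the quasi-identifiers needed for analysis are kept verbatim.
RESEARCH_EXTRACT = [
    {"token": naive_token("MRN-100231"), "zip": "02139", "dob": "1984-03-17", "sex": "F", "dx": "type 2 diabetes"},
    {"token": naive_token("MRN-100498"), "zip": "02139", "dob": "1986-11-02", "sex": "M", "dx": "hypertension"},
    {"token": naive_token("MRN-100775"), "zip": "02138", "dob": "1984-09-22", "sex": "F", "dx": "asthma"},
    {"token": naive_token("MRN-100912"), "zip": "02138", "dob": "1987-06-30", "sex": "M", "dx": "depression"},
]

# Constructed auxiliary data an adversary might hold (a public voter roll,
# for example). Two people share the last quasi-identifier combination.
VOTER_ROLL = [
    {"name": "A. Example", "zip": "02139", "dob": "1984-03-17", "sex": "F"},
    {"name": "B. Example", "zip": "02139", "dob": "1986-11-02", "sex": "M"},
    {"name": "C. Example", "zip": "02138", "dob": "1984-09-22", "sex": "F"},
    {"name": "D. Example", "zip": "02138", "dob": "1987-06-30", "sex": "M"},
    {"name": "E. Example", "zip": "02138", "dob": "1987-06-30", "sex": "M"},
]

# Assumed identifier space for the dictionary attack: six-digit MRNs.
CANDIDATE_IDS = [f"MRN-{n}" for n in range(100000, 101000)]
DEMO_KEY = b"demo-key-held-only-by-the-data-owner"  # constructed, not a real key


def _qi_key(row, qi=QUASI_IDENTIFIERS):
    return tuple(row[f] for f in qi)


def link_by_quasi_identifiers(extract, aux, qi=QUASI_IDENTIFIERS):
    """Linkage attack: join on quasi-identifiers. A record is re-identified
    when its combination is unique in both datasets."""
    aux_index = defaultdict(list)
    for row in aux:
        aux_index[_qi_key(row, qi)].append(row["name"])
    extract_index = defaultdict(list)
    for row in extract:
        extract_index[_qi_key(row, qi)].append(row)
    reidentified = {}
    for key, rows in extract_index.items():
        names = aux_index.get(key, [])
        if len(rows) == 1 and len(names) == 1:
            reidentified[rows[0]["token"]] = (names[0], rows[0]["dx"])
    return reidentified


def dictionary_attack(tokens, candidate_ids, tokenizer):
    """Recover the identifiers behind tokens by running every candidate ID
    through the (assumed known) tokenizer and matching the outputs."""
    rainbow = {tokenizer(pid): pid for pid in candidate_ids}
    return {t: rainbow[t] for t in tokens if t in rainbow}


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers. k = 1 means
    at least one record is unique on those fields and therefore linkable."""
    return min(Counter(_qi_key(r, qi) for r in records).values())


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "**"
    g["dob"] = record["dob"][:3] + "0s"
    return g


if __name__ == "__main__":
    linked = link_by_quasi_identifiers(RESEARCH_EXTRACT, VOTER_ROLL)
    print(f"{len(linked)} of {len(RESEARCH_EXTRACT)} records re-identified by linkage")
    tokens = [r["token"] for r in RESEARCH_EXTRACT]
    print("unkeyed tokens recovered by dictionary attack:",
          len(dictionary_attack(tokens, CANDIDATE_IDS, naive_token)))
    keyed = [keyed_token(pid, DEMO_KEY) for pid in ("MRN-100231", "MRN-100498")]
    print("keyed tokens recovered without the key:",
          len(dictionary_attack(keyed, CANDIDATE_IDS, naive_token)))
    print("k-anonymity raw:", k_anonymity(RESEARCH_EXTRACT),
          "generalized:", k_anonymity([generalize(r) for r in RESEARCH_EXTRACT]))
```

Three of the four records are re-identified by linkage alone, without touching the token, and all four unkeyed tokens fall to enumeration of the assumed MRN space. Keyed tokens resist the enumeration, but they remain persistent pseudonyms: anyone who holds the key, including a facilitator you hand it to, can regenerate them, and the linkage on the remaining quasi-identifiers works regardless of how the token was produced. That is why generalization (or a larger k) has to be assessed separately from tokenization.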

Patient 360

With stronger data security mechanisms in place, however, researchers and physicians can share a full view of their individual patients without exposing identifying information. As a result, tailored treatments can be identified and more data can be gathered to assist patients with similar demographics, genetic makeup, and symptoms. When data gathered from all points of an individual’s care journey is easily accessible, it not only makes the treatment received more individualized, but can also identify care gaps, reduce medical errors, and improve health outcomes. This is all thanks to continued advancements in data-sharing technology.

Patient Data Used for Clinical Research
How Improvements in Data Security and Patient Privacy Can Impact Clinical Research

Technological advancements to improve the security of healthcare data sharing can have a huge impact on the field of clinical research, too. When it comes to conducting research and clinical trials for treatments or drugs, one of the most important elements is participation. Data security and patient privacy are essential elements for participation. Why? Not only does patient privacy foster the kind of trust-building that encourages participation, but advancements in data security can improve and increase participation by removing barriers including geography and the cost to travel to these trial locations, instead allowing participants to be involved from anywhere more securely.

Decentralized Trials

Take decentralized trials, for example. Currently, most clinical research and clinical trials recruit participants from within a geographical region, which limits the research population. While travel is possible, it’s costly, especially in a trial or research phase when monitoring is essential. Therefore, one of the biggest impacts on research will be the ability to conduct decentralized trials.

According to Pew Research, around 21% of Americans currently wear a fitness or health tracking watch, with more adults expected to join the ranks in the next few years. Mass adoption of wearable technology that tracks both fitness and health means doctors and researchers won’t be limited by geography when seeking research participants. 

The complication, however, is how to transmit that data in a way that maintains patient privacy and data integrity. Elevated data security, like cryptoidentity with orchestrated triple-blind facilitation, means the data can be gathered in decentralized locations and shared with the primary research facility – all in a way that adheres to HIPAA regulations and maintains data security and privacy.

One of the other major boons to clinical research is the ability to gather and access detailed information about individual patients without compromising identity. Currently, data used for clinical research is frequently aggregated to protect individual identities, because individual-level records, even with direct identifiers removed, carry a risk of re-identification. The data being used is therefore less precise and thus less effective. But enhanced data security and connectivity has the potential to reshape the way research is conducted. Instead of just assisting in the care of individual patients, it opens the door to advancing large-scale clinical research in a way that revolutionizes medicine.

How Cryptoidentity Will Change Data Security

There is significant potential for an elevated data security mechanism like cryptoidentity to finally usher in healthcare’s digital transformation. Current methods of ensuring the security of healthcare data limit what data doctors and researchers have access to and how that data can be used, showing that there’s room still for more improvement.

With Karlsgate’s cryptoidentity and triple-blind facilitation, however, the game changes. Not only does it remove the risk that third-party facilitators can decrypt or reidentify data, but they can’t reuse it either. Cryptoidentity and its zero-trust sharing mechanism ensure that the owners of patient data retain ownership, further improving both the security and integrity of their data.

In short, Karlsgate’s technology provides healthcare organizations the ability to share detailed and accurate healthcare data, solving for processing and standardization issues, all without breaking HIPAA compliance or exposing PII. If you’re ready to advance your healthcare organization or your clinical research in a way that encourages and expands participation and improves outcomes, reach out to the Karlsgate team today for a demo. We’re ready to help you and your patients move into the future.