What the Facebook Scandal Can Teach Us About Health Data Privacy

They say you learn more from your failures than successes. If that’s true, the health care industry owes a heavy debt to Mark Zuckerberg.

Many of us have come to accept the harvesting of personal information as a given. But the Facebook-Cambridge Analytica scandal highlighted the ramifications of information being shared without our consent.

These weren’t limited to Facebook’s massive valuation drop, congressional hearings or media fervor. The consequences were far greater – an erosion of public trust.

Is health care headed for the same cliff?

Yes. Only this time, it could be worse.

The health care industry is going through a profound transformation as the payment model moves from fee-for-service to value-based care. The “value” means that health care’s current $3 trillion annual price tag will increasingly be paid based on quality and outcomes, not the quantity of services.

Here’s the rub: 60 percent of health is gained (and lost) outside the health care system. For an outcomes-based model to work, we have to solve upstream conditions like food, transportation, housing and financial insecurities. Unsolved, these “social determinants of health” end up in the emergency room as readmissions and spiraling costs.

Across the country, health care providers and community-based organizations are beginning to work together to tackle social determinants of health. This new kind of collaboration requires unifying clinical and social data into a cohesive record of a patients’ actual lived experience during the vast majority of time they are not interacting with the health system. Take a recent heart attack patient, for example. It’s not enough to know this person’s weight, diabetic A1C score and blood pressure. We also need to ensure they have a ride to their cardiologist appointment and money to buy prescriptions.

This sharing of clinical and social information is necessary for successful alliances to participate in value-based care. But it also begs the question: what information can – and more importantly, should – they share? Does the food bank need to know someone’s spouse has HIV? Of course not. But what about a community-based organization letting a physician know her patient’s prescriptions were too expensive to fill? Absolutely.

The Health Insurance Portability and Accountability Act does not solve this safe-sharing problem. This federal law only applies to “covered” health entities such as hospitals and providers. There are also many other state and federal sharing laws that go far beyond HIPAA that dictate the types of personal information that can be shared, to whom, and for what purpose.

Which brings us back to Zuckerberg.

The consequences of mishandling or inappropriately sharing sensitive information are much worse than a website selling your preference for corn flakes to a third party. This information is as confidential as it gets. We must get this right.

Can we solve this complicated problem?

Turns out: Yes. And like most choices in life, there’s an “easy” solution and a “right” solution.

The easy solution is to collaborate in protected silos by sending simple “closed-loop” referrals. This has two problems. First, these systems focus on one issue at a time. But social determinants of health rarely happen in isolation. If someone needs a ride to an appointment, chances are they need help buying medications. To that end, these platforms fail to provide a holistic, shared view of the person’s circumstances.

Second, because this approach doesn’t monitor people across collaborators, you can’t know if upstream solutions created downstream outcomes. No outcomes, no value-based care.

For the past eight years, we’ve focused on finding the “right” solution. What has emerged is the first privacy framework of its kind that allows communities to safely share clinical and social information over time. Once a person gives consent on the software that hosts this collaborative network, our permission-based rules engine controls what information can be shared, when, to whom, and for what purpose.

Now, accountable networks of community-based organizations, health care providers, agencies and health plans are able to work collaboratively and compliantly. These shared longitudinal records provide a full picture of each individual’s whole-health needs, their social care plans and outcomes. The records stay with people over time, across care settings and health coverage.

Across the country, this new privacy model is promoting whole-person care for the vulnerable, improving outcomes and lowering cost. In San Antonio, Texas, for example, the area’s largest hospital systems, the mental health department, a homeless center, EMS, law enforcement and community-based organizations are coordinating social needs for a crisis population at the intersection of mental health and homelessness. The outcomes are dramatic, with savings in the thousands for each successful encounter.

As more collaborative networks spring up across the country, their results will continue to prove the value of safe and compliant information sharing between and among caregivers as a requirement for successful value-based care.

Mark Zuckerberg taught us not only the power of sharing, but also the danger of not thoughtfully protecting the owners of the data – the people. To ensure the public’s continued trust and to fully realize the dividends of the digital age privacy must come first.

Jamo Rubin, M.D., is president of Signify Community, a Social Determinants of Health platform that combines nationwide networks of clinical and social service providers, and is part of Signify Health, a health services company that uses technology to organize the financing and delivery of care around individuals to cater to patients’ clinical, behavioral and social needs.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult