MIT CDoIQ Symposium 2020: Doing More With Data

July 2020

Introduction

In healthcare, data is both a vital resource and a profound responsibility. Each prescription filled, procedure performed, or diagnosis recorded generates information that, if aggregated and responsibly shared, has the power to improve outcomes across the healthcare system. Yet, ensuring this data is handled in a way that respects patient privacy, meets regulatory requirements, and enables innovation is no small task.

I was honored to be invited to present during Privacy Analytics’ From Aspiration to Inspiration: Stories from Real Life Data Privacy Heroes at the MIT CDOIQ Symposium. My story highlights how the healthcare services industry—drawing on experiences I’ve had at the enterprise level—has evolved in building data privacy programs that balance compliance, trust, and innovation.

This case study is not about one company, but about broader lessons learned across the healthcare ecosystem as organizations grapple with the opportunities and challenges of deidentified data.

The Context: Healthcare Data and the Balancing Act

The healthcare services industry sits at the crossroads of multiple stakeholders: patients, providers, pharmacies, pharmaceutical companies, and payors. Each plays a critical role in the delivery of care, and each has an interest in the data generated through these services.

The Health Insurance Portability and Accountability Act (HIPAA) provides a framework that allows health data to be deidentified and used for secondary purposes—so long as this usage aligns with customer-granted data rights. Deidentification programs are therefore foundational to ensuring that data can support the broader healthcare delivery value chain.

But here lies the challenge: companies must balance the potential value of aggregated insights with the privacy rights of individuals and the obligations to multiple parties. As regulatory frameworks advance and stakeholder expectations grow, success requires both strong compliance guardrails and a culture of trust.

The Market for Deidentified Data Applications

Deidentified health data exchanges enable valuable services across the ecosystem. They help manufacturers manage operations more effectively, inform investment decisions, and enable cost-efficient care delivery. Covered entities increasingly see value in these programs when they are underpinned by transparency and robust compliance practices.

At the same time, the market is shifting in several important ways:

New participants are emerging. Where once a handful of data aggregators dominated, today more niche providers are entering the market.
Demand for granularity is increasing. Stakeholders want richer data to power advanced models.
Broader linkages are being pursued. Participants seek to combine deidentified PHI with other relevant data sources, such as technology usage, lifestyle patterns, media consumption, and social determinants of health.

Pharmacy data offers a clear illustration. The uses of pharmacy deidentified data have expanded well beyond traditional aggregators to include health economics research, real-world patient behavior profiling, and payor-manufacturer quality programs. Specialty medications add another layer of complexity, as limited distribution networks require careful coordination between pharmacies and manufacturers while ensuring that patient tracking remains deidentified.

Similarly, payors are implementing care models that balance risk and incentivize providers for quality care. These models depend on new backbones of information exchange, often facilitated by deidentified datasets. Each innovation delivers real value, but also introduces new risks that must be identified and mitigated.

The Internal Value of Deidentified Data

Deidentified data isn’t just valuable in external exchanges—it also delivers important internal benefits for large organizations.

First, it enables the development of curated internal datasets. By investing the effort upfront to create robust deidentified resources, companies can accelerate deployment of data for new use cases. Each subsequent application is still subject to review and approval, but starting with a deidentified baseline reduces the need to reinvent the wheel each time.

Second, deidentified data helps reduce both risks and costs associated with internal data exchanges. Even when data rights allow for PHI sharing, organizations may choose to deidentify data before exchange. This reduces the volume of high-priority PHI applications, lowering compliance burdens while still meeting business needs.

In short, deidentification is not simply a regulatory checkbox. It is a proactive strategy for enabling safe, efficient, and innovative data use at scale.

Key Success Factors for Privacy-Driven Data Programs

Whether dealing with PHI or deidentified data, success hinges on a common set of principles and practices. Based on industry experience, the following factors stand out:

Build a strong backbone of privacy and compliance. Establish a culture of quality where data rights, standards, and responsibilities are deeply ingrained.
Invest early in data rights tracking and documentation. It is far easier to establish clear records and catalogs from the start than to retroactively untangle a web of contracts and obligations.
Deploy process tools to reduce friction. Automating compliance workflows—using platforms such as JIRA or Salesforce—helps streamline approvals, track data rights, and monitor risk in real time.
Adopt nimble data management and sharing tools. As standards for data delivery evolve, organizations must embrace flexible platforms while embedding guardrails to ensure compliance.
Trust but verify. Even with deidentification and encryption, ongoing verification is essential. Programs should include pre-filtering, third-party risk management, and “Privacy by Design” principles to maintain trust across the data lifecycle.

Conclusion

The story of deidentified data in healthcare is one of both opportunity and responsibility. When managed effectively, it empowers organizations to improve care delivery, enable innovation, and support stakeholders across the ecosystem. But realizing this value requires deliberate investment in privacy, compliance, and culture.

As the healthcare landscape evolves—with new entrants, richer data demands, and emerging risk models—the importance of balancing aspiration with operational rigor has never been greater.

In sharing this case study, my goal is to inspire confidence that privacy and innovation are not opposing forces. With thoughtful strategies and strong foundations, we can deliver on the promise of healthcare data while upholding the trust that patients, providers, and partners place in us.