California recently (2023) signed new privacy legislation, The Delete Act, that imposes regulations on “data brokers” that maintain consumers’ personal information. The law mandates that data brokers erase all information they hold on an individual upon request. While 12 states and increasing global regulations have similar data privacy laws giving residents the right to request their data be deleted, California’s new law is the toughest in the United States.
While the law primarily targets brokers that sell consumer data, the Delete Act and similar legislation will significantly affect the healthcare industry. Providers, payers, and health tech companies now have access to exponentially more data. Personally identifiable information (PII) and protected health information (PHI) must be handled in a manner that protects consumer privacy and complies with growing regulations. This is increasingly challenging as the amount of healthcare data generated proliferates.
When consumers exercise their right to delete data, healthcare organizations must have systems and processes in place to locate that individual’s information across all data stores and delete it promptly and thoroughly while safeguarding the integrity of their records. They must also verify that the data belongs to the person requesting deletion to avoid hefty regulatory penalties. However, as healthcare data swells, the risk of duplicate, inconsistent, or inaccurate person identity data increases across the healthcare ecosystem.
Preserving Data Integrity with Enterprise Master Person Index Solutions
Many healthcare organizations use Enterprise Master Person Index (EMPI) solutions to address these challenges. By acting as a central repository of identity information, EMPI solutions provide a consistent and accurate way to manage unique individuals’ information across disparate systems. They are a cornerstone for proper patient identification, data integrity, data quality, and interoperability.
Some EMPI solutions use “referential data” – any information used to make sense of other information – to augment existing healthcare data, often from systems such as third-party licensed credit reporting databases. Cross-referencing records from these various systems helps the EMPI make more accurate matches and perform database hygiene.
While it seems practical, the use of referential data is out of alignment with current trends toward stronger privacy regulations and more controlled use of collected data, like California’s stringent new law. The company that receives the deletion request – in healthcare, the hospital, health system, or technology vendor – does not own the referential data, making it near impossible to comply with these new regulations.
To effectively mitigate the challenges involved in managing data within an EMPI system, it is important for the system to prioritize the use of contextually relevant data. This can be done by favoring trusted data sources for a first match, using the organization’s own data as the primary source for matching records rather than referential data. To ensure that any remaining records are matched in a safe and future-proof manner, an EMPI system should introduce externally curated data sets in a managed way. However, keeping such curated data sets separate from owned data is best to maintain transparency, traceability, and compliance with relevant laws and regulations.
An EMPI system should assign each person a unique enterprise ID that remains with the record and is never repurposed. This enterprise ID should be traceable into the future to track data lineage and ensure compliance.
An EMPI solution that cannot demonstrate how reference data makes a match or enriches information creates risk, particularly in the event that the company supplying the credit data-based solution is acquired or loses access to its reference data contract. EMPI solutions that rely on referential data often can’t delete information upon request because they can’t trace it—making it out of compliance with relevant laws and regulations.
Conclusion
Regulations like the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), South Africa’s Protection of Personal Information Act (POPIA), and India’s Personal Data Protection Bill (PDPB) aim to give individuals more control over their personal data and how it’s collected and used. As data privacy regulations continue to expand worldwide, new complexities arise for healthcare IT technologies, such as those using referential data in EMPI solutions. Ensuring your EMPI solution uses transparent and traceable data to comply with privacy regulations is crucial to maintaining patient trust and avoiding potential legal issues.
To learn how to ensure your EMPI is compatible with growing data privacy regulations, contact Rhapsody.
For further reading:
