Could Digital Rights Management Solve Healthcare’s Data Crisis?

Today, academic medicine and health policy research resemble the automobile industry of the early 20th century — a large number of small shops developing unique products at high cost with no one achieving significant economies of scale or scope.

Academics, medical centers, and innovators often work independently or in small groups, with unconnected health datasets that provide incomplete pictures of the health statuses and health care practices of Americans.

Health care data needs a “Henry Ford” moment to move from a realm of unconnected and unwieldy data to a world of connected and matched data with a common support for licensing, legal, and computing infrastructure. Physicians, researchers, and policymakers should be able to access linked databases of medical records, claims, vital statistics, surveys, and other demographic data.

To do this, the health care community must bring disparate health data together, maintaining the highest standards of security to protect confidential and sensitive data, and deal with the myriad legal issues associated with data acquisition, licensing, record matching, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Just as the Model-T revolutionized car production and, by extension, transit, the creation of smart health data enclaves will revolutionize care delivery, health policy, and health care research. We propose to facilitate these enclaves through a governance structure know as a digital rights manager (DRM).

The concept of a DRM is common in the entertainment (The American Society of Composers, Authors and Publishers or ASCAP would be an example) and legal industries.  If successful, DRMs would be a vital component of a data-enhanced health care industry.

Giving birth to change. The data enhanced health care industry is coming, but it needs a midwife.There has been explosive growth in the use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Outside the physician’s office, disease registries, medical associations, insurers, government agencies, and laboratories have also been gathering digital pieces of information on the health status, care regimes, and health care costs of Americans.

However, little to none of these data have been integrated, and most remain siloed within provider groups, health plans, or government offices.

In the past, technical and cost issues have restricted efforts to share and integrate health care datasets. However, advances in technology permit a bold vision of a new infrastructure involving shared access to big data, computing power, and analytic tools. The resources exist to access and analyze extremely large health data sets in the secure, HIPAA compliant, computing environments of data enclaves.

Data enclaves are a “secure computing environment, firewalled from outside intrusion, accessible only by authorized users, that allows for remote access to microdata where the inflow and outflow are controlled and monitored by either experienced confidentiality officers or by algorithms, whereby users have access to analytic tools and only those data they are licensed to use.”

The governance issues. What remain to be resolved is how to legally and administratively bring the data together:

  1. how multiple stakeholders will provide data under standard contribution agreements;
  2. how to link extremely large and multi-year files, match records across datasets, and provide statistical deidentification where necessary; and
  3. how to license these data to multiple researchers under standard use agreements.

As stated above, we suggest that these tasks be solved by a digital rights manager.

How the DRM will work. Data owners, such as provider groups, are reasonably concerned about unfettered access to data. Therefore, the DRM’s most important job will be to provide a low-cost, reliable, and technically and legally protective environment in which data owners are comfortable placing their data. The DRM will negotiate data contribution agreements with each data owner, and the DRM will grant access to data users consistent with these agreements.

Thus, a DRM will reduce the burden on potential data contributors giving them greater incentive to participate and share data by allowing them to deal with a single responsible party.

The DRM will also have a responsibility for fulfilling all the legal requirements that must be met—under HIPAA, state law, or otherwise—relative to the uses of the data. The DRM will also negotiate software-licensing agreements and arrange for commonly required intermediate value added services such as encrypted provider or individual identifiers or statistical de-identification.

To do so, the DRM will require specialized expertise in the HIPAA, statistical de-identification, and an enhanced institutional review board with an understanding of big data risks and opportunities.

Under this governance structure, health data owners who want to generate useful insights from their health data can do so securely. Their data, when shared, will be secure, their confidential information will remain protected, and they will not be burdened with administrative expenses associated with distribution, licensing, or oversight associated with their data.

In essence, all of these tasks can be efficiently contracted out to a common technology platform entity so as to reduce the burden on data owners, thereby making more likely that they will share their data. Thus, together, the DRM and the data enclave can transform health data into smart data (Figure 1).


Great benefits and manageable risks. The potential benefits of smart health data are great, but data must be actionable. To that end, the previously outlined governance structure removes barriers and creates new opportunities. For patients, the enclave will be an opportunity to receive better care from evidence-based practice and personalized medicine.

For physicians, more complete and accurate patient information will enable the delivery of better care. For health policy researchers and policymakers, linked data will allow for a better understanding of trends and the impacts of policy initiatives. As a result, the enclave offers an efficient setting in which to engage in comparative and cost effectiveness research.

Some may question the wisdom of hosting so much data. We believe that smart data enclaves will mitigate the risks to patients and providers. As a country, we are missing an opportunity to maximize the gains from the already expended effort to create EHRs and from nearly two decades of HIPAA compliant health data use. Entire generations of medical professionals and researchers are unfamiliar with administrative claims and registry data due to the absence of cost-reducing shared infrastructure.

The question should not be whether we should have a smart health data world, but how soon can we make it happen.

Newman, David, Herrera, Carolina, Frost, Amanda, Parente, Stephen. The Need For A Smart Approach To Big Health Care Data, Health Affairs Blog, 27 January 2014. Copyright ©2014 Health Affairs by Project HOPE – The People-to-People Health Foundation, Inc.

11 replies »

  1. The concept of digital rights management as a technology from dvd, cds, is not what is being proposed here — quite explicitly it is the introduction of a legal regime that makes holders of data more secure in the sharing of the data and a legal regime that makes gaining access to the data easier. Moreover, at the intermediate step, there are numerous value added components that can be introduced, such as matching across data, that reduce the cost to researchers wanting to use these data.

  2. This is just smart enough sounding to pass through the TCHB filters (which are usually quite good), but the ideas here are mostly bunk. The ideas here are valid to the degree that they are not specific and to the degree that they are specific they are not valid.

    What you are suggesting is something pretty similar to the “Health Data Bank” that floated for years… in that respect it is an interesting idea… and worthy of discussion.

    But you are referencing a technology stack with DRM that is universally regarded as a broken technology, which means that no reasonable technology strategy can be built on top of it.

    DRM makes it difficult for people with legitimate access to data to leverage that data. People who want to do naughty things like share DVD’s or illegally upload/download other peoples copyrighted music online just learn to work around DRM. So its basically missing for anyone with ill-intent and inconvenient for anyone who is honest.

    Most importantly DRM as a technology has no practical application in Health IT. If you have a successful DRM-based access to Lady Gaga’s latest signal then you can play it but not upload it to the Internet. If you had DRM-based access to Lady Gaga’s health record then you can see that she recently had gallstone surgery (or whatever) and then you know that and you can call the newspaper and tell them. DRM as a technology just does not apply.


  3. The perspective of a hurting person forced to seek the help of a physician doesn’t come through in this post. Just because technology enables mass universal surveillance does not mean we should rush to build the panopticon.

    Are we headed for one big enclave for everyone and everything on the planet or does each physician post on her door which enclave they will send the patient’s data to? Do I have a choice of enclave and can that be the only place where my personal data goes?

    Will access to the data in the enclave favor corporations over communities, licensed professionals vs. amateurs, domestic vs. foreign interests? Will it cost money to access the enclave? How much environmental and family data does the enclave collect along with my own medical data?

    The only scalable solution to healthcare’s data crisis is to empower individuals with convenient centralized identity and authorization management and a meaningful choice among competing centralized service providers. If DRM serves the individual first, fair and practical governance for research and public health uses will follow.

  4. This jargon still leaves many questions re patient privacy over their medical records: two quotes follow….one from J. Salwitz MD and the second from Randy Barnett law professor at Georgetown.
    “However, it is vital, as we pursue this technology, that we guarantee each person has control over his or her records. Patients must be able to determine who can and cannot see their E-Chart, whether it is other doctors, pharmacies, insurance companies or hospitals. They must decide which parts of the records are shared, as well as when and why. In much the same way we share our bank accounts, deciding who can withdraw funds (i.e. automatically paying your mortgage each month) or who can deposit dollars (i.e. electronic payroll deposits), as well as who can read your bank statement (or not), records must be under the tight control of patients.”

    Prof Barnett:
    “One thing that hasn’t happened yet….and I don’t know when it is going to….I hope it is soon….and that is the digital records….digital medical records…..means that the NSA isn’t going to have to monitor your cell phone or emails to figure out what illnesses we have. It is all going to be digitized and within reach….not encrypted….or not encrypted enough to prevent then from accessing it. So every doctor you have seen and every shrink you may have talked to is going to be something the federal government is going to have access to because of this mandated digitization. We haven’t got there yet. The public hasn’t focused….even the intelligentsia hasn’t focused on this yet.”
    Randy Barnett
    Comments January 7, 2014
    Randy E. Barnett is the Carmack Waterhouse Professor of Legal Theory at the Georgetown University Law Center

  5. I know each States (and regions within) HIE progress differs quite a bit. There are many HIE’s that are gaining critical mass in some regions. Could the DRM sit on top of the regional HIE infrastructure to support the country wide sharing? I do agree that it will probably take some kind of central governance to be effective…

  6. Digital rights management (DRM) is a class of technologies[1] that are used by hardware manufacturers, publishers, copyright holders, and individuals with the intent to control the use of digital content and devices after sale;[1][2][3] there are, however, many competing definitions.[4] With First-generation DRM software, the intent is to control copying; With Second-generation DRM, the intent is to control viewing, copying, printing and altering of works or devices. The term is also sometimes referred to as copy protection, copy prevention, and copy control, although the correctness of doing so is disputed.[5] DRM is a set of access control technologies.[6][7] Companies such as Amazon, AT&T, AOL, Apple Inc., Google,[8] BBC, Microsoft, Electronic Arts, Sony, and Valve Corporation use digital rights management. In 1998, the Digital Millennium Copyright Act (DMCA) was passed in the United States to impose criminal penalties on those who make available technologies whose primary purpose and function are to circumvent content protection technologies.[9]

    The use of digital rights management is not universally accepted. Some content providers claim that DRM is necessary to fight copyright infringement online and that it can help the copyright holder maintain artistic control[10] or ensure continued revenue streams.[11] Proponents argue that digital locks should be considered necessary to prevent “intellectual property” from being copied freely, just as physical locks are needed to prevent personal property from being stolen.[12] Those opposed to DRM contend there is no evidence that DRM helps prevent copyright infringement, arguing instead that it serves only to inconvenience legitimate customers, and that DRM helps big business stifle innovation and competition.[13] Furthermore, works can become permanently inaccessible if the DRM scheme changes or if the service is discontinued.[14]
    Digital locks placed in accordance with DRM policies can also restrict users from doing something perfectly legal, such as making backup copies of CDs or DVDs, lending materials out through a library, accessing works in the public domain, or using copyrighted materials for research and education under fair use laws.[12] The Electronic Frontier Foundation (EFF) and the FSF consider the use of DRM systems to be anti-competitive practice.[15][16]

  7. DRM is viable where there is broad federal and states’ consensus as to the “ownership” (and distribution of value) of “intellectual property.”

  8. Well, let’s put it this way: DRM seems to have worked fairly well for content, my confusion over the finer points of managing my digital music collection notwithstanding ..