To realize the transformative potential of big data, health care providers and other stewards of patient information must implement effective data governance. The challenges are significant, however, especially for special categories of data such as protected health information and personally identifiable data. Providers must create an efficient process that concurrently addresses a number of complex privacy, cybersecurity, business, and legal considerations.
What’s the solution? The secret is excellence in the mundane: transparent processes and governance that enable more intensive oversight of partnerships when necessary, without creating an overly cumbersome bureaucracy for routine data sharing.
As artificial intelligence (AI) and related capabilities mature, providers face growing opportunities to create clinical, operational, and financial value by sharing patient data with innovative partners. For example, companies such as Flatiron, Tempus, and 23andme have created significant value by applying AI and analytics to patient data. To capture these opportunities, organizations are sharing data across a large number of vendors that provide services to improve patient care.
But these data-sharing arrangements have attracted increasing scrutiny from the public and regulators. Because regulators have imposed very strict standards, providers generally cannot share protected health information without a patient’s consent, although there are limited exceptions. A number of recent public controversies—relating to, for example, Ascension’s partnership with Google and Memorial Sloan Kettering’s engagement with an AI startup—illustrate the importance of implementing effective data governance and cybersecurity.
Strong governance is challenging for many reasons. Business leaders want to swiftly resolve oversight decisions in order to capitalize on the potential for fast-moving digital innovation, but providing adequate control across multiple organizational functions (such as privacy, cybersecurity, and legal) is complex. Moreover, organizations must develop processes that allow them to fairly assess the value data-sharing arrangements bring to potential partners and ensure that partners receive their appropriate share of that value.
The inability to manage data-sharing governance well can create a backlog of approval requests and long processing times. This results in frustration among business leaders seeking to share data and makes providers less attractive to potential innovation partners.
By capably governing their data sharing, providers can capture the value of data while mitigating the risk. Effective governance allows them to carefully consider data commercialization opportunities, ensure that the business arrangement aligns with their mission to promote community health, and engage with stakeholders in the community. At the same time, it enables compliance with all legal and regulatory requirements and minimizes cybersecurity risk. Successful partnerships between Intermountain and Amgen and Geisinger and Regeneron, for example, have delivered value to both organizations, and more importantly to their patients.
Although details can vary across providers, achieving effective data-sharing governance generally requires:
The key to an effective governance structure is balance. Structures that require senior-leadership involvement in all data-sharing decisions, even routine ones, create bottlenecks and incentives to circumvent the process. Conversely, structures that do not define clear escalation pathways increase risk exposure by failing to provide adequate oversight. Providers with effective governance structures use clear criteria, tied to risk level, to decide when to involve senior leaders.
Escalation to senior management should be triggered when a data-sharing request is accompanied by nonroutine levels of risk—such as when the data shared is more than the minimum necessary for the intended purpose. Other examples include data requests that involve:
An effective structure has multiple tiers of oversight. (See the exhibit.) Approval by the board or senior management (or both) should be required for rare, high-risk requests, such as large commercial arrangements with significant potential to bring public scrutiny (likely fewer than a handful per year). The vast majority of requests, with lower levels of risk, should be adjudicated by designated data-sharing governance bodies guided by clear policies that ensure appropriate speed.
The most important characteristic of a data-sharing governance process is efficiency. To effectively manage risk, providers should have a centralized process that provides visibility into all sharing that occurs across the organization. It is critical that this process be fully transparent and not become overly bureaucratic or cumbersome, especially for routine requests. The goal is to avoid delays that frustrate business owners who submit requests, which could lead to noncompliance. To hit target turnaround times, organizations need to ensure that the process has the appropriate resources, including dedicated employees and essential technology (described below). These investments will pay for themselves as providers capture greater value from their data.
Providers can foster efficiency by creating a streamlined intake procedure that quickly identifies the level of oversight required and improving coordination among the functions involved in evaluating requests (such as privacy, compliance, cybersecurity, IT, and legal). Additional efficiencies can be realized by maintaining a high level of communication and transparency with business owners on the status of their requests, including rapidly flagging outstanding information required to complete evaluations. A streamlined process also removes redundancies among functional evaluations—the goal is to ask each question only once.
In addition to implementing a clear decision-making and evaluation process, providers need to develop several supporting programs, including:
Building effective data-sharing governance requires more than well-designed structures and processes—investment in technology is critical to ensuring that the process runs smoothly. Digital tools are needed for consistent, timely, and secure data sharing. They can increase efficiency by enabling automation and helping to operationalize the workflow.
Key technology enablers include:
Recently available cloud technologies provide streamlined capabilities for establishing and enforcing data-sharing governance. These technologies provide long-term integrated solutions but require enterprise-wide cybersecurity and data protection policies that cover cloud data management models, as well as the ability to manage cloud infrastructure.
As technology transforms health care, providers must ensure that patient data is used safely and ethically. Effective data-sharing governance is essential for making this happen. The challenges are significant, including the need for sophisticated coordination across functions, investment in enabling tools, and grappling with ethical considerations at the leading edge of innovation. The first providers to overcome these challenges will be at the forefront of unlocking the potential of big data in health care.
ABOUT BOSTON CONSULTING GROUP
Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we work closely with clients to embrace a transformational approach aimed at benefiting all stakeholders—empowering organizations to grow, build sustainable competitive advantage, and drive positive societal impact.
Our diverse, global teams bring deep industry and functional expertise and a range of perspectives that question the status quo and spark change. BCG delivers solutions through leading-edge management consulting, technology and design, and corporate and digital ventures. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, fueled by the goal of helping our clients thrive and enabling them to make the world a better place.
© Boston Consulting Group 2023. All rights reserved.
For information or permission to reprint, please contact BCG at firstname.lastname@example.org. To find the latest BCG content and register to receive e-alerts on this topic or others, please visit bcg.com. Follow Boston Consulting Group on Facebook and X (formerly Twitter).