Community Brain Trust | 3/12/24

Healthcare data privacy, digital innovation consultancies, KPIs for data engineering, and more!


In case you missed them, here are highlights of a few interesting conversations from different channels:

Threads included below:

  1. Navigating Healthcare Data Privacy and Vendor Relationships

  2. Revolutionizing Healthcare Integration with Retrohook

  3. Recommendations for Consulting Firms in Digital Innovation Strategy

  4. Challenges of Accessing Clinical Data from Another Vendor for Hospitals

  5. KPIs for Measuring Data Engineering Effectiveness

1. Navigating Healthcare Data Privacy and Vendor Relationships

Q: Curious if there are any repercussions related to healthcare data as I see this often (e.g. one of Change Healthcare’s main assets of interest to United was the ability to use the majority of transaction data for analytics) in data analytics and processing vendors.

If PHI is obtained via legal means via data processing vendors under BAA but after the contract with the client ends, doesn’t it technically violate HIPAA since it is being accessed by another party?

If an analyst runs a query on data no longer under BAA and the analyst is no longer a covered entity, isn’t this a massive breach? I feel this happens in the wild wild west arena of real world data and AI/ML vendors who aren’t upfront about where they obtain the data.
– Jung Hoon Son M.D. | via #topic-policy-regulation-legal

Thread Summary: In a thought-provoking discussion, members delve into the complexities of healthcare data privacy when working with data processing vendors. The conversation touches on issues such as data rights post-contract, data destruction requirements, deidentification of data, legal mechanisms for pursuing data deletion, and the implications of breaches on HIPAA compliance. Valuable insights are shared regarding the nuances of Business Associate Agreements (BAAs) and the importance of understanding and upholding data privacy regulations in vendor relationships.

Top Response:

Mark Olschesky: Most BAAs indicate that you lose data rights once the agreement terminates and may require certain guarantees in certification of data destruction.

But to your point, some vendors may be less than ethical about that deletion when not required.

You'd have to review the specific terms of the BAA. The HHS one has some wording on it like this which is pretty standard:

D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate's agents and subcontractors. If return or destruction of the PHI is not feasible, in Business Associate's reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.D. will survive any termination of this BAA.

The data might not need to be deleted so long as the business associate agrees to use the data per HIPAA (which, since they are no longer providing the services, should never need to access identifiable data anymore). So, if that wasn't followed, the BAA generally indicates that the BAA would be terminated and that the covered entity (or business associate to their subcontractor) would report them to HHS. To your point, if that would be bad optics it would be bad optics, but technically speaking if there is a breach it has to be reported to HHS regardless.

To Michael's point, if the data is de-identified and the business associate retained data rights to de-id'd data upon BAA termination then they have that and nothing can be done about it.

If you wanted 2800 words on HIPAA, here you go: [Link to article]

2. Revolutionizing Healthcare Integration with Retrohook

Q: Thread: HealthCare Integration Engine discussion

We are trying to solve eCW integration and trying to figure out a more seamless solution to pull and push. Any insight anyone has into using the following platform would be greatly appreciated.

If anyone has any other recommendations, please feel free to DM me.
– Junaid Kaila | via #buildersask

Thread Summary: In a discussion on the HealthCare Integration Engine, members explore solutions for seamless eCW integration. Dave Boerner suggests FHIR for bidirectional needs or HL7v2 for data streams, while Anthony Leon praises Mirth for its open-source affordability despite a steep learning curve. Clint introduces Retrohook, a user-friendly tool with no code requirements, ideal for healthcare integration. Excitement builds as members plan to test Retrohook for eCW integration, anticipating a game-changing experience.

Top Response:

Anthony Leon: ECW and seamless integration are rarely in the same sentence 🙂 It has a reputation for a reason. If some of these newer orgs can do it, bi-directionally and at a low cost with no / low code / minimal effort, that's game changing and a welcome breath of fresh air. The legacy ones like Mirth, Rhapsody, etc have moved to more managed services to help make things "seamless" but that's just them doing the manual work vs your team.

I'm a biased fan of Mirth because that's where I started my interop career and the price point for open source is nice, but it definitely has a steep learning curve. Funny enough, quite a few interop companies use Mirth behind the scenes to plug holes in the product and others built layers on top of Mirth to automate things.

You piqued my curiosity on Retrohook as I'm not familiar with them, but if you end up going that route, I would enjoy your feedback.

3. Recommendations for Consulting Firms in Digital Innovation Strategy

Q: I work for a health system. I'm interested in engaging a consulting firm to help us put together a strategy for digital innovation. Any recommendations? I'd appreciate specific contact person/contact information. TIA for your help!
– Anonymous Bot | via #random

Thread Summary: Members in the HTN community shared valuable recommendations for consulting firms specializing in digital innovation strategy for health systems. The thread includes suggestions such as SG2, Franklin Advisory, Rock Health Advisory, Oliver Wyman, Panda Health, AVIA, and HealthAdvances. Members offered to make introductions, share contact information, and provide insights based on their experiences, showcasing the collaborative and supportive nature of the community.

Top Response:

Sarah Cohen: Agree it depends on budget and scope. Oliver Wyman is a larger firm working with lots of major systems and does a lot of tracking around digital health co’s (if HTN doesn’t have enough of those for you) through their Innovation Center. They’re a good option to consider if you have a flexible budget and are interested in support on both strategy + rollout. Example here of some of their content.

Disclosure: used to work there so slightly biased. Can make an intro if interested.

4. Challenges of Accessing Clinical Data from Another Vendor for Hospitals

Q: Please please dumb it down for me - if a hospital wants to use my product and my product relies on clinical data from another vendor the hospital pays for, how hard will it be to get those data? I generally understand things like Epic fees, the limited technical resources at hospitals. But what’s the real challenge I’m missing?
– Anonymous Bot | via #buildersask

Thread Summary: Members delved into the complexities of accessing clinical data from another vendor for hospitals. The conversation highlighted the challenges of building business relationships to share PHI, prioritizing integration resources, and implementing technical workflows. Members shared insights on leveraging sanctioned interfaces for data integrity, navigating IT pressures in healthcare institutions, and the importance of detailed data specifications. The thread also offered resources for further reading on data integration strategies.

Top Response:

Pryce Ancona: This is a really good primer on deciding how you want to access the data from a technical perspective: [Link to article]

Will you leverage interfaces or APIs that are explicitly built by the software vendor to communicate from database to external system? Will you use RPA to rip whatever you can out of a user interface? Will you go direct to database and crawl over all of the tables to aggregate the data you need?

I'd recommend using sanctioned interfaces because they are the safest and offer the highest integrity of data, but then you basically take your hypothetical data acquisition possibilities and narrow them down significantly to "whatever the system makes available, whenever it makes it available, however it makes it available".

To avoid typing about this forever and getting nowhere, I'll stop and say that I think the real challenges are, in order:

1. Building a business relationship where all parties involved are willing to share PHI

a. This could be a BAA or it could be under the pretense that everyone is a covered entity, as is the case with Carequality

2. Getting the various systems to prioritize integration implementation resources, if required

3. Implementing the technical workflow

a. This mostly gets challenging because you may have to straddle standards, communication methods, authentication types, etc.

5. KPIs for Measuring Data Engineering Effectiveness

Q: What specific metrics do you use to track data engineering effectiveness?

I’m embarrassed to say that we have plenty of KPIs to measure sprint velocity, but we’re only just starting to measure WHAT we work on and how valuable it is to the org.
– Brian Sage | via #buildersask

Thread Summary: The Nerds discuss ideas and best practices for establishing KPI metrics to measure what a data engineering team works on and how that work impacts the broader organization.

Top Response:

Andrew McFarland: It will depend on if these metrics are for tech or business stakeholders, but two very broad metric categories I have used:

1. Time-based measurements

a) e.g. By building X dashboards/reports for customer success, we cut our average resolution time by Y%

b) e.g. By implementing data governance standards throughout the data pipeline, we reduced our average data cleaning efforts by Y story points per sprint

2. Cost-based measurements

a) e.g. Switching from full data loads to incremental has cut our cloud costs by $Y per month

I tried to keep the examples directly related to DE. However, if you are at a data-driven org or sell data products, you can also measure DE value via downstream items such as product analytic insights (e.g. our data suggests nobody uses X in our product, we should cut it), ML/AI predictive accuracy (bad data in, bad predictions out), etc.


If you have your own question(s) to ask, don’t forget that a good place to start is our HTN Knowledge Bot. It’s our smart search tool, powered by ChatGPT, that makes it easier to access the wisdom shared within the HTN. You can log in and use it on the website (here) or see how to use it directly in Slack here.

Check out the example ask below!

Member Question:

What startups are building in the Alzheimer's and dementia space?

Knowledge Bot Answer:

There are several startups that are building in the Alzheimer's and dementia space. Here are some notable ones:

1. is a platform for dementia prevention and management aiming to democratize specialist dementia care. They provide a platform for personalized dementia assessment, monitoring, and care planning. You can learn more about them here.

2. Neuroscape: Neuroscape is a company that is developing a virtual reality (VR) platform for dementia and Alzheimer's. Their VR app, called Labyrinth, aims to support research and prevention of Alzheimer's disease. You can find more information about them here.

3. Together Senior Health: Together Senior Health focuses on Alzheimer's disease and Medicare Advantage plans. They have transitioned from research mode to commercial launch and aim to make a meaningful impact in the Alzheimer's care space. You can read more about them here.

4. Cognito Therapeutics: Cognito Therapeutics is a medical device company focused on developing non-invasive neuromodulation technologies for the treatment of Alzheimer's disease. They recently raised $73 million in a Series B funding round. You can read more about them here.

Please note that this is not an exhaustive list, and there may be other companies working in the dementia/Alzheimer's space.


Here we highlight helpful resources from across the community:
