cords for patients and their other healthcare providers.
While Mayo Clinic is dedicated to pursuing these solutions
and ideas, institutional leadership quickly realized that these
more innovative means of providing and managing care pose
some significant challenges.
Challenges to Address
Mayo Clinic realized that the institution has an abundance of
highly talented medical professionals and administrative staff
who specialize in healthcare, but it did not have the internal
expertise to develop or replicate the rapidly changing technological innovations that were occurring outside of the hospital
walls. This motivated Mayo Clinic to approach external technology companies and other specialists (“third parties”) that could
provide the technology solutions needed to meet the goals of
improving cost, quality, and access. As clinical departments at
Mayo Clinic began to rethink their care delivery strategies, the
volume of requests to engage external technology solutions increased dramatically and became nearly unmanageable.
In the midst of this increased demand for external technology
solutions and services, Mayo Clinic was ramping up its information security efforts in response to the increasing number of
significant cyberattacks and breaches occurring in the healthcare industry. The transition from paper medical records to
electronic health records was an incredible advancement from
a clinical care perspective, but it also made enormous amounts
of health information more accessible—and vulnerable—than
ever. Hackers are motivated to target patient data because it
generally has a higher resale value on the dark web than other
types of personal information.[1] A successful hacker can steal the
identity of millions of patients or encrypt a hospital’s servers to
block access to medical records until a ransom is paid.
Managing Competing Objectives
Mayo Clinic was faced with competing objectives: leverage PHI
to decrease costs, improve quality, and increase access to care
while also enhancing the protection and security of that same
data. From an information security perspective, allowing third
parties to receive, store, and/or access PHI posed greater risks.
Yet, many of the technology initiatives that Mayo Clinic wanted
to pursue would have been too costly and inefficient to develop
without the assistance of a third party with the necessary technological expertise.
There are many risk-related questions that arise when examining requests to disclose data. For example, what types of information security assurances and safeguards should be required for
the third parties who have access to PHI? Should a large, well-established third party receive the same degree of scrutiny as a
small start-up company with a cutting-edge technology product
to sell? How does a healthcare system manage and coordinate
the enormous volume of requests to share PHI with third parties?
How should a healthcare system manage subcontractors, offshoring,
and non-standard contract terms? How does an institution protect
ownership of its data and the intellectual property value it holds
when it is de-identified? Will other types of identifiable data held
by Mayo Clinic, such as the personally identifiable information (PII)
it holds in its role as an employer and academic institution, undergo
the same level of review as PHI?
Developing a Risk-Based Framework
Mayo Clinic leadership recognized that large-scale data transfers of sensitive PHI and PII needed sufficient oversight and
governance on an ongoing basis and as a result established a
Data Disclosure Oversight Committee (DDOC). The organization has a long history of utilizing multi-disciplinary teams in
clinical practice areas. Aligning with this tradition, the committee membership is strategically composed of a multi-disciplinary team of experts who bring their perspective and expertise to
the table. The committee includes representation from the clinical practice, privacy, legal, risk, information security, IT, supply
chain, and business development departments to help ensure
that a broad range of risks are considered during reviews. The
cross-disciplinary membership is essential for expertise and to
serve as a check and balance on the proponent, who is often motivated by a narrower agenda. Internal policies were established
requiring DDOC review of external transfers of PHI and PII during both the initiation of new third-party contracts as well as
during contract renewal phases.
The committee prioritized deploying a balanced approach
to supporting business and practice priorities while helping to
carry out sufficient governance and oversight of external data
transfers to third parties. They agreed that risks associated with
data transfer requests warrant examination, risk mitigation,
and, in certain circumstances, formalized risk acceptance. Early
in its inception, the committee recognized the importance of a
risk-based approach for reviewing data transfer requests and
of applying the same risk-based principles to vendor management. As the review process
evolved and matured, DDOC identified common risk categories that consistently surface in data transfer requests. A strategic priority was placed on documenting these common risk
categories to develop a corresponding risk scoring framework to
consistently calculate risk using a standard set of principles. The
risk scoring criteria promote a more standardized review and
consistent measurement of associated risks.
Standardized Data Disclosure Risk Scoring Criteria
Figure 1 on page 20 illustrates the standard risk scoring criteria developed by Mayo Clinic's DDOC and utilized within
the Data Disclosure Program. The overall risk scoring equation
combines vendor-specific and project-specific risk categories.
The weight given to each of the risk scoring sub-categories was assigned based on committee dialogue, consensus, and documented risk mitigation priorities.
Data Volume and Data Sensitivity
Heavy emphasis is placed on the volume of individually iden-
Third-Party Data Disclosure