September 27, 2018

Big Data: The Next Revolution in Healthcare Operations

Mary Beth Johnston and Leah D’Aurora Richardson, K&L Gates, LLP, Research Triangle Park, NC


Big data is everywhere.

In healthcare, big data refers to the large quantities of complex electronic data sets that are difficult to manage with traditional data management tools and software.1 The capture, conversion and analysis of healthcare big data through increasingly sophisticated data analytics is driving new and valuable insights simply not possible with small data. Knowledge gained through big data analytics has the potential to improve the quality and delivery and lower the cost of healthcare. In fact, it is the continuing explosive growth in healthcare costs that is driving the demand for big data in the healthcare provider sector. Such demand is driven primarily by reimbursement reforms which has shifted the focus from cost and volume based payment methodologies to rewarding value, efficiency, quality and outcomes. Such payment methodologies are dependent on practicing evidence-based medicine developed through big data analytics and are critical to population health management.

CMS Use of Big Data

As the largest single payor of healthcare services in the country, the Centers for Medicare & Medicaid Services (CMS) is facilitating and expediting the pace of healthcare’s big data revolution by using advanced data analytics for everything from fighting fraud and abuse to informing policy decisions and evaluating CMS programs to supporting research.2

In 2011, CMS implemented the Fraud Prevention System (FPS) to detect and prevent healthcare fraud, waste and abuse as part of its national comprehensive program integrity strategy. The FPS utilizes sophisticated predictive algorithms and analytics by screening all Medicare fee-for-service claims prior to payment to identify anomalous billing patterns. The red flags from this Medicare claims screening lead CMS and its contractors to conduct closer claims reviews and initiate fraud investigations. The FPS has proven quite effective. According to a recent report, CMS boasted $654.8 million in identified or prevented inappropriate payments during calendar year 2015 either directly through the FPS or indirectly through investigations with FPS involvement, which translated into an approximately $11.51 to $1 return on investment.3

In perhaps a lesser known example, CMS’s Qualified Entity (QE) Program is another part of CMS’s broader effort to utilize big data analytics to drive the improvement of healthcare delivery and quality while lowering costs. Implemented in 2012, the QE Program enables certain qualified entities to receive Medicare Part A and Part B claims data and Part D drug event data for use in evaluating provider and supplier performance and requires these entities to produce and publicly disseminate CMS-approved reports on provider performance that combines Medicare claims data with claims data from other payor sources, such as private payor data.4

The QE Program was recently expanded by the Medicare Access and CHIP Reauthorization Act of 2015 to permit qualified entities to create non-public analyses and provide or sell such analyses to authorized users, as well as to provide or sell combined data, or provide Medicare claims data alone at no cost, to authorized users.5 According to CMS, the expansion “allows approved organizations to confidentially share or sell analysis of Medicare and private sector claims data to providers, employers, and other groups that can use the data to support improved care.”6 As of August 1, 2016, CMS certified 14 organizations as qualified entities, including four organizations that report nationally.7

The Influence of Big Data on Institutional Healthcare Operations

Many hospitals and healthcare systems have developed advanced data analytics programs and invested in spin-off analytics companies to harness big data to improve healthcare operations and patient care. Such analytics programs have proven effective in predicting healthcare outcomes, guiding providers’ treatment protocols. In short, big data analytics have profoundly changed the manner in which institutional providers approach clinical operations and patient care. Because data analytical capabilities are required to harness the knowledge captured within big data, early converts to its potential understandably have been large health systems and academic medical centers. A few well-known examples are as follows.8

In 2012, Carolinas HealthCare System (CHS), one of the nation’s largest healthcare organizations, created its centralized healthcare analytics group, Dickson Advanced Analytics (DA²), which focuses on evidenced-based population health management, individualized patient care and predictive clinical modeling. CHS’s integrated advanced analytics platform has the ability to almost instantly integrate patient information with clinical, billing and claims data. CHS healthcare practitioners have access to real time patient specific readmission risk analyses, are able to analyze and identify clinical best practices, and utilize payor claims data to identify patients who need additional services to prevent future complications. In 2013, CHS joined forces with other healthcare systems to launch the Data Alliance Collaborative, which combines data and other resources from four geographically distinct healthcare systems and uses big data analytics to improve population health.9

The Mayo Clinic has also invested heavily in big data analytics across its national healthcare enterprise to both redesign its operations and improve healthcare delivery. Big data is further used to analyze and in turn mitigate payment reform’s impact on its bottom line. When a recent comprehensive assessment of the use of big data within the organization identified that the institution was spending more energy on collecting data than utilizing analytics to develop effective information that could be applied in practice, the Mayo Clinic committed additional personnel to its internal data analytics effort in order to focus on improving data quality while empowering personnel to utilize available data tools.10

Like many large healthcare organizations, the Mayo Clinic has also invested externally in big data analytics. In 2014, Mayo Clinic clinical personnel obtained outside venture capital investment and launched Ambient Clinical Analytics, a company focused on providing clinical support tools through an analytics platform to intensive care, operating room and emergency departments that is accessible in real time. Ambient Clinical Analytics’ platform includes clinical electronic medical record (EMR) and patient management tools that utilize analytics to filter relevant patient data and support best-care practices, and are meant to “make all of those things available at a glance without moving in and out of different applications, allowing for improved patient satisfaction and the ability to deliver care at a lower institutional cost.”11 Optum Labs, a private collaborative partnership focused on big data analytics to support healthcare research and innovations and its subsequent use in the clinical setting, grew out of a partnership between the Mayo Clinic and commercial insurer United Health Group. Optum Labs now includes among its partners pharmaceutical manufacturer Pfizer and the Department of Health and Human Services and is one of the four national scale reporting entities in the CMS QE Program.12

Cleveland Clinic has also integrated big data analytics into its healthcare operations system wide. Its Business Intelligence Department operates the Clarity Repository, which is an embedded data repository connected to the EMR that supports data warehousing, mining, management and analytics reporting. According to a senior program administrator within the Department, the focus of operating the Clarity Repository is answering meaningful questions that have the power to actually influence clinical decision-making and increase the quality of care at a lower cost.13

Like the Mayo Clinic, Cleveland Clinic commercialized a data analytics platform developed within its institution called Explorys, which was spun off as a separate company in 2009. The Explorys platform was purchased by IBM in April 2015 and now houses a clinical database that includes de-identified data on more than 50 million individuals from at least two dozen health system clients representing about 360 hospitals and over 55 million patients. Explorys offers real-time reports on a customizable dashboard of quality metrics and permits providers to analyze de-identified data from their own and other providers to identify patient risk factors, track clinical outcomes, and evaluate treatment models.14

Legal Considerations for Big Data Analytics

As the healthcare sector continues to collect and analyze big data and develop sophisticated analytical tools to corral big data’s utility, it is creating new legal questions and challenges not previously encountered.

Healthcare fraud and abuse laws, such as the federal Anti-Kickback Statute15 and the Stark Law16 are primarily focused on financial relationships in the healthcare industry, and therefore from a regulatory compliance perspective, the fundamental importance of properly analyzing and structuring financial relationships between healthcare entities and providers cannot be overstated. Compliant arrangements, most especially between providers that have referral relationships, must reflect a fair market value exchange of items and services, which includes arrangements related to the exchange of data sets, the development of analytics models, platforms and software, and results derived from data analytics. Generally, the healthcare industry relies on traditional valuation methods, such as cost-based, income-based, and market-based methods, to determine the fair market value of items and services and to structure compliant financial relationships. However, these traditional approaches are difficult to apply to data-related valuations, and there are no other generally accepted guidelines for properly analyzing the value of data and data analytics to date. Moreover, there are unique issues related to the actual value of the data exchange, particularly when the parties are permitted under the arrangement to retain a copy of their data. Consequently, concerns regarding properly structuring fair market value arrangements are heightened as healthcare providers seek to collaboratively commercialize and monetize data analytics platforms or evidence-based methodologies produced from data analytics programs. In order to remain compliant, healthcare providers must ensure that their financial relationships can pass regulatory muster.

The intersection between healthcare data analytics, patient privacy and humans subject research is another example. Big data repositories maintained by healthcare institutions may contain identifiable clinical data and payor claims data protected under federal law, such as the Health Insurance Portability and Accountability Act (HIPAA),17 as well as myriad state privacy laws. HIPAA, for instance, may permit identifiable patient data to be used for research purposes, which may or may not be subject to Institutional Review Board (IRB) review. However, even when the use of big data at this initial level is permissible under HIPAA and is being properly overseen by an IRB or is IRB-exempt,18 the results of these analytics are often used to construct additional data sets, analytics models and platforms, and software that are later used by other institutions to guide clinical decision-making as part of a collaborative or are commercialized. Sometimes even the big data sets themselves are intended to be transferred to databases for collaborative or commercial use. At what point do big data sets themselves, or the platforms, software and other results derived from such big data, whether used inside or outside the institution generating the data, become subject to other research requirements (notably, for instance, notice and consent requirements)? Or at what point does big data or its results cease to be protected by privacy and security requirements under HIPAA or otherwise?

Other novel legal and regulatory issues may include ownership as intellectual property of big data sets or the resulting analytics products, discoveries and insights; jurisdictional requirements related to cross border collection and transfer of data; federal and state regulation and restrictions related to the commercialization and monetization of big data sets, analyses, analytics products, and resulting discoveries; and liability, risk management and insurance coverage issues.


Just as the explosive growth of telehealth forced federal and state legislation and policy to advance and to modernize the thinking of lawmakers, insurers, and professional licensing boards, the use of big data analytics is creating legal and regulatory challenges for providers as technology once again outpaces the law and policy. However, at a seemingly faster pace than telemedicine, big data analytics has already proven an effective tool for providers to increase operational efficiency while improving clinical care at lower costs. For many institutions, data analytics is already firmly embedded in its operations and providers of all sizes will surely follow. Effectively assisting these clients will require sophisticated counsel that understand the broader legal and regulatory environment concerning the use, transfer, and commercialization of big data.


Mary Beth Johnston is a partner in the firm’s Research Triangle Park office and is co-leader of the firm’s healthcare practice group.  She concentrates her practice exclusively in health law, representing academic medical centers, hospital and health systems, accountable care organizations and other providers on a wide variety of regulatory and transactional matters, including but not limited to HIPAA and emerging data governance matters, Stark, Medicare Anti-Kickback Statute and Medicare reimbursement matters, and complex hospital reorganizations and acquisitions.  Ms. Johnston served as Vice-chair of the ABA Health Law Section’s eHealth and Privacy Interest Group from 2000-2003.  She may be reached at

Leah D’Aurora Richardson is a senior associate in the firm’s Research Triangle Park office.  Ms. Richardson focuses her practice on all areas of regulatory health law, including advice related to the 340B Drug Discount Program, appeals related to the Recovery Audit Contractor program, telemedicine, Medicare reimbursement, government investigations, and analysis of potential Stark and Anti-Kickback matters.  Ms. Richardson also has specialty expertise in the representation of academic medical centers on research, privacy and complex contracts arising in a university setting.  She may be reached at


Raghupathi and Raghupathi, Big Data Analytics in Healthcare: Promise and Potential, Health Information Science and Systems 2:3 (2014),


CMS, How CMS is Using Big Data to Spur Healthcare Transformation Presentation,


CMS, Fraud Prevention System Return on Investment,; The CMS Blog,


CMS, Medicare Program: Availability of Medicare Data for Performance Measurement, 76 Fed. Reg. 76,542 (final rule, Dec. 7, 2011). In order to be eligible as a qualified entity, CMS requires entities to demonstrate expertise and sustained experience (defined as three years or longer) performing a variety of tasks outlined in 42 C.F.R. § 401.705 related to participating in the QE Program in three substantive areas: (i) accurately calculating quality, efficiency, effectiveness or resources use measures from claims data, (ii) combining Medicare claims data with claims data from other sources, and (iii) establishing and maintaining a rigorous data privacy and security program and enforcement mechanisms.


The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), Pub. L. 114–10, § 105; Centers for Medicare & Medicaid Services, Medicare Program: Expanding Uses of Medicare Data by Qualified Entities, 81 Fed. Reg. 44,456 (final rule, July 7, 2016).


CMS, Press Release, CMS Finalizes Rule Giving Providers and Employers Improved Access to Information for Better Patient Care (July 1, 2016),


For a list of qualified entities currently participating in the QE Program, see


CMS and large institutional healthcare providers are not the only entities hoping to capitalize on the promise of big data analytics. As one of many examples, in February 2017, pharmaceutical industry leaders will convene at the “Big Data Analytics in Pharma” conference for the purpose of “drilling down to the real opportunities for pharma to exploit in order to maximize data use and develop innovative drugs. See


Carolinas Healthcare System,


Greg Slabodkin, “Mayo Clinic initiative takes analytics to the enterprise level” Health Data Management, July 20, 2016.


Jennifer Bresnick, “VC investors bring analytics to the bedside.” Health IT Analytics, March 21, 2014, available at


Optum, Inc.,


Mark Hagland, “At Cleveland Clinic, Embedding Data Analytics Into the Core Culture.” Healthcare Informatics, April 30, 2015, available at


Adam Rubenfire, “Hospitals use big-data platform to improve care.” Modern Healthcare, August 22, 2015, available at


42 U.S.C. § 1320a-7b.


42 U.S.C. § 1395nn.


Pub. L. 104–191, 110 Stat. 1936, enacted August 21, 1996.


The HIPAA Privacy Rule generally requires an individual to provide consent, known as an “Authorization” before a covered entity may use or disclose an individual’s PHI for research purposes. Under limited circumstances, however, a covered entity may obtain a waiver of the requirement to seek an Authorization by an Institutional Review Board or Privacy Board.



Mary Beth Johnston and Leah D’Aurora Richardson, K&L Gates, LLP, Research Triangle Park, NC