Overdose Risk Prediction Algorithms: The Need For A Comprehensive Legal Framework

Risk prediction has permeated many aspects of modern life, including health care. Algorithms developed using advanced statistical methods have been used to identify hospitalized adults at risk of clinical deterioration, reduce hospital readmission rates, and improve resource allocation and health care use. These methods have also been used to develop predictive models for overdose risk among specific patient populations. Most of these overdose-specific applications, however, have been limited to health care settings using health care utilization or insurance claims data.

State and local governments are increasingly integrating health- and non-health-sector data for public health purposes, creating an opportunity to use these data to improve overdose risk prediction models. Advanced analytics approaches, such as machine learning, can guide the deployment of limited resources by more accurately identifying overdose risk among individuals who encounter public systems and alerting stewards of these systems about upstream opportunities to intervene. Public health and social service agencies may then be able to deliver targeted preventive public health interventions. Indeed, information regarding criminal justice involvement and incarceration, prior mental health and substance use disorder (SUD) treatment, child welfare, and vital statistics, can improve overdose risk prediction when compared to using health care utilization data alone.

The use of algorithms by public agencies will almost certainly increase in the near future, which will raise unique legal considerations around information sharing, privacy, responsibility, and liability. The United States lacks a comprehensive legal framework to guide this emerging technology as it relates to overdose prediction.

To initiate public discourse, we make the case for the role of risk prediction in overdose prevention and then consider some of the key legal concerns about overdose risk prediction models. Our aim is to encourage state and local collaboratives to proceed thoughtfully in the application of predictive algorithms to reduce overdoses in their communities, as well as to emphasize the need for a robust legal framework to govern this work in the future.

The Case For Risk Prediction In Overdose Prevention

Annual overdose deaths are now the highest they have ever been, despite years of extensive federal and other investments. For the 12-month period ending in December 2021, the National Center for Health Statistics estimated that the number of overdose deaths surpassed 100,000 Americans. This raises the question of how to allocate prevention and treatment resources to reach those at greatest risk of overdose. Epidemiological analyses alone have been insufficient to prioritize prevention resources and interventions to populations at highest risk of overdose.

The opportunity to better target interventions to people at elevated risk of overdose has been enhanced through the integration of health- and non-health-sector data. For example, the integration of carceral and death certificate data suggests that interventions could be prioritized for those leaving carceral settings. People are 40 to 129 times more likely to die of an overdose during the two-week period following release from prison, compared to other individuals. When one county integrated Medicaid, court, medical examiner, and jail records over a four-year period, it found that, in the month prior to overdose death, 23 percent of those who had died had contact with adult probation; among people eligible for Medicaid, 28 percent of those who had died had been involved in mental health treatment and 23 percent had been involved in SUD treatment.

Disaggregating data in epidemiologic analyses or integrating and analyzing cross-sector data improves identification of populations at higher risk of overdose. However, it remains at the discretion of decision makers at the state and local levels to apply these findings to target resources to those most at risk of overdose. Predictive analytics promises to help target limited resources to achieve the greatest public health impact. Nevertheless, to fulfill the promise of this advanced technology and prevent its potential misuse or abuse, it is critical to examine the legal landscape for public algorithms, that is, predictive algorithms applied in public systems.

Example Of How Advanced Analytics Can Be Applied To Reduce Overdose

We offer the example of a project in which the authors are engaged to illustrate where the legal landscape may need refining to accommodate this new technology of developing and deploying public algorithms to target public health interventions where they may be most effective.

Nearly one in five people who died of an overdose in our community had a recent jail release. To address this problem, we are using integrated health- and non-health-sector data from our county to develop an algorithm that identifies individuals at the time of a jail booking who may be especially vulnerable to a future overdose. After refinement to address racial and other algorithmic biases, our goal would be to deploy or run the algorithm in the county’s integrated data warehouse using data (where available) regarding past encounters with public entities such as courts, jails, homeless services, and health care entities to generate an overdose vulnerability score for each person booked in the jail. A list of individuals identified as being especially vulnerable to an overdose within 90 days following jail release could then be shared with an intervention partner to deliver an evidence-based, low-threshold intervention that makes minimal demands on the participant and reduces barriers to service (for example, offering Naloxone and medication for opioid use disorder). The intervention partner would receive information limited to name and contact information and, by virtue of being identified as high risk, information that this person is at higher risk of overdose than others at the time of jail booking.

Using this example, we examine the applicability of some of the existing laws protecting health privacy as they relate to generating this vulnerability score and identifying individuals who are especially vulnerable to overdose. We also introduce other, non-health privacy laws that may apply. Finally, we explore questions for which a legal framework is not yet clear.

HIPAA And 42 CFR Part 2 Are Not Applicable In The Generation Of A Vulnerability Score

Frequently, legal departments of government agencies, managed care organizations, or community providers perceive that the use of records related to SUDs for population health purposes such as those described above may be prohibited by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its associated regulations, and the 42 C.F.R part 2 Regulations (the Part 2 Regulations). HIPAA provides a general framework for the protection of certain health information and permitted uses and disclosures of such information. The Part 2 Regulations, authorized by 42 U.S.C. 290dd-2, impose stricter restrictions on the use of SUD records in terms of what can be shared and redisclosed even with patient consent. These laws have been on the books for dozens of years, but wide variability in interpreting the permitted use of these records remains a barrier to applying new technologies to use these data to combat the now decade-long national overdose crisis. We, therefore, attempt to clarify where these established laws may apply and where they may not.

The United States does not have a comprehensive legal framework to safeguard personal health information privacy in both health- and non-health-settings. HIPAA and its privacy, security, and breach notification regulations—as well as the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, which strengthened HIPAA’s privacy and security protections—provide the foundation that governs privacy and security of health information at the federal level. Under the HIPAA Privacy Rule, health information that does not identify an individual, and for which there is no reasonable basis to believe that it could be used to identify an individual, is not considered to be protected information.

Enacted prior to HIPAA and revised several times (most recently in July 2020), the Part 2 Regulations were designed to provide heightened protection to records of individuals who seek treatment for SUDs from federally assisted programs. The Part 2 Regulations do not prohibit disclosures of records that do not identify a person as a patient in SUD treatment and thus do not apply to de-identified records.

When applying an algorithm to identify individuals who may be vulnerable to an overdose in the near future, a score is generated. In itself, this vulnerability score shares no health information protected under either HIPAA or the Part 2 Regulations. While a vulnerability score may be related to a person’s health (overdose is most certainly a health issue), it discloses nothing specific about that person’s past health care use or health status. Some of the input variables that created the model, such as past SUD treatment use, would individually be subject to HIPAA and Part 2 Regulations, whereas others, such as the overdose rate in a community or arrest records, would not. Regardless, a vulnerability score in itself, or simply identifying an individual who is likely to experience a future overdose based on such a score, would not communicate whether or to what degree any combination of those variables and dozens of others contributed to an individual’s risk.

Thus, while HIPAA and the Part 2 Regulations may protect SUD records in certain circumstances, they do not apply to generating a vulnerability score and using it to identify people to whom prevention services will be offered. Nevertheless, other privacy laws may apply to the generation and use of a vulnerability score.

Other Laws That Might Be Implicated

In addition to HIPAA and the Part 2 Regulations, there are federal laws that have been developed to govern other forms of privacy. For example, some federal laws govern privacy of personal information and provide protection for consumer electronic data. These laws typically target specific industries or types of data. The Gramm-Leach-Bliley Act imposes data protection requirements on financial institutions. Additionally, the Federal Trade Commission (FTC) Act prohibits “unfair or deceptive acts or practices;” the act has been used by the FTC to plug the holes left by the patchwork nature of US privacy law. Further analysis should be done to determine whether these non-health privacy laws apply to the generation and use of an overdose vulnerability score.

Particularly because there has been a recent push by states to enact comprehensive privacy laws, the application of state laws to the use of vulnerability scores must be considered as well. The California Consumer Privacy Act (CCPA) of 2018 and the Virginia Consumer Data Protection Act are examples of such state laws, which vary in regard to whom they apply, what exemptions are included, how personal information is defined, to whom the protection extends and what rights are protected, and available enforcement mechanisms. This variation adds an additional layer of complexity to considerations of predictive analytics and privacy protection that could be alleviated by a comprehensive legal framework.

Risk Of Re-Identification

The majority of US privacy laws, including HIPAA and the Part 2 Regulations, predate the era of big data and do not contemplate either the use of risk prediction or the use of health and health-related data outside the health care system. As such, these laws do not address the fact that sophisticated computer programs might be able to re-identify individuals by matching personal data available elsewhere to that used to generate a vulnerability score. Potential for reidentification of a particular individual is thus an important legal and data security consideration when employing predictive analytics for overdose prevention.

Reidentification risk will vary depending on the type of modeling that is employed. Vulnerability scores developed from machine learning and other computer science modeling strategies are calculated from a non-linear combination of tens and sometimes hundreds of variables. It is impossible to know which of the underlying variables and which combinations of variables contribute to a specific vulnerability score, and therefore reidentification risk is very low. In contrast, vulnerability scores developed through other strategies, such as logistic regression, may add points from scores on independent variables to determine an overall vulnerability score. In these models, it may be possible to reidentify an individual by retrospectively comparing known data—for example, a person’s history (number of emergency department visits plus number of arrests, and so forth)—to the regression score to confirm the identity of the person and relation to the score. Thus, using more complicated machine-learning techniques in risk prediction affords arguably more data protection when compared to other strategies.

Discussion And Conclusion

There is much promise in employing predictive analytics to advance public health strategies and identify the most vulnerable individuals in a worsening national overdose epidemic. In this essay, we characterize the use of risk prediction to guide upstream preventive interventions with vulnerable individuals as a natural progression from improved epidemiology and the integration of public systems data. We argue that while many feel constrained by HIPAA and the Part 2 Regulations, neither law prevents the use of health care, or even SUD treatment, records to develop a predictive algorithm, and neither applies to alerting community partners that are capable of intervening with individuals identified as especially vulnerable to an overdose.

Despite the limitations of existing laws, it is important to clarify which, if any, could prevent a local or state government from identifying individuals vulnerable to a fatal overdose and working with a partnering community organization that has capacity to intervene. It would also be instructive to identify any risk of liability if agencies have access to an algorithm that identifies individuals who are vulnerable to a fatal overdose but do nothing meaningful to intervene.

Predictive analytics may have a key role to play in overdose prevention. Before the promise of these technologies can be realized, however, a comprehensive legal framework to address information sharing, privacy, responsibility, and liability is necessary. Such a framework is needed to give government agencies guidance and confidence in adopting these new technologies to effectively allocate resources to those at greatest risk of fatal overdose.

Authors’ Note

The authors received funding from the Richard King Mellon Foundation for development and implementation of an opioid overdose risk prediction model. The contents of this article reflect the views of the authors alone and not those of the foundation.