There are many challenges to be addressed e.g. ....
- De-identification - more challenging than it seems since often data has to be longitudinal (maintains individual patient histories) to get the best value out of it, but if not properly performed then knowledge of one patient event can allow you to re-identify that patient's entire record
- Application Audit for created initiatives/devices etc. Essentially data access audit at the Application level (why does doctor x prescribe drugs where the patient address matches addresses in the HR database). Scotland has invested in tools to do this. Needs to extend into these uses as well.
- Appropriate review and oversight by Data Access Committee/Research Ethics Board which have suitable skilled members (the last bit being very important) to consider the benefits and risks to proposed initiatives. As well as establishing appropriate oversight of the actual access.
As a side matter - I did work with a large hospital that was slicing and dicing data in their own data-mart for research purposes, but had also poured all the HR data into it... I said - oh so now you can compare how many patients of doctor x die versus doctor y and factor in how much you pay them, to optomise staff on a kill-cost basis!