Second in a three-part series: “Patient privacy and healthcare data exchange: What privacy and compliance officers need to know to de-identify patient data and stay HIPAA compliant.“
Expert determination is a preferred method for healthcare organizations looking to make their datasets HIPAA compliant. Doing so at speed and scale, however, requires a unique combination of specialized skills in statistics and scientific principles; knowledge of Health Insurance Portability and Accountability Act (HIPAA), privacy principles, and diverse sources of data and use cases; and access to advanced privacy technology.
In the first of this three-part series, “What does it mean to “de-identify” data?,” we focused on what it means to de-identify healthcare data under HIPAA and the different methods available to do so.
In this segment, we look at five key considerations for obtaining fast and fit-for-purpose HIPAA expert determination that can make privacy and compliance a more seamless, transparent and scalable process.
- Data quality and standardization: Experts look for clear alignment between the data dictionary and the dataset or sample provided, as an indicator of data quality.
Regarding standardization, organizations looking to move quickly may consider using multiple different experts to scale the effort. However, the use of potentially distinct and non-standard approaches across different experts can make it hard to implement efficient practices that make HIPAA compliance an ongoing and scalable process. Working with the same expert builds familiarity with their approach, reducing time to project completion.
- Understanding of use cases: A deep understanding of what the dataset or combined datasets will be used for helps the expert conduct a fit-for-purpose assessment of which fields of data are more critical to retain, while preserving patient privacy.
- Speed and scale: Considering the growing need for expert determination in the healthcare data ecosystem, there is a surprisingly small number of experts and companies that specialize in this field. Individual practitioners may have a backlog of projects, and getting your project to the top of their queue may be a difficult and lengthy process.
An organization with a critical mass of privacy experts and the appropriate application of technology can deliver both speed – expert determinations in weeks, not months – and scalability, applying machine learning and human insights from past projects to gain efficiency.
- Technology integration: Once an expert determination report is issued, it is incumbent upon the requester to implement any required changes or remediations to the dataset in order to render it truly de-identified under HIPAA standards. Without in-house expertise or technology, expert determination can quickly become a months-long process.
Experts with access to advanced technology environments are able to recognize similarities in datasets and drive consistency, predictability and speed in how those datasets are handled. Integration of experts with a technology platform can provide the ability to quickly and easily submit single or multiple datasets for expert determination and transparency throughout the project.
In addition, the privacy platform implements the expert’s remediation recommendations and dramatically reduces manual intervention and human error. Experts then conduct a last check to verify that remediations have been applied correctly and produce a final certification.
- Ongoing support and maintenance: HIPAA expert determination is rarely “one and done.” A new expert determination may be needed when new attributes or value types are added, the data is going to a different type of recipient or when two datasets are connected. Combined datasets require a new expert determination and certification, even if the individual datasets were already previously certified by an expert as HIPAA de-identified.
Having an ongoing relationship with the same expert service can help to quickly address new needs as they emerge versus starting over every time. Having access to monitoring and remediation technology ensures ongoing compliance of existing datasets as they grow.
Navigating the expert determination landscape and process can be daunting, from finding an expert and providing the necessary data inputs to understanding reports and implementing recommendations.
Accelerating the process with the right experts and technology can lead to more streamlined, transparent and satisfying processes for privacy and compliance officers.
- In case you missed part one: What does it mean to “de-identify” data?
- Up next: What to look for when evaluating privacy expert services and technology
Editor’s note: This post has been updated on December 2022 for accuracy and comprehensiveness.