A More Practical Approach to HIPAA Expert Determination
Most Expert Determinations are not shaped by statistical analysis alone. They are also shaped by factors beyond the dataset, including how the data will be used, who can access it, and what safeguards apply.
Historically, Expert Determination workflows have often emphasized conservative, data-focused assumptions. That approach plays an important role in protecting privacy and supporting consistent execution. But as health data use cases become more complex, there is an opportunity to account for context in a more structured way.
Datavant is introducing a new contextual privacy framework for HIPAA Expert Determination that builds on established statistical methods while incorporating safeguards, access controls, and intended use into the risk assessment. The goal is to support defensible determinations while reducing unnecessary impact on data utility where the overall risk remains very small, and to do so in a structured, scalable, efficient, and repeatable fashion.
Early pilots of this framework across multiple clients and use cases have shown consistent results: fewer unnecessary data remediations, faster determination timelines, and greater client confidence in the outcome.
The Opportunity: Incorporating context more systematically
Under HIPAA, Expert Determination requires that the risk of re-identification be “very small” based on accepted statistical and scientific principles (45 CFR §164.514(b)(1)). As a result, expert determinations can begin with the conservative assumption that the dataset may face broad exposure and only limited safeguards.
Starting from these baseline assumptions can be appropriate, particularly when data may truly be broadly shared, used for multiple purposes, or placed in less controlled environments. It can also create a clear and repeatable starting point for analysis. However, applying these assumptions across every dataset, environment, and use case, as a one-size-fits-all approach, may lead to:
- Treating all environments as if they have minimal safeguards
- Applying fixed rules to data elements regardless of context
- Using static thresholds that don’t adjust for use case or controls
While this consistency can simplify execution and support repeatability, it may also lead to additional remediation that does not materially reduce overall re-identification risk. When teams seek to account for safeguards or use-case limitations later in the process, these considerations can be harder to evaluate consistently, potentially extending timelines and making determinations more difficult to document and explain.
A shift toward a structured framework for contextual Expert Determination
Datavant’s new framework continues to support the HIPAA requirement that re-identification risk be very small, while providing a more structured way to evaluate the factors that contribute to that risk. While privacy experts have long acknowledged that context influences re-identification risk, our framework provides a systematic, quantitative, and repeatable way to incorporate those factors into the determination process while maintaining rigorous privacy standards. Safeguards, access controls, and intended use are evaluated as core inputs to the risk assessment, rather than as informal considerations or late-stage exceptions.
Conceptually, re-identification risk can be understood as a function of both the characteristics of the data and the likelihood that an attempted re-identification event could occur:
Probability of re-identification = (Probability of re-identification given a particular threat) × (Probability of the threat occurring)
The first factor reflects the risk inherent in the data itself: how likely re-identification is if a particular threat is carried out. The second depends on context, meaning how the data is used and shared, which determines how likely that threat is to occur. By separating these components, the framework provides two levers for modifying re-identification risk: remediations that change the re-identification risk of the data, and safeguards that lower the likelihood of threats occurring.
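The decomposition above carried through on a constructed toy dataset, as an added example that is not Datavant's model or code: the data term P(re-identification | threat) is estimated from equivalence-class sizes over quasi-identifiers, the threat term P(threat) is an assumed probability per safeguard tier, and the two levers (age generalization as a remediation; a stricter safeguard tier) are applied separately. The records, tier names, probabilities and the 0.05 threshold are all constructed placeholders.

```python
from collections import Counter

# Constructed sample records (age, 3-digit ZIP prefix, sex); not real data.
RECORDS = [
    (34, "021", "F"), (36, "021", "F"), (38, "021", "F"),
    (52, "021", "M"), (55, "021", "M"), (57, "021", "M"),
    (78, "100", "F"), (74, "100", "F"),
    (29, "100", "M"), (29, "100", "M"),
]

# Assumed P(threat) per safeguard tier, from an uncontrolled public release
# (an attempt is treated as certain) down to a highly restricted environment.
THREAT_PROB = {"public_release": 1.0, "standard_controls": 0.2, "highly_restricted": 0.04}

RISK_THRESHOLD = 0.05  # placeholder for the project-specific "very small" bound


def band_age(record, width=10):
    """Remediation lever: generalize exact age to a fixed-width band."""
    age, zip3, sex = record
    lo = (age // width) * width
    return (f"{lo}-{lo + width - 1}", zip3, sex)


def data_risk(records):
    """P(reid | threat) from equivalence-class sizes k over the quasi-identifiers.
    Returns (average of 1/k over records, 1/min k)."""
    sizes = Counter(records)  # record tuple -> class size k
    avg = sum(1 / sizes[r] for r in records) / len(records)
    return avg, 1 / min(sizes.values())


def overall_risk(records, tier):
    """P(reid) = P(reid | threat) * P(threat) for a safeguard tier; returns (avg, max)."""
    avg, mx = data_risk(records)
    return avg * THREAT_PROB[tier], mx * THREAT_PROB[tier]


def meets_standard(records, tier, threshold=RISK_THRESHOLD):
    """True when the maximum overall risk is below the threshold."""
    return overall_risk(records, tier)[1] < threshold


if __name__ == "__main__":
    banded = [band_age(r) for r in RECORDS]
    for label, recs in (("raw", RECORDS), ("age-banded", banded)):
        for tier in THREAT_PROB:
            avg, mx = overall_risk(recs, tier)
            print(f"{label:10s} {tier:17s} avg={avg:.3f} max={mx:.3f} ok={meets_standard(recs, tier)}")
```

Which statistic (average or maximum) and which threshold apply to a given project is an expert judgement; the code simply reports both so the effect of each lever is visible.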
Datavant is introducing a structured contextual privacy framework for HIPAA Expert Determination that operationalizes what HHS guidance already permits experts to consider. The framework is also consistent with HIPAA de-identification guidance and with the international standard for privacy-enhancing data de-identification (ISO 27559), both of which treat administrative, technical, and physical safeguards as directly relevant to re-identification risk. With this risk framework, we make those safeguards central.
This framework is designed to be:
- Transparent, supported by clear documentation of inputs, assumptions, and models
- Consistent, enabling repeatable application across similar use cases
- Grounded, aligning with HIPAA’s Expert Determination standard and based on robust statistical and scientific principles
Together, these elements make determinations easier to explain and easier to defend.
Preserving data utility for early adopters
For early adopters, the framework has been especially useful in cases where traditional approaches would have required substantial data modification or limited the value of the analysis. Clients' increased confidence stems from determinations tailored to their actual environment and grounded in clear, defensible privacy principles.
The following examples demonstrate how contextual assessment can support high-utility outcomes while maintaining the HIPAA “very small” risk standard.
Flexible handling of deceased patients
This dataset initially failed traditional Expert Determination thresholds with no clear path to remediation without compromising data utility. By incorporating strict access controls and persistent administrative safeguards, the new framework enabled a defensible path forward—turning a blocked use case into an approved one.
Including household or family IDs
Household IDs can add risk to a dataset as linking multiple family members can reveal highly distinguishable family compositions. However, the total re-identification risk from household IDs depends on the contents of the dataset, what reference information is “reasonably available”, and how likely it is that an attacker could link the information to attempt re-identification. In addition to assessing the dataset itself, a contextual assessment of safeguards and environment provides bounds on the risk of an attack, in some cases allowing these household or family IDs to be retained—preserving critical analytical value while still meeting the “very small risk” standard.
Limiting the suppression of diagnostic codes: birth codes
Birth codes in a client dataset pushed risk above standard thresholds under traditional approaches. With controlled access and aggregation limits factored in, the framework supported retaining this data, avoiding unnecessary redaction while maintaining compliance.
This contextual privacy framework allows our clients to retain greater data utility while continuing to support defensible HIPAA expert determinations.
“The new privacy framework has already delivered meaningful improvements for us. The Datavant team’s rigorous methodology has made our team confident that our expert determination will stand up to scrutiny while allowing us the highest data utility.”
– Elisa Radice, Vice President, Product & Data Platform, Clarify Health Solutions
What to expect from an expert determination using this new framework
Expert determinations that use this new framework begin with a Safeguards Questionnaire, capturing:
- Security controls and infrastructure
- Access limitations and user controls
- Governance and oversight processes
Datavant’s privacy team will review the results of the questionnaire and determine the overall level of safeguards in the context of how the data will be used and shared. Safeguards are evaluated on a spectrum ranging from public data releases, where no controls are assumed, to highly restricted data-use environments with safeguards that exceed industry standards.
Our privacy team then calculates re-identification risk using project-specific statistical models, informed by:
- The client’s safeguards and access controls
- The structure and uniqueness of the dataset
- The intended use and exposure risk
Rather than applying a single statistical threshold across all projects by default, we systematically assess whether the overall risk is “very small” in the full dataset context. This approach recognizes that safeguards and use-case limitations may reduce the amount of risk that must be mitigated through dataset modification, while remaining aligned with accepted statistical methodologies and regulatory expectations. Applying the framework systematically means dataset utility is optimized as a standard part of the process, without ad-hoc decision-making or course correction.
From the risk assessment, the privacy team will provide a set of data remediations or additional safeguards that lower the risk of re-identification below the risk threshold our privacy experts have determined for the project context. That often means:
- Fewer transformations that reduce data usability
- Less need to suppress or generalize valuable variables
- Better alignment with analytical and operational needs
Expert determination projects using the new framework follow a familiar workflow but result in more usable data while maintaining strong HIPAA privacy standards.
Future of Expert Determinations
This framework is a step toward a more scalable approach to privacy. Over time, it will support:
- Automated workflows for Expert Determination and reporting
- Quantitative risk scoring surfaced to users
- Client-facing controls to adjust remediation trade-offs within expert-defined limits on overall privacy risk
- Expansion to support both structured and unstructured data in the same workflow
More broadly, this reflects a shift toward privacy models that can scale with the complexity of modern data use.
HIPAA de-identification requires that re-identification risk be very small and that the method used to assess it be sound. Robust de-identification programs integrate quantitative measures of risk, the data context, and the safeguards surrounding the data use, and they align with established risk assessment frameworks such as ISO 27559. That combination is what makes scalable de-identification possible without losing sight of the underlying privacy standard.
If you’re evaluating how to modernize your Expert Determination approach, contact us to walk through how this framework can be applied to your data.