The Role of HIPAA De-identification in Improving Health Data Connectivity
For years, we have predicted the convergence of human activity and technological development and the many benefits that their pairing will bring to our health, recreation, work, and world. But if one steps back to pause and reflect, it becomes very obvious that we are already living in this new world and have been for some time.
This is especially true in the healthcare industry. Though many of the promises of this new era of technological development in healthcare ring true, organizations, governments, and patients are also adjusting to the new realities and challenges that this intersection has brought with it.
One of the most turbulent areas in the healthcare industry is the collection and analysis of individual and collective medical data. It has the ability to spark new advances in treatment and care, but it has also introduced new risks to privacy and security.
Guided by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), healthcare providers, policymakers, and researchers have to find the right balance between sharing and analyzing data to drive new positive outcomes and securing data and protecting patient privacy.
Overall, the industry has made great progress implementing data privacy standards. However, these privacy standards have progressed alongside other realizations and developments, including the fragmentation of datasets and increased cybersecurity threats, making it challenging to find secure ways to connect and share data.
Fortunately, new tools and technologies for data protection and HIPAA compliance have developed to help organizations manage protected health information (PHI). In particular, new approaches to the HIPAA-compliant de-identification (HIPAA de-identification) of PHI have made it easier for organizations to link datasets and gain insights while remaining compliant with the HIPAA Privacy Rule.
What are the recent developments in HIPAA PHI data protection requirements and HIPAA de-identification techniques? How can organizations navigate these parallel tracks to expand opportunities to connect health data to drive more positive patient outcomes?
Balancing HIPAA with the growing need for health data connectivity
There is a dichotomy with health data that makes for a delicate balancing act for organizations in the healthcare industry.
On one hand, HIPAA Title II, also known as the Administrative Simplification (AS) provisions, includes the regulation’s Privacy Rule and Security Rule. The Privacy Rule is in place to protect individuals’ medical records, data, and other PHI, including electronic PHI, known as ePHI, by outlining standards that organizations must meet when using or disclosing it. Similarly, the Security Rule outlines the required physical, technical, and administrative safeguards that organizations must put in place to protect the confidentiality, integrity, and availability of all forms of PHI.
On the other hand, organizations across the healthcare ecosystem are beginning to more fully understand the need for connecting disparate health data for more effective research, fast-tracked and lower cost development of new therapies, and ultimately better patient outcomes. However, the full potential of health data in today’s research can only be reached when it can be de-identified while retaining utility. When this de-identification is performed correctly, the impact of both clinical protocols and social determinants of health (SDOH) can be captured, assessed longitudinally, and shared on a neutral platform.
A deeper look into HIPAA’s Privacy Rule and Security Rule requirements
As we reach the 20-year anniversary of the release of the HIPAA Final Rule in 2003, which first defined the Standards for Privacy of Individually Identifiable Health Information, known more informally as the regulation’s Privacy Rule, our understanding of its impact in today’s digital world is still evolving.
However, the Privacy Rule’s core elements have not changed.
The main goal of the Privacy Rule is to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare and to protect the public’s health and well-being.”
In particular, PHI includes “individually identifiable health information” that relates to:
- An “individual’s past, present, or future physical or mental health or condition,
- the provision of healthcare to the individual, or
- the past, present, or future payment for the provision of healthcare to the individual.”
This information also includes more common identifiers such as name, address, birthday, and Social Security number. However, the Privacy Rule does not apply to an employee’s employment records or a student’s health records as long as their employer maintains that information in their official capacity.
The Privacy Rule also requires all organizations regulated by HIPAA (known as “Covered Entities”) including health plans, healthcare providers, and their associates, to protect and only use or disclose PHI for specific purposes, such as:
- Directly to the individual
- For treatment, payment, and healthcare operations
- Public interest and benefit activities
- Purposes of research, public health, or healthcare operations
HIPAA’s Security Rule
The Security Rule “operationalizes” the Privacy Rule by requiring Covered Entities that store and transmit PHI to protect the information’s availability, confidentiality, and integrity, and also to:
- “Anticipate information security threats, both intentional and unintentional.”
- Ensure their workforce and processes are in compliance with the Privacy Rule.
The growing practice of PHI HIPAA de-identification
Though health information management professionals are identifying new systems, tools, and standards to collect, store, and transmit data about individual patients and their care, healthcare providers, researchers, and policymakers can turn to the process of de-identification to share and use large amounts of PHI data for research purposes. When PHI de-identification is complete, it can enable medical research studies, policy assessments, treatment effectiveness analyses, and other work without violating the patient’s privacy or requiring their consent.
In order for data to be HIPAA de-identified, the data needs to be transformed so that the risk of re-identification is very small. HIPAA de-identification can be achieved through one of two methods:
- Safe Harbor
- Expert Determination
HIPAA Safe Harbor De-identification
The Safe Harbor method for making PHI HIPAA compliant for use in medical and policy studies is to remove specific identifiers within the dataset. These identifiers include:
- Geographic subdivisions smaller than a state
- All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates, including year, that are indicative of age)
- Telephone, cellphone, and fax numbers
- Email addresses
- IP addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Device identifiers and serial numbers
- Certificate/license numbers
- Account numbers
- Vehicle identifiers and serial numbers including license plates
- Website URLs
- Full face photos and comparable images
- Biometric identifiers (including finger and voice prints)
- Any unique identifying numbers, characteristics, or codes
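The following sketch applies the Safe Harbor removals listed above to a single record. It is an added example, not code from the original article or from any vendor. The field names and the sample record are hypothetical, and the regular expressions only catch structured identifiers in free text (names written into a note would still need separate handling).

```python
import re
from datetime import date

# Hypothetical field names; map them to your own schema.
DROP_FIELDS = {"name", "street", "city", "county", "zip", "phone", "fax", "email",
               "ip_address", "ssn", "mrn", "health_plan_id", "device_serial", "url",
               "license_number", "account_number", "vehicle_id", "photo", "biometric"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that commonly leak into free-text fields.
TEXT_PATTERNS = [
    ("[URL]", re.compile(r"https?://\S+")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b")),
]

def scrub_text(text):
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record, as_of):
    birth, age = record.get("birth_date"), None
    if birth:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    over_89 = age is not None and age > 89
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifiers and sub-state geography are removed outright
        if key in DATE_FIELDS:
            # Keep the year only; for patients over 89 the birth year itself reveals age.
            if not (key == "birth_date" and over_89):
                out[key.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age  # aggregate ages over 89
    return out

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Roe", "ssn": "078-05-1120", "zip": "43004", "state": "OH",
          "birth_date": date(1931, 3, 14), "admission_date": date(2023, 6, 2),
          "diagnosis_code": "I10",
          "note": "Call 555-010-0199 or jane.roe@example.org. Portal login from 192.0.2.44."}
```

Calling `deidentify(SAMPLE, as_of=date(2023, 7, 1))` keeps the state, admission year and diagnosis code, replaces the identifiers in the note with labels, and reports the age as `90+` without a birth year.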
HIPAA Expert Determination
This method of de-identification requires a covered entity to obtain an evaluation of a dataset by a qualified statistical expert that “the risk of re-identifying an individual from the dataset is very small” based on their “knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.”
With this process, the covered entity must document, store, and make available (in the event of an audit or investigation) the method the expert uses to de-identify data. Though HIPAA does not specifically define what “very small” risk means, it is the expert’s role to apply this risk determination to the dataset’s context and the recipients’ ability to re-identify individuals with the data.
How technology can enable HIPAA de-identification
Though navigating the logistical, security, and regulatory requirements of handling PHI for research and policy analysis is often complex, organizations now have more tools to aid in the process of tokenizing, de-identifying, connecting, and controlling patient data. In addition to lowering the administrative burden of de-identifying data, technology platforms also make it easy to connect with other organizations to improve their trials and research initiatives while still protecting patient privacy.
In fact, Datavant, the industry-leading platform for securely connecting patient-level health data, makes it easy to:
Connect health data from across disparate sources
When clinical trial data is more complete, researchers can obtain a more complete picture of their patients’ health and the potential impact of different related factors and share those results with partners.
Traditionally, finding a solution to connect, de-identify, share, and consolidate data while maintaining security and privacy has been difficult. New technologies like those developed by Datavant make the process of connecting tokenized patient-level data seamless and automated.
For example, instead of having to identify and manage fragmented data sources with tools meant for other purposes or complete highly manual data management tasks themselves, providers and researchers can instead use Datavant to quickly connect their data to other related sources. Ultimately, this can help to:
- Combine social data with clinical datasets to develop more targeted studies and recommendations.
- Zero in on social factors that may influence health data to identify further research focuses or risk areas.
- Match records at the patient level across datasets while maintaining patient privacy.
- Participate in industry or academic research opportunities.
- Maximize the use and availability of existing data.
- Add more context to your datasets through third-party data sources.
- Fulfill release of information requests.
Control access to data internally and externally
The peace of mind to connect and share datasets with other organizations only comes when you trust that the platform you are using to facilitate the process puts privacy and security first.
This is why Datavant’s design includes the latest security controls and protections, allowing organizations that handle PHI to protect patient privacy and meet HIPAA’s Security Rule standards. In fact, Datavant gives each organization the ability to tightly control access to their datasets and share data with internal and external partners.
Find the right real-world data partner to connect with
Solving the problem of data fragmentation starts by connecting datasets with the clinical researchers, policymakers, and providers who need it. With Datavant’s data ecosystem, healthcare providers can identify, safely connect with, and securely share datasets to enhance their research using access to more than 600 data sources.
Types of data that are represented in the Datavant ecosystem include:
- Medical claims
- Patient health records
- Lab data
- Consumer information
- Social determinants of health
- Specialty pharmaceutical data
Whether pulling from datasets to overlap with their own data or compiling information from existing sources alone, researchers can achieve their goals at an accelerated pace with an easier way to securely connect data.
Maintain data compliance and ensure privacy
There are no shortcuts to handling PHI de-identification and tokenization properly.
But Datavant gives organizations the ability to streamline the process from end to end with the support of trusted privacy-preserving technology and services delivered by Privacy Hub. Built upon decades of experience in analytical methods and compliance, Privacy Hub simplifies, standardizes, and accelerates the process of de-identifying and tokenizing data and managing an organization’s entire ecosystem of datasets in order to protect patient privacy and improve data connectivity.
Bringing it all together
As the digitization of health data continues, organizations that can successfully meet their patient privacy requirements and leverage their data effectively are laying the foundation for tomorrow’s opportunities. In addition, they are supporting the overall advancement of their field.
Datavant helps organizations find this balance, providing tools like Switchboard, which helps support data connectivity with internal and external stakeholders, and Privacy Hub, which accelerates HIPAA-compliant de-identification. In fact, Datavant already supports over 2,000 configured, tokenized, and uploaded datasets, comprising the nation’s largest health data ecosystem created to de-identify and connect health data.
A team of independent, qualified, and efficient analysts is available to support and streamline HIPAA-compliant health data connectivity so your team can focus more time and resources on what it does best.