January 2018

HIPAA Challenges: Governance Efforts Shape Reidentification Risks
By Pamela Neely Buffone
For The Record
Vol. 30 No. 1 P. 6

Access to detailed patient data is a main driver behind innovations in treatment methods, drugs, and medical devices. But restrictions exist on accessing these data; they must be deidentified before they can be used for secondary purposes. As a result, organizations with access to such data must have policies and procedures in place to ensure that patient privacy is protected.

Deidentification is a process used to remove any identifying attributes from data, reducing the risk to an acceptably small level that an individual can be reidentified. Deidentification should be risk based to account for the specific disclosure context. Risk-based anonymization methods, including the HIPAA Privacy Rule, are consistent with recommendations from governmental regulatory bodies in Europe, Canada, and the United States.

Sophisticated tools and technologies are available to support deidentification as well as to automate and integrate risk measurement. Integrating risk measurement into a technological solution enables data utility to be optimized for the disclosure context.

While technology can effectively deidentify data, there also needs to be an effective governance framework at the enterprise level. If an organization applies technology to only anonymize data, it misses out on a vital area of the overall strategy, one that includes the people and decisions behind the solution and the processes and procedures that instill consistency and rigor while allowing for a wide range of data uses.

The governance framework consists of three pillars: people, processes, and technology.

People
The people behind the framework are part of a network of decision makers, knowledge workers, and implementers who bring the framework to fruition and apply its tenets. The "people pillar" includes which method of deidentification is needed and for which data set. Approval mechanisms are required and include managers who understand the acceptable uses of patient data and the ethical and reputational factors involved.

Also important is the creation of a standardized, sustainable training and knowledge management program. Training should include regulatory monitoring and change management, both important for regulatory compliance. Sophisticated training is available in the marketplace and can be customized to meet specific needs.

Deidentification processes need to be transparent to internal and external stakeholders. Good communication supports transparency and can improve the data consumer experience while promoting patient trust. Patients, analysts, and regulators must understand how privacy is being protected across a spectrum of circumstances. If a data breach occurs, organizations need to be ready to respond, both with standard operating procedures and with defined escalation paths.

Processes
Processes need to be defined, documented, communicated, and widely understood. Effectively designed processes can optimize the deidentification program in practice, maintaining freedom of data use while ensuring privacy. The "process pillar" encompasses the following:

Standard operating procedures (SOPs). SOPs are already an intrinsic part of health care. Extending SOPs to the area of deidentification builds control into the deidentification governance framework. At a minimum, SOPs should encompass reidentification risk measurement, pseudonymization, risk-based deidentification (including classification of data elements as directly or indirectly identifying), and deidentified data use/access (including registration and authentication).

Business guidelines should exist to define how organizations handle requests for data; training, logging, reporting, and tracking of all data disclosures (including deidentification specifications); performance measurement; data use agreements; and monitoring and audits.

Data-sharing agreement templates. Effective deidentification involves understanding and managing data sharing and usage agreements. The agreement templates should include terms of use, required security controls, and contractual mechanisms such as rights to audit and data retraction. These agreements need to be actively managed to maintain compliance and support high-utility data disclosures to secure, well-controlled recipients.

Risk assessment and audit programs. Having criteria and checklists to assess and audit are simple methods to keep the complexities of risk assessment under control.

Centralized disclosure logging. Using a centralized logging system for tracking disclosures enables compliance to be demonstrated, audits to be performed, and performance to be measured over time. Each disclosure and risk measurement should be reported, logged, and centrally tracked with details on the dataset as well as the context.

Protocol tracking. Keeping track of user and recipient registration protocols allows organizations to map these to their overall risk assessment integration.

Workflow optimization. This is a key requirement of an efficient system. For example, integrating risk assessment into a case management solution that supports the customer experience can promote efficiency, performance, and effective control.
Workflows should be optimized to support intended data outcomes. Embedding tools, controls, and measures into deidentification workflows can drive efficiencies in support of these data outcomes.

Technology
The people and processes of a deidentification governance framework are supported and enabled by the selected technology. Choosing a technology that has been designed to work as part of a wider framework is the key to finalizing a successful deidentification program. The "technology pillar" encompasses the following:

Deidentification software. For enterprise solutions with large volumes of health data, automation through deidentification software is essential. Deidentification software must be part of the governance framework, but not as a distinct component. Rather, deidentification software sits within the framework as part of the overall strategy. It enables pseudonymization as well as a range of tactical outcomes such as generalization, suppression at multiple levels, date shifting, additive noise, and various types of masking.

Information security controls. Essential information security measures are an integral part of the technology used to implement deidentification. These measures should include robust authentication, key management, encryption, and identity assurance where appropriate.

Auditing events. The technology must have extensive audit and logging built in. In addition to supporting compliance reporting, auditing provides valuable system feedback and allows organizations to optimize a system once it is in production.

An effective deidentification governance framework is vital to create a strategy for using health data in a privacy-enhanced manner that considers reidentification risks as data volumes continue to grow exponentially. Implementing a successful deidentification program in practice requires a framework with all three pillars.

Help in creating this three-pillar governance structure is readily available in today's marketplace. Using the right tools to apply the people, process, and technology pillars as the foundation for a deidentification program will ensure a complete and holistic approach to managing reidentification risks while efficiently driving important outcomes from secondary uses of health data.

— Pamela Neely Buffone is director of product management at Privacy Analytics.