De-identification & Expert Determination
As the amount of available and demand for data increases, organizations require effective processes, techniques and governance to remove and protect personal information. Effective "de-identification" is the tool that can provide such protection.
De-identification is the process of removing identifying information from a data set so that an individual's data cannot be linked to the specific individual. The de-identification reduces the privacy risk associated with collecting, processing, maintaining, analyzing, distributing or publishing information.
De-identification balances the goal to share personal identifiable information with or without health information while protecting the privacy of the person. De-identification standards of include data tokenization and HIPAA Privacy Rule to govern protected health information.
Data Tokenization is the method by which sensitive data is substituted, masked, redacted or algorithm generated to name a few. All have its benefits, however, the most efficient and widely used is algorithm generated tokenization with an integrator. The integrator's roles maintains the tokenization key firewalled from all parties to assure no tokenized data can be re-engineered. Essentially with out the token identifier key no personal information can be directly linked.
Albeit data tokenization sounds full-proof, almost all companies, legal advisors, statisticians, require a further step to assure privacy is upheld as well as to meet or exceed Privacy & FTC Act and HIPAA Privacy Rule. These rules govern both PII and PHI. Personal Identifiable Information (PII) is information when used alone or in combination can identify an individual. Protected Health Information (PHI) is individual identifiable health information, including demographic information, which relates to health and or healthcare.
PII and PHI standards almost always perform data tokenization but then take further steps to assure the risk of re-identification is statistically insignificant. PII considered sensitive data which is removed, modified, masked or de-identified includes but is not limited to: name, social security, driver license, address, credit card, passport, financial information. Non-sensitive or indirect PII is linkable and is de-identiifed, examples of non-sensitive PII include but not limited to: zipcode, race, ethnicity, gender, date of birth, place of birth, religion.
PHI is information related to health and may include PII. HIPAA Privacy Rule sets a de-identification standard that health information is not individually identifiable and the entity has no reasonable basis to identify an individual. The de-identification standard provides two methods, Safe Harbor and Expert Determination. Safe Harbor requires removal of 18 types of identifiers. Expert Determination, applies statistical and or scientific principles to assure a very small risk that anticipated recipient could identify the individual.
Expert determination method require the covered entity document the methods and results of the analysis to justify the risk for re-identification of PHI is very small alone or in combination with other information.
In summary, as information and demand for information increases, organizations need to consider de-dentification and expert determination where any PII or PHI data exists. Best practice recommendations for de-identification include:
- Patient Tokenization & Integration Management,
- Expert Determination with Methods & Results Documentation, and
- Privacy Training.
To support organizations to help people and patients our core functional services to enable such benefits include:
Integration Management of Patient Tokenization: We become the third (3rd) party integrator to assure no-one organization has the key or can re-engineer to re-identify.
Expert Determination with methods and results documentation: We offer expert determination recommendation including consultation, statistical analysis ensuring very small risk of re-identification, final report based on the data, and repeatable platform processes to output expert determination documentation for each future deliverable. Expert determination service available for data PHI and PII governed by HIPAA and Privacy Act.
Privacy Training: Privacy training is offered to ensure your entire employee and extended team is aware of all privacy guidelines set forth by applicable Privacy laws in USA, EU and other world regions. Training provides an understanding of privacy principles and law, de-identification principles and process, and risk.