Risk Management using the HITRUST De-Identification Framework

Transcription

1 Risk Management using the HITRUST De-Identification Framework Dr. Khaled El Emam, CEO, Privacy Analytics Kimberly Gray, J.D., Global CPO, IMS Health

2

3 Why we de-identify One of most important, useful, and effective means to protect personal privacy is through de-identification of information. Where information has been de-identified according to reasonable and specified standards (such as the HITRUST de-id framework standards), the risks of re-identification, cybercrime, breaches, and identity theft for properly de-identified data are exceedingly small.

4 Benefits of de-identification frameworks Reduce data custodian uncertainty around what would be generally accepted practices for de-identification Improve actual de-identification methods used in practice in the field Set yardsticks for regulators to use when evaluating what is acceptable practice for de-identification Define a body of knowledge for deidentification practices which can lead to certification and accreditation of professionals Help establish a community of practice around common approaches for deidentification

5 De-ID frameworks promote accountability Codes of conduct based upon a specific industry and/or geography or any other combination - may offer a framework for organizations to innovate with data while still safeguarding individual privacy. Industry codes drive self-policing and the development of best practices. Accountability mechanisms clearly can play a useful role in promoting socially beneficial uses of big data while protecting privacy.

6 Beneficial uses of health data a real world example Research performed by Dr. Millie Long and colleagues: Sophisticated analysis of large databases representing a significant time span. Dependent on linking key data from disparate sources: IMS Health de-identified medical claims data, IMS Health de-identified filled-prescription data, government knowledge bases (also de-identified). Work was intended to spotlight previously undocumented interrelationships between inflammatory bowel disease (IBD) and a variety of other illnesses. Investigators findings are that patients with IBD also have a higher likelihood of developing bacterial pneumonia, pneumocystis pneumonia, herpes zoster, and a variety of skin cancers. These findings provide a factual basis for a higher degree of monitoring and caution by patients and clinicians alike.

7 Privacy Framework Legal authority to share data Data anonymization practices Data ethics review committee / process for anticipated analytics protocols (data uses) Privacy boards or other similar organizations that consider ethical repercussions are invaluable in a world where data analytics and modeling can impact individuals or even their family members. Structure to consider: include a privacy subject matter expert, an ethics expert, at least one layperson to represent the population at large, and a mix of internal and external (to the organization) members. Consider a governance model that would include both regular meetings (perhaps quarterly) and ad hoc meetings to address new/novel issues

8 Governance Assigning overall responsibility for the de-identification program De-identification policies and procedures Training of individuals responsible for de-identification Understanding data flows Transparency around de-identification practices Determination of when and where de-identification / risk assessment needs to be performed Monitoring regulatory changes that are relevant Re-identification response protocol Examination of overlapping datasets over time Regular external review

9 Re-Identification risk Properly de-identified information, while not 100% impossible to re-identify, requires substantial resources and technical skill to re-identify. The primary risk of re-identification of deidentified data comes through academic theory and technical testing of de-identified data and related efforts designed to break de-identified data.

10 Identity Disclosure

11 Stigmatizing Inferences

12 HIPAA and De-ID

13 Privacy / Data Quality Balance

14 Direct and Quasi (indirect) identifiers Examples of direct identifiers: Name, address, telephone number, fax number, MRN, health card number, health plan beneficiary number, VID, license plate number, address, photograph, biometrics, SSN, SIN, device number, clinical trial record number Examples of quasi (indirect) identifiers: sex, date of birth or age, geographic locations (such as postal codes, census geography, information about proximity about known or unique landmarks), language spoken at home, ethnic origin, total years of schooling, marital status, criminal history, total income, visible minority status, profession, event dates, number of children, high level diagnoses and procedures.i

15 Risk Measurement Set Risk Threshold Based on the characteristics of the data recipient, the data, and precedents, a quantitative risk threshold is set. Measure Risk Based on plausible attacks, appropriate metrics are selected and used to measure actual reidentification risk from the data. De-identification Process Apply Transformations If the measured risk does not meet the threshold, specific transformations (such as generalization and suppression) are applied to reduce the risk.

16 Data Release Context

17 Layers of Protection Contractual Controls Security & Privacy Controls Perturb Data

18 Measuring Risk DIRECT IDENTIFIERS INDIRECT IDENTIFIERS SENSITIVE VARIABLES OTHER ID Name Telephone No. Sex Year of Birth Lab Test Lab Result 1 John Smith (412) M 1959 Albumin, Serum Alan Smith (413) M 1969 CreaBne Kinase Alice Brown (416) F 1955 Alkaline Phosphatase Hercules Green (613) M 1959 Bilirubin < Alicia Freds (613) F 1942 BUN/CreaBnine RaBo Gill Stringer (954) F 1975 Calcium, Serum Marie Kirkpatrick Pay Delay (416) F 1966 Free Thyroxine Index Leslie Hall (905) F 1987 Globulin, Total Douglas Henry (416) M 1959 B-type NatriureBc pepbde Fred Thompson (416) M 1967 CreaBne Kinase Two quasi-idenbfiers matching in three cells within a dataset

19 Risk Model

20 Impact on Context Risk

21 Impact on Context Risk

22 Acceptable Risk

23 Example Workflow

24 Automation

25 Certified De-identification Expert Provides the knowledge to perform risk-based de-identification Some technical background would be needed to pass the exam Additional coaching on real data sets needed to meet the experience requirement

26 CerHfied De-idenHficaHon Expert (CDE) professional credenhal starhng May 2016 (course & exam)

27 QUESTIONS