Healthcare organizations are required to perform a delicate balancing act between healthcare data protection and disclosure of high utility data to further research and innovation leading to better healthcare services. There will often be a trade-off between these two interests, as excluding or altering data in an effort to protect individuals’ privacy regularly comes at the expense of data utility.
Thankfully, the Health Insurance Portability and Accountability Act (HIPAA) provides guidance that prescribes what needs to be done to protect data privacy when disclosure of healthcare data is at issue. The legislation thus made a binding determination on what information must be excluded from a data set in order to sufficiently lower the risk of re-identification of individuals whose data is contained in the data set.
This blog post sets out the HIPAA Safe Harbour compliance requirements, presents Private AI’s approach to meet them, and illustrates this in a case study on how Private AI helped Providence to safely train conversational AI models on de-identified healthcare data. We conclude with an explanation of general non-technical principles that can be used to assess a data set from a re-identification risk perspective.
What is Considered Healthcare Data
Under HIPAA, protected health information (PHI) captures not only information that relates to an individual’s mental or physical health but also any personally identifiable information (PII) that appears alongside such health related information. For further details, refer to our blog post titled “What is PHI?”
HIPAA Safe Harbour Compliance
In healthcare, mismanaged data can result in massive fines and long-lasting damage to a company’s reputation. One way to mitigate fines and protect the institution’s reputation is to comply with HIPAA’s Safe Harbour rule.
Despite the name, compliance with this rule does not entirely protect against audits by Health and Human Services (HHS) or financial penalties in case of data breaches. Audits are, however, reduced in length and extent, and fines are lowered. In addition, compliance will add considerable protection against security incidents and data breaches. You can read about the important cost factor of regulatory compliance in our recent blog post Cost of a Data Breach.
The Safe Harbour rule lists 18 entities that need to be removed in order to de-identify healthcare data which can then be shared with a third party.
- – 164.514(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(E) Fax numbers
(M) Device identifiers and serial numbers
(F) Email addresses
(N) Web Universal Resource Locators (URLs)
(G) Social security numbers
(O) Internet Protocol (IP) addresses
(H) Medical record numbers
(P) Biometric identifiers, including finger and voice prints
(I) Health plan beneficiary numbers
(Q) Full-face photographs and any comparable images
(J) Account numbers
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section [Paragraph (c) is presented below in the section “Re-identification”]; and
(K) Certificate/license numbers
Private AI identifies and redacts all 18 of these entities with higher than human accuracy and directly on premise, meaning that a healthcare organization’s data never leaves its environment. While building the system, Private AI recognized the need for robustness to optical character recognition (OCR) mistakes, grammar errors, and spelling mistakes. The following medical record displays these capabilities:
Case Study
To find out more about how Private AI has helped healthcare organizations become HIPAA compliant, download our healthcare case study.
Re-Identification Risk
Aside from the removal of the listed 18 entities from the data set, HIPAA’s Safe Harbour rule also requires that the regulated healthcare organization have no actual knowledge that the information, once disclosed, could be used alone or in combination with other information to identify an individual who is a subject of the information.
The HHS advises that the determination of actual knowledge has to be made with the particular anticipated information recipient in mind. For example, if the regulated entity knows that the data recipient has detailed information on an individual whose data is included in the data set, e.g., because he or she is a family member of the data recipient, and would be able to identify the individual despite all 18 entities having been removed from the data set, this would constitute actual knowledge under the Safe Harbour rule. Furthermore, if the regulated entity is made aware of the fact that the data recipient possesses technology that is able to re-identify individuals from the data set, this would likewise mean that the entity is not able to disclose the information to this recipient in a manner that is compliant with the Safe Harbour rule.
On the other hand, HHS also maintains that the general knowledge that such technology exists does not constitute actual knowledge in this sense. It must rather be assessed whether the particular data recipient has access to such technology.
Determining the re-identification risk is difficult enough when there is only one data recipient and the risk can be mitigated with data use or restricted access agreements. The task becomes that much harder when the data set is to be disclosed semi-publicly, i.e., to anyone with the requirement to register with the healthcare organization and to abide by certain terms of use, or publicly without any restriction. These three different release models need to be considered when assessing the risk of re-identification before disclosing a data set.
There are many more factors that need to be considered when determining the risk of re-identification of individuals whose information is to be disclosed in a data set. From a non-technical perspective, and without an attempt to be exhaustive, here are three general principles to be mindful of when evaluating a data set’s re-identification risk exposure:
1. Replicability
Information about an individual that is unlikely or impossible to change exposes the individual to a higher risk of re-identification if disclosed. Since information such as date of birth, blood type, or health card number are stable, they will consistently appear in records along with other information about the individual. This makes it possible to map different records about the individual on top of each other, combining different pieces of information about the individual and thus elevating the risk that a health record can be matched with directly identifiable information.
A person’s ZIP code, or blood pressure, on the other hand, are variable and hence may differ across different records containing information about the individual. Hence, such information is less risky to maintain in a health record that is supposed to be disclosed.
2. Date source availability
When considering the risk of re-identification, it is paramount not to only consider whether there is no identifiable information inadvertently left in the health data that is to be disclosed. It must also be determined what other data sources exist and are accessible to the data recipient which may be containing further information on the individuals whose information appear in the data set at issue. If these external data sources contain replicable information, it must be ensured that the data that is to be disclosed cannot be enriched with this information in a way that identifies the individuals.
Commonly available data sources containing replicable information are voter records, birth, and marriage registries. And you may have heard of this huge data repository called social media.
3. Distinguishability
The third principle under which to assess the re-identification risk is the distinguishability of the individual by means of the available data. Determining the distinguishing characteristics of an individual is not as straightforward as it may seem. The combination of 5-digit ZIP code, gender, and date of birth can uniquely identify 87 percent of the U.S. population, and features such as scars or rare diseases can also distinguish an individual fairly straightforwardly.
Conclusion
It will require considerable technical and statistical expertise to determine with certainty whether a data set is sufficiently de-identified for its disclosure to entail a low risk of re-identification. However, the identification and removal of PHI need not be difficult. Private AI can make this part of the task quick and effortless. To see the tech in action, try our web demo, or request an API key to try it yourself on your own data.