Datavant promotes the flow of health information for the improvement of public and patient health outcomes. Inherent to the success of Datavant’s mission is the handling of patient health and health-related information. Holders of data can use Datavant tools to securely share data with each other, or can use Datavant to assist them in exchanging this information. Except where indicated otherwise, this notice applies to the work Datavant does in-house to assist partners and clients with their de-identification, linking, and dataset maintenance.
Datavant understands the importance of being a responsible steward of sensitive information, which includes transparency about Datavant’s in-house data services and the ways in which Datavant processes and discloses data that is shared with us.
Information Datavant manages
Datavant generally receives and manages three categories of health and health-related data: personally identifiable information, non-personally identifiable information, and de-identified information. At Datavant, and as used in this Data Use Policy, we define these categories accordingly:
- Personally identifiable information is data that can identify a single person. This includes but is not limited to a person’s name, address, email address.
- Non-Personally Identifiable Information is information that may be associated with a data record, such as a diagnosis code or blood type, but it is not typically unique to a single person and cannot be used alone to identify an individual directly or indirectly.
- De-identified information is data that has been substantially altered so that it cannot reasonably be used to identify a person’s identity even if it refers to a single individual. The Datavant tokens, which are algorithmic and irreversible transformations of personal information, and the Datavant ID, which is a randomly generated pseudonym for an individual, are both examples of de-identified information.
Datavant receives a variety of data types that fall into the three categories defined above, including demographic information, behavioral information, medical data, and non-medical health-related data.
Datavant may receive health data that is covered by the Health Insurance Portability and Accountability Act (HIPAA). Any Protected Health Information (PHI) that Datavant manages for a covered entity – a hospital, health insurance company, or health care provider – is regulated by HIPAA. Datavant is permitted to handle protected health information only on behalf of the covered entity as its business associate and only in accordance with the HIPAA obligations that apply to Datavant as a business associate and contractual obligations imposed on Datavant by the relevant covered entity.
Because Datavant offers on-premise versions of its de-identification and linking software, Datavant also keeps a fourth category of information: usage data about Datavant’s partners’ and clients’ use of the Datavant software. This metadata may contain information about a partner’s file, but it does not contain partner confidential information or patient personal information. Datavant uses the metadata to improve the performance of Datavant’s software and to facilitate Datavant’s product and business operations, including to assess licensing and usage fees and to detect fraudulent or suspicious activity.
How Datavant receives information
Datavant receives personally identifiable and de-identified information directly from clients and partners who share the information in order for Datavant to de-identify or store the datasets on their behalf. Datavant may also receive de-identified information from data partners or clients who want Datavant to store their de-identified datasets and make them available as needed to other partners.
Datavant may also at times acquire personally identifiable or de-identified information from third party or public data sources for the purpose of augmenting and/or improving Datavant’s services. Datavant evaluates data it acquires from other sources to help ensure it was collected with consumer consent and in accordance with all applicable laws and regulations. This evaluation is designed to confirm that the acquired data may be used for Datavant’s intended purposes. Any acquired data is managed with the same care Datavant applies to partner data.
Datavant does not collect any health information directly from patients.
How Datavant uses data
Datavant’s facilitates the flow of health data and health-related information through its three services: de-identification, linking, and escrow.
- De-identification – Datavant offers the ability to convert personally identifiable health datasets into datasets that do not identify individual patients but can still be used for research, analytics, and healthcare services. Datavant incorporates the work of statisticians to help ensure that de-identified data is statistically irreversible. Datavant’s de-identification methodology is designed to strip personally identifiable information in the dataset, adjust any non-personally identifiable information that could be used to identify an individual, and generate a Datavant token that is a consistent but unidentifiable and irreversible representation of the individual.
- Dataset Linking – Datavant enables the joining of datasets between organizations through the Datavant token. These tokens, which are consistent but unidentifiable and irreversible entity representations, can be translated between client datasets in order to link an individual’s records together without using any of their personally identifiable information.
- Escrow – Datavant assists clients with data storage and distribution upon request. Clients may use Datavant’s escrow service to store and secure their datasets. Datavant handles and/or processes client data only at the client’s direction.
How Datavant discloses information
Datavant discloses de-identified client data to clients and partners as part of its services. When Datavant discloses this data, it does so on behalf of the data source and in accordance with contractual and regulatory constraints.
Datavant does not disclose personal information as part of its services. However, Datavant reserves the right to disclose personal information to legal authorities if it is required to do so by law or in response to information requests from government authorities.
Any information that Datavant acquires from third parties may be used by Datavant for any commercial purpose in accordance with all applicable laws and regulations and subject to any licensing obligations or use constraints imposed by the data source and Datavant’s company policies. At this time, Datavant offers de-identified third party information and uses third party personal information only to improve Datavant’s services, including but not limited to internal testing for improving the de-identification methodology and linking solution.
Datavant retains client data until the termination of the client contract or until otherwise directed by the client. In some cases, Datavant has retained contractual rights to the data post-termination and is permitted to use it in accordance with the data use agreement, corporate policy, and any regulatory constraints that may apply.
Datavant retains third party data for as long as there is a business need or purpose.
How we protect information
Datavant adheres to industry security standards and privacy best practices. It employs reasonable and appropriate technical, administrative, and physical safeguards designed to protect the information in its care from loss, misuse, and unauthorized access, disclosure, and alteration.
Datavant has implemented an information security program to monitor and control Datavant’s infrastructure and respond promptly and efficiently to security events. It has implemented an information privacy program to oversee the mitigation of foreseeable risks in the processing and retention of sensitive information.
Datavant also uses information in ways that are compatible with the purposes for which it was collected. Datavant works with its partners and clients to understand the origin of their data, the notices and consent under which it was collected, and the corporate policies that govern its management, sharing, and disclosure. Datavant respects these limitations – in addition to all applicable laws and regulations – to ensure that Datavant processes, manages, and employs data in accordance with the promises and authorizations made at the time of collection.
Changes to this notice
This policy may be updated periodically without prior notice to ensure it aligns with Datavant’s services and accurately reflects Datavant’s practices with respect to information under its control.
Questions, comments, or concerns regarding this notice should be communicated to Datavant’s Data Protection Team at firstname.lastname@example.org.