Data Use Policy

Datavant promotes the flow of health information for the improvement of public and patient health outcomes. Inherent to the success of Datavant’s mission is the handling of patient health and health-related information. Datavant tools enable data holders to securely share data with each other with privacy-preserving record linkage.

For most of Datavant’s services, Datavant does not receive any information about consumers (Datavant’s software is typically used on premise by its customers to support de-identification and privacy-preserving linking services).

Except where indicated otherwise, this notice applies to the work Datavant does in-house to assist partners and clients with de-identification, linking, and dataset maintenance.

 

Our Dedication to Patient Benefit

At Datavant, we believe that data fragmentation is one of the core reasons health outcomes have not improved with more technology over the last several decades. Answering questions such as “How many measles patients between age 5 and 10 exist in California,” “what is the 10-year survival rate of patients treated with a particular medication,” or “which physicians and treatments are most effective” require the use of data across many different institutions for analysis, but do not require a loss of patient privacy. Our mission is to allow the safe exchange of health data to help companies and researchers solve some of the most vexing challenges in healthcare.

 

Information Datavant manages

For most of Datavant’s services, Datavant does not receive any information about consumers (Datavant’s software is typically used on premise by its customers to support de-identification and privacy-preserving linking services).

When processing data directly, Datavant may receive and manage three categories of health and health-related data on behalf of our clients and partners: personally identifiable information, non-personally identifiable information, and de-identified information. At Datavant, and as used in this Data Use Policy, we define these categories accordingly:

  1. Personally identifiable information is data that can identify a single person. This includes but is not limited to a person’s name, address, and email address.
  2. Non-Personally Identifiable Information is information that may be associated with a data record, such as a diagnosis code or gender, but it is not typically unique to a single person and cannot be used alone to identify an individual directly or indirectly.
  3. De-identified information is data that has been substantially altered so that it cannot reasonably be used to identify a person’s identity even if it refers to a single individual. Datavant’s “tokens,” which are encrypted, cryptographic one-way hashes of transformations of personal information, arean example of de-identified information as defined by the Health Insurance Portability and Accountability Act (HIPAA).

Datavant receives a variety of data types that fall into the three categories defined above, including demographic information, behavioral information, medical data, and non-medical health-related data.

Datavant may receive health data that is covered by HIPAA. Any Protected Health Information (PHI) that Datavant manages for a Covered Entity – including a hospital, health insurance company, or health care provider – or for a Business Associate of a Covered Entity is regulated by HIPAA. Datavant may handle PHI on behalf of aCovered Entity or a Business Associate only as its Business Associate and in accordance with the HIPAA obligations that apply to Datavant as a Business Associate and contractual obligations imposed on Datavant by the relevant Covered Entity or Business Associate.

Because Datavant offers on-premise versions of its de-identification and linking software, Datavant also keeps a separate category of non-health-related information: usage data about Datavant’s partners’ and clients’ use of the Datavant products. This metadata may contain information about a partner’s data files, such as the fields present, but it does not contain patient or provider personal information. Datavant uses the metadata to improve the performance of Datavant’s software and to facilitate Datavant’s product and business operations, including to assess licensing and usage fees and to detect fraudulent or suspicious activity.

 

How Datavant receives information

Datavant receives personally identifiable and de-identified information directly from clients and partners who share the information in order for Datavant to de-identify or store datasets on their behalf. Datavant may also receive de-identified information from data partners or clients who want Datavant to manage their de-identified datasets. In the course of assisting partners with data management, Datavant may share a client’s de-identified datasets at the client’s direction..

Datavant may also at times acquire personally identifiable or de-identified information from third-party or public data sources for the purpose of augmenting and/or improving Datavant’s services. Any acquired data is managed with the same care Datavant applies to partner data.

Datavant may, from time to time, receive personal information from consumers who provide such information through Datavant’s website for purposes of employment or for other services provided by the website. This information is not incorporated into Datavant’s products or services and is governed by Datavant’s web privacy policy. To see Datavant’s web privacy policy, click here.

 

How Datavant uses data

Datavant facilitates the flow of health data and health-related information through its three services: de-identification, linking, and escrow.

  1. De-identification – Datavant offers the ability to convert personally identifiable health datasets into datasets that do not identify individual patients but can still be used for research, analytics, and healthcare services. Datavant incorporates the work of statisticians to help ensure that de-identified data is statistically irreversible. Datavant’s de-identification methodology is designed to strip personally identifiable information in the dataset, adjust any non-personally identifiable information that could be used to identify an individual, and generate a Datavant token that is a consistent but unidentifiable and irreversible representation of the individual.
  2. Dataset Linking – Datavant enables the joining of datasets between organizations through Datavant “tokens.” These tokens, which use an encrypted cryptographic hash in order to create consistent but unidentifiable and irreversible entity representations, can be matched between client datasets in order to connect data about a de-identified patient without indicating who the patient is. Additionally, Datavant may provide “bridges” that indicate how various tokens and pseudonymous identifiers match.
  3. Escrow – Datavant assists clients with data storage and data management services  upon request. Clients may use Datavant’s escrow service to store and secure their datasets. Datavant handles and/or processes client data only at the client’s direction. In some cases and only at the direction of the data provider, Datavant may share or license data sets on a partner’s behalf, perform basic queries on the datasets (or allow our partners to do so), or provide other services to the data provider.

 

How Datavant discloses information

Datavant may disclose client data to clients and partners as part of its services. For example, our clients may request that we match de-identified records from laboratory tests with de-identified records about patients’ long-term outcomes to share with an analyst to help determine the safety and efficacy of a particular device or drug. When Datavant discloses this data, it does so in accordance with contractual and regulatory constraints. In most (though not all) cases, Datavant is acting as a service provider for its clients, and is typically (though not always) disclosing data that has been de-identified (as defined by HIPAA).

Datavant may disclose personal information to legal authorities if it is required to do so by law or in response to information requests from government authorities.

Any information that Datavant acquires from third parties may be used by Datavant for any commercial purpose in accordance with all applicable laws and regulations and subject to any licensing obligations or use constraints imposed by the data source and Datavant’s company policies.

 

Data retention

Datavant may retain client data until the termination of the client contract or until otherwise directed by the client. In some cases, Datavant retains contractual rights to the data post-termination and is permitted to use it in accordance with the data use agreement, corporate policy, and any regulatory constraints that may apply.

Datavant may retain third party data for as long as there is a business need or purpose, subject to any applicable contractual and regulatory constraints.

 

How we protect information

Datavant adheres to industry security standards and privacy best practices. It employs reasonable and appropriate technical, administrative, and physical safeguards designed to protect the information in its care from loss, misuse, and unauthorized access, disclosure, and alteration.

Datavant has implemented an information security program to monitor and control Datavant’s infrastructure and respond promptly and efficiently to security events. It has implemented an information privacy program to oversee the mitigation of foreseeable risks in the processing and retention of sensitive information.

Datavant also uses information in ways that are compatible with the purposes for which it was collected, as specified in the agreements Datavant has with data sources.

 

Information Access

For most of Datavant’s services, Datavant does not receive any information about consumers (Datavant’s software is used on premise by its customers to support de-identification and privacy-preserving linking services). In some cases, Datavant receives personal information about consumers from our clients and partners.

We provide all consumers with a right to access personal information that has not been de-identified. Consumers may request their data by sending us an e-mail at consumer-requests@datavant.com. To protect consumer privacy and security, we may take reasonable steps to verify a consumer’s identity before granting access.

 

Opting Out

If you would like to opt out of your data being managed by Datavant, please submit a request through our Consumer Request form. To protect your privacy and security, we will take reasonable steps to verify your identity before processing your request.

Special Notice to California Residents

Under the California Consumer Privacy Act (2018) (‘CCPA’), California residents have rights regarding access to, sale of, and deletion of “personal information”.  If you are a California resident, and you would like to exercise your rights under CCPA, please do so through our Consumer Request form. Datavant will not discriminate against you for exercising any of your rights under CCPA.

Please refer to the sections above titled “Information Datavant manages”, “How Datavant uses data” and “How Datavant discloses information” for the categories of personal information Datavant collects and discloses.

Your Access Rights
You have the right to request Datavant to disclose information to you our collection and use of your personal information over the last twelve (12) months.  Once we receive a Verifiable Consumer Request we will disclose to you:

  • Categories of information collected
  • Categories of sources of information
  • Purpose for collecting information
  • Specific pieces of information collected
  • Any sale, or transfer of information

Your Deletion Rights
You have the right to request Datavant to delete any of your personal information that we collected, subject to some exceptions. After we receive a Verifiable Consumer Request we will delete your personal information from our records.

Your Opt-out of Sale Rights
Datavant does not sell personal information.

 

Changes to this notice

This policy may be updated periodically without prior notice to ensure it aligns with Datavant’s services and accurately reflects Datavant’s practices with respect to information under its control.

Questions, comments, or concerns regarding this notice should be communicated to Datavant’s Data Protection Team at dataprotection@datavant.com.