Third in a three-part series: “Patient privacy and healthcare data exchange: What privacy and compliance officers need to know to de-identify patient data and stay HIPAA compliant.“
Every company in the healthcare ecosystem looking to connect health data must have a way to ensure they are also preserving patient privacy and reducing risk of re-identification. That responsibility often lands with privacy and compliance officers.
In earlier posts, we addressed what it means to de-identify healthcare data, what’s involved in expert determination and how technology can make the process easier.
In this last installment, our focus is on three key criteria for evaluating privacy expert services and technology: data security, expertise and seamless integration between independent experts and technology.
- Data security
Data security is critical to any service or technology dealing with sensitive health data. HIPAA lays out security guidelines for organizations handling PHI (personal health information). Service providers may follow global, cross-industry standards and frameworks (such as ISO27001 or SOC2) or they may choose to adhere to healthcare-specific frameworks, like HITRUST CSF.
With a clear internal security framework in hand, it is easier to engage with vendors on how they can meet and align with the security safeguards that your organization needs to meet. Reputable vendors will be open to transparent conversations about their security strategy and what they’re doing to protect data.
Another important factor is understanding what data experts will need to access and process for their analysis. The vendor should enable the proper controls and access to your data and follow the principle of “least access.” For example, technologists monitoring data quality would have less access, defined by their role, than experts who may need more privileges for the purposes of viewing and analyzing data.
- Expertise
Privacy experts working in expert determination are highly skilled. They have backgrounds in data science, statistics and mathematics and often have advanced degrees in these areas. Repeated engagement with healthcare datasets enables qualified experts to understand use cases, see patterns, detect risks and make recommendations that clients can trust.
These experts create complex reports and analytics dossiers and should be able to clearly communicate the pros and cons of certain rules and requirements. This allows clients to obtain expert determinations that are fit-for-purpose and meet HIPAA compliance.
- Seamless integration
Even today, time-consuming email exchanges are often needed to engage in a single expert determination process. In addition, privacy experts can be disconnected from the remediation process used to apply their privacy rules to a dataset to render it de-identified, making the whole process longer and cumbersome.
New technologies are making it possible to seamlessly interface with experts and automated remediation. These advanced platforms also allow experts to remain independent. The platform will bring over rules from the expert determination report and apply them with automated remediation. Experts then verify the remediations and deliver final certifications at speed and scale.
Imagine this scenario: A simple login allows you to upload a dataset and instantly communicate with a human privacy expert. The expert communicates directly with you and works within the platform to complete an expert determination report. Remediations are automatically initiated in the technology platform as part of the same workflow. The expert is able to audit the remediations and certify your dataset as de-identified for third party data exchange. All this happens in a secure and transparent environment, allowing you to easily track and manage compliance for single or multiple datasets simultaneously.
In conclusion, when looking for expert determination, seek out privacy experts who make it easy to engage through a technology platform with the highest data security standards.
- In case you missed part 1: What does it mean to “de-identify” data?
- And part 2: 5 considerations for getting Expert Determination right