NACDD engages Privacy Analytics for plans to share patient data with 7000+ chronic disease professionals, while protecting privacy

NACDD engages Privacy Analytics for plans to share patient data with 7000+ chronic disease professionals, while protecting privacy

Dashboard to provide public health users with better, faster actionable insights for addressing chronic disease

When the National Association of Chronic Disease Directors (NACDD) planned to publish data dashboards with visualizations showing chronic disease prevalence, it considered potential challenges. To be valuable at the local level for meaningful public health actions, the dashboards needed to provide data at the ZIP code level—a more granular view than what is allowable under the Safe Harbor provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). NACDD decided to engage with privacy experts to establish that the chance of identifying any individual within the data would be “very small” and to support more robust, public facing data availability. Privacy Analytics worked with NACDD, providing guidance on how to meet the highest standards of privacy protection.

The Challenge

Publishing disease data at the ZIP code level

NACDD manages the Multi-State EHR-Based Network for Disease Surveillance (MENDS), generating estimates of chronic disease measures at the national and local levels. The network leverages data from electronic health records (EHRs) and provides information vital to promoting health and reducing the burden of chronic disease. MENDS includes 5 partner sites that leverage EHR data from approximately 91 health system and clinic partners and represents more than 10 million patients across the United States.

In furthering the transparency goals of its funder, the Centers for Disease Control and Prevention (CDC), NACDD planned to publicly share dashboards of aggregated, population-weighted prevalence estimates. Previously, these data were only accessible to partners—specifically, authorized state and local health departments working with MENDS data contributors under data privacy and security agreements. Weighted data that will be published can be used by more than 7000 chronic disease professionals in state, tribal, and territorial health departments; non-profit organizations; academia; and private industry. And, as a result, NACDD would be achieving one of its data modernization goals under the CDC’s Data Modernization Initiative, which aims “to get better, faster, actionable insights for decision-making at all levels of public health.”

"Privacy Analytics were very accommodating. Our input was reflected in the end product."

Kate Hohmann,

Associate Director for the Center for Public Health Leadership at NACDD

Data availability at the ZIP code level is especially important to local health departments, as this information provides critical insights into high-risk communities and subpopulations that can guide public health decision-making and interventions to improve health outcomes. However, even though the data would be aggregated, data provided at the ZIP code level would not comply with HIPAA’s Safe Harbor provision. NACDD asked Privacy Analytics to make an Expert Determination that people could not be identified in the data, as required by HIPAA. Beyond NACDD’s own need to comply with privacy regulations, the organization sought to assure its data contributors that the privacy of people in the data release would be strongly protected.

The Solution

A roadmap for compliance

Privacy Analytics’ senior data scientists tackled the assignment on two fronts. First, they did a risk determination, assessing the likelihood that individuals could be identified in the data. Through this work, the data scientists were able to recommend an implementable de-identification strategy to protect individuals in the data. This de-identification strategy included a recommended minimum cell size (known as a cell-size rule), which is the minimum number of people represented in an aggregation. For example, a cell-size rule might dictate that data include at least 15 individuals when reporting on the number of males with hypertension for a given parish in the state of Louisiana.

Gain confidence to use and share sensitive data

Find out how our advisory services can help you safely leverage data derived from information about people. Watch this 15-minute webinar.

Second, they sought to identify ways in which the de-identification strategy could be circumvented. Would it be possible to compare successive data releases over time to learn about individuals or small groups? Could someone look at the data in different ways to uncover values hidden through the de-identification strategy? Privacy Analytics provided guidance to avoid such attacks and to ensure that the data continues to be protected as it evolves over time.

Kate Hohman, Associate Director for the Center for Public Health Leadership at NACDD, was grateful for the transparency provided by Privacy Analytics. “They explained clearly how they planned to work, and as the project neared completion, we were able to ask questions and provide comments,” she said. “They were very accommodating. Our input was reflected in the end product.”

The final report gave NACDD guidelines for how the data could be presented safely and Privacy Analytics walked through several illustrative examples to explain where there were hidden risks. Hohman continued, “I was able to learn a lot through their continued support and detailed explanations.”

The Results

Meaningful data to guide health programming decisions

Privacy Analytics’ guidance has made it possible for NACDD to proceed with developing its dashboards for public release. These data, featuring chronic disease prevalence estimates and related variables, will be welcomed by public health professionals, healthcare providers, and community organizations alike to aid their decision making.

Public health decisions are often based on self-reported patient data that may be outdated and not include clinical details (e.g., blood pressure measurements). EHR-based distributed networks, like MENDS, can complement traditional surveillance with timely, reliable prevalence estimates. As a result, public health professionals will be able use the detailed and granular information at the ZIP code level to allocate their limited resources most effectively, develop programs for specific audiences, evaluate the impact of their interventions, and continually strengthen the impact. In addition, the data will give provider health systems/clinics a broader perspective of the health status of their communities beyond their own patient population.

NACDD shared a summary of Privacy Analytics’ report with its data contributors and contracted partner sites to emphasize the care being taken to protect the privacy of people represented in the data. The work that Privacy Analytics did in collaboration with NACDD will help to provide these partners with confidence in their decision to share the data for public health purposes. When the dashboards are released publicly, they will also bear a statement attesting that the data has been de-identified in accordance with HIPAA standards.

Hohman appreciates what she learned through working with Privacy Analytics. She added, “It was illuminating for us as an organization to understand the process. And, we have a partner in Privacy Analytics whom we can – and will – engage in the future as needed. After a period of time, the data and what we do with it may change, in which case, we’ll need to call upon Privacy Analytics to refresh their analysis.”

Archiving / Destroying

Are you unleashing the full value of data you retain?

Your Challenges

Do you need help...

OUR SOLUTION

Value Retention

Client Success

Client: Comcast

Situation: California’s Consumer Privacy Act inspired Comcast to evolve the way in which they protect the privacy of customers who consent to share personal information with them.

Evaluating

Are you achieving intended outcomes from data?

Your Challenge

Do you need help...

OUR SOLUTION

Unbiased Results

Client Success

Client: Integrate.ai

Situation: Integrate.ai’s AI-powered tech helps clients improve their online experience by sharing signals about website visitor intent. They wanted to ensure privacy remained fully protected within the machine learning / AI context that produces these signals.

Accessing

Do the right people have the right data?

Your Challenges

Do you need help...

OUR SOLUTION

Usable and Reusable Data

Client Success

Client: Novartis

Situation: Novartis’ digital transformation in drug R&D drives their need to maximize value from vast stores of clinical study data for critical internal research enabled by their data42 platform.

 

Maintaining

Are you empowering people to safely leverage trusted data?

Your Challenges

Do you need help...

OUR SOLUTION

Security / compliance efficiency

CLIENT SUCCESS

Client: ASCO’s CancerLinQ

Situation: CancerLinQ™, a subsidiary of American Society of Clinical Oncology, is a rapid learning healthcare system that helps oncologists aggregate and analyze data on cancer patients to improve care. To achieve this goal, they must de-identify patient data provided by subscribing practices across the U.S.

 

Acquiring / Collecting

Are you acquiring the right data? Do you have appropriate consent?

Your Challenge

Do you need help...

OUR SOLUTIONS

Consent / Contracting strategy

Client Success

Client: IQVIA

Situation: Needed to ensure the primary market research process was fully compliant with internal policies and regulations such as GDPR. 

 

Planning

Are You Effectively Planning for Success?

Your Challenges

Do you need help...

OUR SOLUTION

Build privacy in by design

Client Success

Client: Nuance

Situation: Needed to enable AI-driven product innovation with a defensible governance program for the safe and responsible use
of voice-to-text data under Shrems II.

 

Join the next 5 Safes Data Privacy webinar

This course runs on the 2nd Wednesday of every month, at 11 a.m. ET (45 mins). Click the button to register and select the date that works best for you.