Privacy Analytics Certification services help health care organizations evaluate the re-identification risk of personal information using sophisticated threat models and scenarios. Additionally, Privacy Analytics provides auditable, detailed Risk Determination certifications based on our findings.
THE BENCHMARK FOR DE-IDENTIFICATION AND DATA MASKING
The Privacy Analytics methodology is based on the HIPAA Expert Determination De-identification Standard, and is similar to the approaches outlined in the Institute of Medicine, PhUSE and HITRUST Alliance de-identification standards. Even for organizations that are not Covered Entities, the HIPAA standard is a strong source of guidance on anonymization, de-identification and data masking.
TYPES OF CERTIFICATION
Re-identification Risk Determination (RRD)
In a Re-identification Risk Determination, Privacy Analytics reviews an already de-identified dataset and certifies that the data is at a low enough level of risk to be safely released for the intended purpose. If the risk is low enough, we provide a certification and report; if it is not, we provide recommendations on which fields need to be changed and in what way.
Re-identification Risk Determination and Anonymization (RRDA)
A Re-identification Risk Determination and Anonymization includes the risk determination described above, and also includes the anonymization (or de-identification) of the dataset, so your organization can be confident that the data being shared is HIPAA-compliant and at an acceptable level of risk.
Conceptual Re-identification Risk Determination (CRRD)
The conceptual approach may suit customers that are able to implement a de-identification risk strategy on their own. A CRRD is very similar to an RRD: we review the dataset schema attributes for risk of re-identification and certify that it is low risk. In this case, however, we do not have the actual data. This process is ideal for organizations that need to verify best practices or have strict controls over their data.
1. Determining the appropriate threshold for your dataset
2. Measuring the actual re-identification risk
3. Producing a re-identification risk determination report
“It’s insurance that we’re not going to inadvertently make a disclosure that we shouldn’t.” - Dr. Ann Sprague, Better Outcomes Registry Network (BORN) Scientific Manager