As part of the HITRUST 2019 conference today, I attended a panel on De-Identification.
Here’s the panel:
- Ann Kimbol, Assistant General Counsel, HITRUST
- Sarah Lyons, Chief Operating Officer, Privacy Analytics
- Dr. Bryan Cline, Vice President of Standards and Analytics, HITRUST
De-Identification: Its Value to Businesses and How to do it Right – My Takeaways
Here are my takeaways from the panel:
- De-Identification is a process of removing personally identifiable information from data
- De-ID is useful for health research
- when done properly, De-Identified data falls outside the scope of regulations (e.g. GDPR, CA Consumer Privacy Act, Brazil Data Protection Act)
- Direct Identifiers: Name, address, telephone number, fax #, MR, SSN, email address, photograph., clinical trial record number
- Quasi-identifiers: sex, age, DOB, zip code, marital status, # of children
- Direct Identifiers vs Quasi-identifiers are important distinction
- Risks of re-identification: 1) data risk 2) context
- What constitutes an expert?: Education, experience, and HITRUST program for de-identification
- HITRUST De-Identification certifications: Certified De-Identification Associate (CDA) and Certified De-Identification Professional (CDP)
- There is no universally accepted scoring system
- There is a HITRUST framework for de-identification
- “The same data set can be de-identified in different ways.” (Sarah Lyons)
- Expert Determination Method: A person with appropriate knowledge and experience with generally accepted principles of De-Identification. Also involves a determination that the risk of identification is very small.
- HITRUST De-ID Framework: Governance, Documentation, Explicit ID of Data Custodian, External or Independent Scrutiny
HITRUST 2019 positions itself is the most comprehensive and definitive information risk management conference for privacy, security, and compliance professionals.
The conference is held at the Gaylord Texan Resort in Grapevine, Texas.