The General Data Protection Regulation is a European Union law that was implemented May 25, 2018, and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory.
On November 26, 2012 Health and Human Services (HHS) Office for Civil Rights (OCR) issued“Guidance Regarding Methods for De-identification of Protected Health Information (PHI) in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule”.
This communication outlines methods for de-identification of protected health information (PHI) when it is being used for secondary purposes. Some other examples of secondary usage being addressed by our service:
* Publishing results of publicly funded clinical trials or other government data.
* Performing analysis on data that is contained within a data warehouse.
* Collections of site specific health related data that is loaded into a centralized repository for the purpose of disease surveillance, monitoring
compliance, and service planning.
* Patient data captured from medical devices and collected in a centralized repository.
* Utilization of data from production environments for the purpose of functional or performance testing by internal teams and outsourced
software development teams.
The average lost business cost from a data breach is approximately $3.8M, according to studies done by IBM. Healthcare organizations and their business associates that create, store, transmit, or receive electronic PHI (ePHI) often use this data for some of the secondary purposes listed above. There is very convincing financial business case made for these organizations to anonymize and de-identify ePHI when using it for secondary purposes because improper anonymization or lack of anonymization can be very costly and contribute to data breaches.
While external cyber-attacks are always a concern with data breaches, studies have shown that the majority of data breaches are a result of negligence of internal team members, employee’s, vendors and contractors, or other third parties. This negligence happens because of malicious or careless actions. According to a 2015 study funded by IBM, the root cause of data breaches occurred based on the following percentages:
* 47% of data breaches happen because of Malicious insiders or criminal attacks.
* 29% of data breaches happen because of system glitches.
* 25% of data breaches happen because of human error.
Some industries have even higher damaging costs associated with data breaches. The overall data breach costs across all industries is $154 per affected individual. However, heavily regulated industries such as healthcare, education, pharmaceutical and financial services have a per individual data breach cost substantially above the overall average. For example:
* Financial Services per employee data breach damage cost is $215 per employee.
* Pharmaceuticals per employee data breach damage cost is $220 per employee.
* Education per employee data breach damage cost is $300 per employee.
* Healthcare per employee data breach damage cost is $363 per employee.
Some of these costs include the cost of breach notification in notifying your patients, customers, or employees, the loss of your database records, and the lost business costs. You may also experience a loss in customer churn from higher than normal turnover of customers, increased customer acquisition costs to gain new customers back, reputation and PR losses in your marketplace, and diminished good will. Not to mention, penalties from regulators performing HIPAA audits and inspections will impact your organization ultimately because of a lack of healthy anonymization and de-identification practices.
De-identification is mandated when using Protected Health Information (PHI) for secondary purposes without patient consent. The most common secondary uses of data include:
* Copying production databases and data files
* Quality assurance testing for both internal and external development teams
* Outsourced third-party health management services
* Using electronic medical records as a source of clinically relevant patient data for use in observational studies including Epidemiologic
studies, Health services research, Clinical studies and Clinical trials, etc.
At Info Incognito we believe that de-identification not only protects an individual's identity, but also plays a critical role in the future advancements of population health and quality of life improvements.
Unless patients have provided consent (which is often difficult or impractical to get) their personal information is protected and cannot be shared for any reason. But, after information is de-identified it’s no longer considered PHI and not subject to the HIPAA Privacy and Security Rules. Our secure data masking enables the important information sharing that’s necessary for ongoing healthcare advancements.
Leverage your data to help others live better lives. Schedule a call today to reduce risk and comply with confidence.
We have scalable solutions to deliver exactly what our clients need with speed and accuracy. Whether it’s consulting or custom software, we are the solution for your de-identification project needs:
* Review and Advice
* Actionable Recommendations