It’s been 15 years since the U.S. Department of Health and Human Services (HHS) began enforcing the Health Insurance Portability and Accountability Act’s “Privacy Rule,” which set forth two main strategies to de-identify, and thereby legally use and disclose, protected data. The first is the “Safe Harbor” method, which requires entities to remove 18 specific identifiers (fields like name, address, and the like) from data. The second is an expert determination that, after principles and methods have been applied to de-identify the data, the risk of re-identification is “very small.”
Changing Technology, Changing Data
Since that time, changes have emerged that make managing HIPAA requirements more difficult. The volume, velocity, and variety of data — also known as the “Three V’s of Big Data” — have increased exponentially, so much so that we now generate an estimated (almost unimaginable) 2.5 quintillion bytes of data every day. Alongside this trend, new machine learning techniques have emerged to make sense of all that data — and, in the process, have eroded what were previously clear boundaries between different types of data.
When the Privacy Rule was first implemented, for example, it was relatively clear what counted as data relating to your health. Now, with fitness trackers, the Internet of Things, and the ubiquity of sensing devices, those boundaries are becoming increasingly fuzzy. Insurance companies like John Hancock, one of the largest insurers in North America, now require regular activity monitoring for life insurance policies. Researchers can now detect neurodegenerative disorders from search histories.
Does fitness data count as insurance data? Does search history data count as health data? Given all of the data we generate, what, exactly, counts as “medical information?”
A Simple Way to Consistently Enforce HIPAA
These are incredibly important questions, which is why we are so excited to release our “Playbook for HIPAA-Compliant AI,” which illustrates how organizations and medical providers can use Immuta to help make their data activities HIPAA compliant.
Specifically, our playbook provides step-by-step instructions to implement two key policies critical for covered entities: masking and differential privacy.
- A masking policy helps remove the 18 key identifiers from datasets by replacing them with irreversibly hashed values.
- Differential privacy provides mathematical guarantees that the risk of identifying any individual within a dataset is very small. It works by injecting random noise into the results of aggregate queries, masking each individual’s contribution.
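To make the masking idea concrete, here is a minimal sketch of irreversible hashing in Python. The field names, the salt, and the `mask_identifier` helper are all illustrative assumptions for this post, not Immuta’s API:

```python
import hashlib

def mask_identifier(value: str, salt: str) -> str:
    """Replace a direct identifier with an irreversible salted SHA-256 hash."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()

# Hypothetical patient record; "name" and "zip" stand in for Safe Harbor identifiers.
record = {"name": "Jane Doe", "zip": "21201", "diagnosis": "J45.909"}
IDENTIFIER_FIELDS = {"name", "zip"}
SALT = "per-organization-secret"  # assumed: kept secret to resist dictionary attacks

# Hash only the identifier fields; leave clinical fields untouched.
masked = {
    field: mask_identifier(value, SALT) if field in IDENTIFIER_FIELDS else value
    for field, value in record.items()
}
```

Because the same input always maps to the same hash, masked records can still be joined across tables, while the original identifier values cannot be recovered from the hashes themselves.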
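And as a rough illustration of the noise-injection idea behind differential privacy, here is the standard Laplace mechanism applied to a count query — a textbook construction, sketched here for intuition rather than as Immuta’s implementation:

```python
import math
import random

def dp_count(true_count: int, epsilon: float) -> float:
    """Return a count perturbed with Laplace noise calibrated to sensitivity 1.

    A count query changes by at most 1 when any one person is added to or
    removed from the dataset, so noise drawn from Laplace(scale=1/epsilon)
    yields epsilon-differential privacy for this single query.
    """
    scale = 1.0 / epsilon
    # Sample Laplace noise via the inverse-CDF method.
    u = random.random() - 0.5  # uniform on [-0.5, 0.5)
    noise = -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return true_count + noise

random.seed(0)  # for reproducibility of this sketch
noisy = dp_count(true_count=100, epsilon=1.0)
```

A smaller epsilon means more noise and stronger privacy: analysts still see accurate aggregates on average, while any single patient’s presence has a provably small effect on the output.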
With the Immuta platform, hospitals and healthcare providers can streamline data access and control, share data, and coordinate care more quickly — while improving patient outcomes and protecting personal data.
Download the Immuta Playbook: HIPAA Compliant AI