FDA and HIPAA-compliant data protection for clinical research

Key takeaways

100x faster access to data so that data scientists and data analysts get “same day, same hour” access

Reallocation of 2 FTEs because they didn’t have to spend time manually controlling access to data and managing legacy infrastructure

Ability to prove to the FDA that they were compliant in handling clinical research data, which is critical to their core business helping diagnose health conditions like ADHD and autism

About the company

Cognoa is a pediatric behavioral health company developing digital diagnostic and therapeutic products with the goal of enabling earlier and more equitable care for behavioral health conditions. Cognoa’s products are intended to be routinely prescribed by providers and covered by insurers. Cognoa’s data science and engineering team leverages Immuta for granular policy enforcement to accelerate HIPAA-compliant machine learning.

Challenge

Cognoa trains data models to diagnose behavioral health conditions, including autism and ADHD, with highly sensitive data from its AWS data sources in the AWS Cloud (a HIPAA environment containing patient identifiers and electronically protected health information [ePHI]). 

Data privacy and security are of paramount concern for Cognoa, and it needed a software platform to enforce data security rules, permissions, and policy decisions using attributes and policies in a scalable and easy-to-understand manner.

However, Cognoa’s legacy practice of providing its data scientists and analysts with all of the data required to build their algorithmic models securely was extremely time- and labor-intensive.

Using legacy scripts, Cognoa’s data scientists and analysts were constantly looking at historical data snapshots, which could be up to one month old. They were also making copies of data. It became clear that in order to advance the innovation of its work, it was essential for the company to expedite this process, provide data scientists with the latest data “same day same hour,” and find a way to anonymize sensitive information for reporting. 

Initially, Charlie Qin, Cognoa’s Data Platform Owner, estimated it would take his team several months of engineering time to build a tool to capture logging of sensitive data. Additionally, it would take even longer to build a solution for data masking in order to protect user IDs, user names, user emails, birthdays, or gender based on these roles. Additionally, acquiring Kubernetes knowledge, keeping up with numerous versions, and monitoring the tools would limit what Charlie and the data team could accomplish.

“We tried building something ourselves, but we’re so happy we chose Immuta,” Qin said. “Immuta has really accelerated what our data teams can accomplish while also giving us a lot more peace-of-mind.”

As a healthcare company regulated by the FDA for HIPAA compliance, planning for data security and governance upfront is a requirement since the ramifications of not complying can be severe.

Another Hurdle: Achieving FDA Compliance

As a healthcare company regulated by the FDA for HIPAA compliance, planning for data security and governance up front is a requirement since the ramifications of not complying can be severe.  

Cognoa was also looking to conduct FDA-approved clinical trials, which added another unique set of requirements for data security. As part of the clinical trial process, Cognoa was required to provide the FDA with patient data, along with information on who reads it, when, how, for how long, and why.

Cognoa’s study would be double-blind, meaning neither the participants nor the experimenters – including the data scientists – can know who is receiving a particular treatment. The challenge was figuring out how to prove to the FDA that the study was double-blind without providing unauthorized access to the data.

This is done so that the FDA can make sure corporations are not influencing the outcome of the trial. If Cognoa could not get FDA approval for its clinical trials, it could potentially waste upwards of $3-5M.

Solution

After initially investing time developing its own tooling, Cognoa realized it needed to evaluate and deploy a vendor-provided platform to enforce data security rules, permissions, and policy decisions using attributes, and policies beyond the standard resource or table-based control levels. This was necessary for both scalability and to be able to explain and prove their compliance.

Cognoa chose Immuta for the ability to apply purpose-based restrictions to Cognoa’s PHI data and dynamically enforce policies in real time. The purpose of the data is simply some metadata – an attribute – within Immuta’s attribute-based control model. When users query the data, Immuta checks that a user is allowed to see the data for that particular purpose. It’s dynamic and easy for Cognoa to maintain.

Additionally, while it initially deployed Immuta in a self-managed environment, Cognoa has since migrated to the Immuta SaaS deployment for ease of maintenance and upgrades. According to Charlie, “Immuta SaaS works well and we haven’t had any issues with it. It’s working the way we envisioned it – transparent, quick, and real-time. That’s what matters to us.”

With Immuta, the Compliance team can tell data platform owners like Charlie about the HIPAA rules and parameters that companies like Cognoa need to adhere to, and they can easily prove their compliance. Immuta makes it easy for the data team to show plain-language policies in the data policy builder to the Compliance team.

Regarding the clinical trials data, Cognoa leverages Immuta to implement its double-blind study with a service account. It defines very clearly what the service account does, and runs that by the regulator. Cognoa ensures that the service account accesses the data, and if the data is masked, it still counts as being blinded. This way, Cogoa makes sure that no one has access to the data outside of well-defined and approved use cases. Cognoa also leverages Immuta’s audit capability and logs that Charlie can pull up at any time to prove compliant data use.

According to Qin, “With Immuta you can basically emulate a user’s query and their permissions to see exactly what they see. You can see it in a governed way and ensure that no one gets access to something they’re not supposed to.”

With Immuta you can basically emulate a user’s query and their permissions to see exactly what they see. You can see it in a governed way and ensure that no one gets access to something they're not supposed to.

Charlie Qin Data Platform Owner

Results

Immuta alleviates the burden on Cognoa’s data team and accelerates overall productivity. The team can easily define and enforce detailed data access policies that guarantee the security and anonymity of sensitive data as required by healthcare industry regulations.

  • 100x faster access to data – Immuta solved Cognoa’s latency challenges, providing sensitive data to data scientists and data analysts in the “same day, same hour.” Prior to Immuta, Cognoa’s data scientists were constantly looking at historical snapshots of data of which the cleansed script could be up to a month old. With Immuta, Cognoa can deliver sensitive data to data scientists and analysts in seconds, all while ensuring HIPAA-compliant data use. 
  • Reallocating 2 FTEs – Cognoa moved 2 full-time employees (FTEs) to new tasks because they didn’t have to spend time manually controlling access to data and managing legacy infrastructure. This increased even more sharply with the migration to Immuta SaaS, which took only 5 days, and meant that the team no longer had to spend time on maintaining Immuta.
  • FDA and HIPAA compliance – Immuta empowers Cognoa to run and prove compliant data use in their double-blind studies by enabling it to easily provide compliance to the FDA (and also prove HIPAA compliance). With the help of Immuta, Cognoa protects more than 160 tables and facilitates secure access to service accounts for auditing purposes. 

According to Qin, “Immuta brings stability to the business. Without Immuta, our data scientists and data analysts can’t read the data, they can’t use the data. Immuta keeps the business moving.”

In the future, Cognoa is looking to do more external data sharing with a partner company, clinics/healthcare providers, or a digital health exchange. Cognoa sees Immuta as the platform enabling safe data sharing so it can extend the value of their data.

Immuta brings stability to the business. Without Immuta, our data scientists and data analysts can't read the data, they can't use the data. Immuta keeps the business moving.

Charlie Qin Data Platform Owner

Solution details:

  • Time to complete install: 1 week to install, migrate, test & deploy to production
  • Time to migrate to SaaS: Rapid deployment, migration less than 5 days
  • Number of production users: 10 and an additional service account
  • Amount of data increased: 15-20%
  • Number of tables protected: 160.We had six to seven columns that can really make or break a company that was essentially protected by Immuta like a customer’s name or a customer phone number email, or certain expressions that needed to be masked.
  • Query time/performance impact: No impact after migrating to SaaS (which is a good thing)