FDA and HIPAA-compliant data protection for clinical research

Key takeaways

  • 100x faster access to data so that data scientists and data analysts get “same day, same hour” access
  • Reallocation of 2 FTEs because they didn’t have to spend time manually controlling access to data and managing legacy infrastructure
  • Ability to prove to the FDA that they were compliant in handling clinical research data, which is critical to their core business helping diagnose health conditions like ADHD and autism

About the company

Cognoa is a pediatric behavioral health company developing digital diagnostic and therapeutic products with the goal of enabling earlier and more equitable care for behavioral health conditions. Cognoa’s products are intended to be routinely prescribed by providers and covered by insurers. Cognoa’s data science and engineering team leverages Immuta for granular policy enforcement to accelerate HIPAA compliant machine learning.


Cognoa trains data models to diagnose behavioral health conditions, including autism and ADHD, using highly sensitive data from its data sources in the AWS Cloud (a HIPAA environment containing patient identifiers and electronic protected health information [ePHI]).

Data privacy and security are of paramount concern for Cognoa, and they needed a software platform that enforces data access rules, permissions, and policy decisions based on attributes and policies in a scalable and explainable manner. However, Cognoa’s legacy practice of securely providing its data scientists and analysts with all of the data required to build their algorithmic models was extremely time- and labor-intensive.

Using legacy scripts, Cognoa’s data scientists and analysts were constantly looking at historical data snapshots, which could be up to one month old. They were also making copies of data. It became clear that in order to advance the innovation of its work, it was essential for the company to expedite this process, provide data scientists with the latest data “same-day same-hour”, and find a way to anonymize sensitive information for reporting.

Initially, Charlie Qin, Cognoa’s Data Platform Owner, estimated it would take his team several months of engineering time to build a tool to log access to sensitive data. It would take even longer to build a solution for data masking that protects user IDs, user names, user emails, birthdays, or gender based on user roles. Additionally, acquiring Kubernetes knowledge, keeping up with numerous versions, and monitoring the tools would limit what Charlie and the data team could accomplish.

“We tried building something ourselves but we’re so happy we chose Immuta,” said Charlie, “Immuta has really accelerated what our data teams can accomplish while also giving us a lot more peace-of-mind.”

For a healthcare company regulated by the FDA and subject to HIPAA, planning for data security and governance upfront is a requirement, since the ramifications of not complying can be severe.

Cognoa was also looking to conduct FDA-approved clinical trials, which added another unique set of requirements for data access. As part of the clinical trial process, Cognoa was required to provide the FDA with Cognoa’s patient data along with information on who reads it, when they read it, how they read it, how long they read it for, what they are querying for, and so on.

Cognoa’s study would be a double-blinded study, meaning neither the participants nor the experimenters can know who is receiving a particular treatment. The challenge was figuring out how to prove to the FDA that the study was double blinded without providing unauthorized access to the data (meaning data scientists could not know which participant was in which group).

This is done so that the FDA can make sure corporations are not influencing the outcome of the trial. If Cognoa could not get FDA approval for its clinical trials, it could potentially waste upwards of $3-5M.


After initially investing time developing its own tooling, Cognoa realized they needed to evaluate and deploy a vendor-provided platform that enforces data access rules, permissions, and policy decisions based on attributes and policies, going beyond the standard resource- or table-based levels of control. This was necessary both for scalability and to be able to explain and prove their compliance.

Cognoa chose Immuta for the ability to apply purpose-based restrictions to Cognoa’s PHI data and dynamically enforce policies in real time. The purpose of the data is simply some metadata – an attribute – within Immuta’s attribute-based control model. When users query the data, Immuta checks that the user is allowed to see the data for that particular purpose. It’s dynamic and easy for Cognoa to maintain.

Additionally, while they initially deployed Immuta in a self-managed environment, Cognoa has since migrated to the Immuta SaaS deployment for ease of maintenance and upgrades. According to Charlie, “Immuta SaaS works well and we haven’t had any issues with it. It’s working the way we envisioned it – transparent, quick, and real-time. That’s what matters to us.”

With Immuta, the Compliance team can tell data platform owners like Charlie about the HIPAA rules and parameters that companies like Cognoa need to adhere to and they can easily prove their compliance. Immuta makes it easy for the data team to show plain English policies in the data policy builder to the Compliance team.

Regarding the clinical trials data, Cognoa leverages Immuta to implement their double-blind study with a service account. They define very clearly what the service account does, and run that by the regulator. Cognoa ensures that only the service account accesses the data, and because the data is masked, the study still counts as blinded. This way, Cognoa makes sure that no one has access to the data outside of well-defined and approved use cases. Cognoa also leverages Immuta’s audit capability and logs, which Charlie can pull up at any time to prove compliant data use.
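To make the two mechanisms described above concrete (purpose as an attribute checked at query time, and a masked, service-account-only view of the blinded data with an audit trail), here is an added illustrative policy evaluator. It is not Immuta’s code or Cognoa’s configuration; the column names, purposes, role attributes and sample rows are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample rows standing in for a trial table (not real patient data).
ROWS = [
    {"participant_id": "P-001", "name": "Ada Example", "email": "ada@example.org",
     "birthday": "2015-04-02", "arm": "treatment", "score": 42},
    {"participant_id": "P-002", "name": "Bo Sample", "email": "bo@example.org",
     "birthday": "2016-09-17", "arm": "control", "score": 37},
]
PHI_COLUMNS = {"name", "email", "birthday"}  # masked unless the purpose allows PHI
BLINDED_COLUMNS = {"arm"}                     # group assignment: service account only
UNMASKED_PURPOSES = {"clinical_operations"}   # assumed purpose that may see PHI
AUDIT_LOG = []                                # one entry per query, for the regulator


@dataclass(frozen=True)
class User:
    name: str
    attributes: frozenset  # e.g. {"role:data_scientist", "purpose:model_training"}


def mask(value: str) -> str:
    """Deterministic one-way mask: rows stay joinable, identifiers are not exposed."""
    return "masked:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def query(user: User, purpose: str, rows=ROWS):
    """Return rows exactly as `user` would see them for the declared `purpose`."""
    if f"purpose:{purpose}" not in user.attributes:
        AUDIT_LOG.append({"user": user.name, "purpose": purpose, "allowed": False})
        raise PermissionError(f"{user.name} is not approved for purpose {purpose!r}")
    unblinded = "role:trial_service_account" in user.attributes
    unmasked = purpose in UNMASKED_PURPOSES
    result = []
    for row in rows:
        visible = {}
        for col, val in row.items():
            if col in BLINDED_COLUMNS and not unblinded:
                continue  # analysts never learn which arm a participant is in
            if col in PHI_COLUMNS and not unmasked:
                val = mask(str(val))
            visible[col] = val
        result.append(visible)
    AUDIT_LOG.append({"user": user.name, "purpose": purpose, "allowed": True,
                      "columns": sorted(result[0]) if result else [], "rows": len(result)})
    return result
```

Calling `query` as the analyst and then as the service account shows the same table answered two different ways, with the audit log recording who asked, for what purpose, and which columns came back.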

According to Charlie: “With Immuta you can basically emulate a user’s query and their permissions to see exactly what they see. You can see it in a governed way and ensure that no one gets access to something they’re not supposed to.”


Immuta alleviates the burden on Cognoa’s data team and accelerates overall productivity. The team can easily define and enforce detailed data access policies that guarantee the security and anonymity of sensitive data as required by healthcare industry regulations.

  • 100x faster access to data so that data scientists and data analysts get “same day, same hour” access
  • Reallocation of 2 FTEs — because they didn’t have to spend time manually controlling access to data and managing legacy infrastructure
  • FDA and HIPAA compliance — Immuta empowers Cognoa to run and prove compliant data use in their double-blinded studies by enabling them to easily provide compliance to the FDA (and also prove HIPAA compliance). With the help of Immuta, Cognoa protects over 160 tables and also facilitates secure access to service accounts for auditing purposes.

According to Charlie: “Immuta brings stability to the business. Without Immuta, our data scientists and data analysts can’t read the data, they can’t use the data. Immuta keeps the business moving.”

Solution details:

  • Time to complete install: 1 week to install, migrate, test & deploy to production
  • Time to migrate to SaaS: Rapid deployment, migration under 5 days
  • Number of production users: 8 + additional service account
  • Number of new users added per month: –
  • Amount of data increased: 15-20%
  • Number of tables protected: 160. “We had six to seven columns that can really make or break a company that were essentially protected by Immuta, like a customer’s name, phone number or email, or certain expressions that needed to be masked.”
  • Query time/performance impact: No impact after migrating to SaaS (which is a good thing)