implementing PHI de-identification

the challenge

A US-based multinational specializing in health information required a data anonymization process to replace a legacy system. The data involved was for prescriptions from specialty pharmacies across the US. This prescription data was destined for the drug manufacturers, who used the data for research and marketing purposes. The data contained personal health information (PHI) and as such was governed by the Health Insurance Portability and Accountability Act (HIPAA). To share the data under HIPAA, the PHI would have to be removed.

de-identification

Prior to my joining the project, a de-identification system was built to meet an initial set of requirements gathered with the client. My role began with an evaluation of deficiencies in the anonymization solution. This included:

• Understanding outstanding validation checks for incoming data.
• Monitoring for insufficient de-identification
• Understanding the requirements for further modifications to the output data required for consumption by various downstream data warehouses

process implementation

The service required a number of support functions, such as:

• Onboarding of new feeds.
• Onboarding of new data suppliers. This included: setup of network &encryption routines; the establishment of error handling protocols and joint support communications; and the determination of special requirements for data anonymization and output formats.
• Testing to migrate existing feeds from the incumbent provider.
• Migration of existing data suppliers and data feeds to the new platform.
• Investigation and remediation processes for production.
• Reporting and escalation processes.
• End of day and end of week reconciliation for all production data.
• Support for the clients' teams that were generating new business for the service.

Additionally, a number of supporting scripts and automated routines were required to automate things like error correction, dashboard updates, and reporting.

solutions

This challenge was met by guiding adoption of third-party de-identification technology within the client's environment, a process that included:

• Working with the client as well as the incumbent competitor to understand the complexities of the countless "corner cases" that had been established by precedent over the years.
• Developing requirements for the outsourced development team to deliver solutions for those complexities.

• Developing schedules for simultaneous feed migration and software releases.

• Directing the development of the needed supporting scripts as well as their eventual replacement by in-application functionality.
• The adoption of a software release package (Jenkins).

A considerable amount of work went into the processes required to instantiate the service and support it once in production. This involved an iterative process of determining the requirements, observing their behavior in production, and making necessary adjustments. The counter-parties in the service were key to this process. As such substantial effort went into advising the client and their suppliers on the processes and tools that would have to be adopted to ensure success.

evolution

Once we were in production, I evaluated significant areas of risk to the service as a line of business, including program management, implementation issues, and the cost of remediation against revenues. This led to a series of reports on improvements to the client's understanding of the data and the further work that would required ensuring sufficient HIPAA compliance as changes to the data were instituted by the suppliers. I further led the discussion to ensure that corrective projects were staffed and started.

outcomes

The service launched in August 2017. By the end of my engagement in June 2018, more than 90 data feeds were live on the platform. We had also successfully passed a HIPAA audit in late 2017. As the consulting/build part of the service's establishment came to a close and the steady state was managed by the client's permanent staff, the client was handed a system that was thoroughly documented, supported by an appropriate mix of manual and automated routines, and functioning at a high rate of efficiency and with the intended capabilities.