michael werneburg

implementing PHI de-identification

the challenge

A US-based multinational specializing in health information required a data anonymization process to replace a legacy system. The data involved was for prescriptions from specialty pharmacies across the US. This prescription data was destined for the drug manufacturers, who used the data for research and marketing purposes. The data contained personal health information (PHI) and as such was governed by the Health Insurance Portability and Accountability Act (HIPAA). To share the data under HIPAA, the PHI would have to be removed.


Prior to my joining the project, a de-identification system was built to meet an initial set of requirements gathered with the client. My role began with an evaluation of deficiencies in the anonymization solution. This included:

process implementation

The service required a number of support functions, such as:

Additionally, a number of supporting scripts and automated routines were required to automate things like error correction, dashboard updates, and reporting.


This challenge was met by guiding adoption of third-party de-identification technology within the client's environment, a process that included:

A considerable amount of work went into the processes required to instantiate the service and support it once in production. This involved an iterative process of determining the requirements, observing their behavior in production, and making necessary adjustments. The counter-parties in the service were key to this process. As such, substantial effort went into advising the client and their suppliers on the processes and tools that would have to be adopted to ensure success.


Once we were in production, I evaluated significant areas of risk to the service as a line of business, including program management, implementation issues, and the cost of remediation against revenues. This led to a series of reports on improvements to the client's understanding of the data and the further work that would be required to ensure sufficient HIPAA compliance as changes to the data were instituted by the suppliers. I further led the discussion to ensure that corrective projects were staffed and started.


The service launched in August 2017. By the end of my engagement in June 2018, more than 90 data feeds were live on the platform. We had also successfully passed a HIPAA audit in late 2017. As the consulting/build part of the service's establishment came to a close and the steady state was managed by the client's permanent staff, the client was handed a system that was thoroughly documented, supported by an appropriate mix of manual and automated routines, and functioning at a high rate of efficiency and with the intended capabilities.