De-Identification Guidance for Family Planning


Page 1: De - Identification Guidance for Family Planning · De - Identification Guidance for Family Planning FPAR2.0@hhs.gov Welcome to today’s webinar on the de-identification guidance

Slide 1

Welcome to IHE ITI De-Identification Guidance for Family Planning

FPAR2.0@hhs.gov

Welcome to today’s webinar on the de-identification guidance OPA is developing for the family planning profile in partnership with Integrating the Healthcare Enterprise. I’m Christina Lachance, Public Health Advisor at the Office of Population Affairs and the staffer who’s been in charge of leading the effort to revise the Family Planning Annual Report since 2012. As you may know, this work is directly connected to OPA’s efforts to revise FPAR to be interoperable with electronic health records systems. This is why privacy and security work is especially important to consider as we move this project forward. We are thrilled you could take the time to join us today. We hope that this will give you an idea of what to expect from the committee work that we are launching and entice you to partner with us.


Slide 2

[Photos: Christina, Johanna, Lauren, Gila]

We thought it’d be helpful for you to have a picture of who was talking to you today. Christina Lachance is the public health advisor and Health IT Team Lead for FPAR 2.0. Johanna Goderre is the Senior Health Informatics Advisor and technical lead for the Health IT Team. Lauren Corboy is an ORISE Fellow with the OPA Health IT Team. She manages the team’s social media work, and has been working in the health IT field for about 2.5 years. Gila Pyke is today’s guest star as the co-chair of the IHE ITI technical committee that is leading this effort and is a Privacy and Security consultant working in the Health IT space and helping with the FPAR 2.0 privacy and security roadmap.


Slide 3

You’re in the right place if you…

• Are invested in helping OPA create the future of FPAR
• Want to impact the Family Planning Technical Profile that will be implementable by any EHR vendor (both in and outside Title X)
• Become the go-to person in your organization for knowing the nitty-gritty of FPAR 2.0
• Want to be at the table to help OPA make critical decisions about data elements that might be challenging from a privacy and security perspective
• Care about the privacy and security of data within your organization

If any of these statements describe your reason for showing up here today, then you are in the right place! BENEFITS OF PARTICIPATION – become the go to person in your organization for FPAR 2.0, gain hands-on knowledge of the Privacy and Security roadmap and de-Identification methodology and become a champion for privacy and security. IF for some reason there is a challenge with one of these data elements, you will be at the table to help make the decision on what happens with this data in the future


Slide 4

FPAR 2.0 Privacy and Security Roadmap

http://opahit.sites.usa.gov/

[Roadmap diagram. Phases: Assess, Plan, Design, Implement, Deploy. Rows: Activities, Milestones. Cell text, in extraction order:]

• Establish grantee reporting and privacy and security capacity
• Draft grantee privacy and security governance model
• Select De-Identification algorithm
• Hosting System configuration
• Training and Awareness
• Identify target information inventory
• Agreement on Privacy and Security roadmap
• Perform Conceptual PIA and TRA
• Conceptual PIA and TRA and risk mitigation plan
• Design FPAR 2.0 architecture based on Conceptual PIA and TRA and planned safeguards
• Delta PIA and TRA of FPAR 2.0 design
• Define Privacy and Security obligations for data sharing agreement
• Privacy and Security communication and training strategy
• Delta PIA and TRA on physical architecture, including vulnerability assessment (VA)
• Signed NGA and DSA components
• Updated configurations post-VA acceptance
• Communication and training strategy
• User provisioning
• Other activities as defined by updated PIA and TRA mitigation plans
• Maintenance strategy approved
• Go-Live! First reports collected
• Program performance plans established
• Identify target data flows
• Identify target provider and system actors
• Identify target privacy and security requirements per actor
• Updated P+S Roadmap and requirements
• Identify de-identification requirements and options
• FPAR 2.0 privacy and security risk mitigation plan update
• Approved DSA integrated into NGA
• Privacy and Security questions incorporated into FPAR 2.0 feasibility questionnaire
• Privacy and Security plan reviewed by legal counsel
• Create detailed program instructions and supporting toolkit
• Privacy and Security capacity improvement

Just a reminder that the privacy and security roadmap has been discussed in 2 blog posts and there is more information on the blog here: http://opahit.sites.usa.gov/2015/02/17/privacy-and-security-for-fpar-2-0/ This lays out what we need to accomplish to ensure that all the privacy and security building blocks are in place to enable the benefits of complex data sharing among the diverse stakeholders in the FPAR 2.0 community. Privacy and Security safeguards at the administrative, technical and physical levels are all needed to reduce the risk of potential harm to our clients. We want to do everything we can to reduce the potential for the breaches or misuse of data that you hear so much about in the news nowadays. There are a lot of steps involved!


Slide 5

How this work relates to FPAR 2.0

• The data elements in the FP Profile will satisfy the FPAR 2.0 reporting requirements and feed QFP-related performance measures
• Enable us to return clinically relevant metrics back to the network
• Vision: Promote the adoption of these metrics outside of Title X

[Bar chart: 2010 vs. 2014 for four panels (My performance, My site, My network, National); vertical axis 0% to 70%]

Protecting client privacy is a cornerstone of the success of FPAR 2.0

This shows the long term goal of FPAR 2.0 – giving everyone back metrics that are clinically-relevant and interpretable at all levels of the Title X network. We are also working in collaboration with measure endorsement organizations, like NQF, to have some of our FPAR 2.0 measures adopted for use beyond Title X in any setting where family planning care is delivered.


Slide 6

Today’s Objectives

By the end of this orientation, you will be able to:

• Communicate to your peers about IHE and the IHE ITI De-Identification for Family Planning effort
• Participate actively in teleconference discussions to select de-identification guidance for Family Planning data
• Find the resources and information you need to participate in this effort

People describe the first 6 months of standards work as drinking through a fire hose. The purpose of this webinar is to try to ease that a little and give you enough information to help you understand what to expect, how to participate, and where to find the info that you need or know who to ask questions to. EVERYONE IS WELCOME TO PARTICIPATE!


Slide 7

What is IHE ITI

http://www.ihe.net

• IHE International is an initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information.
• IHE is composed of 12 domains, responsible for the development and maintenance of IHE Technical Frameworks.

IHE domains:

• Anatomic Pathology
• Cardiology
• Dental
• Eye Care
• IT Infrastructure
• Laboratory
• Patient Care Coordination
• Patient Care Devices
• Pharmacy
• Quality, Research and Public Health
• Radiation Oncology
• Radiology

IHE promotes the coordinated use of established standards to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively. IHE is a public collaboration – anyone can participate and lend their expertise. The domains most relevant for the work OPA is doing with the family planning profile are QRPH and ITI. ITI is the committee responsible for defining INTEROPERABILITY, including how to transmit data between systems, as well as the privacy and security components of ensuring trust and safety of sensitive data.


Slide 8

What is De-Identification for Family Planning

• The IHE Family Planning (FP) profile published in 2014 references use of highly sensitive data elements
• FP data elements are needed for clinical purposes, but we want to use a less identifiable set of data for reporting and other purposes
• Privacy principles and various regulations require that sensitive data be treated according to several principles, including a minimization principle that requires that only the minimum necessary data needed for the purpose at hand be used. This can be achieved through de-identification of the Family Planning data set.
• The purpose of the De-Identification Guidance for Family Planning effort is to determine the optimal methods and algorithms that should be used for the FP data set.

Last year, the IHE Family Planning profile referenced the use of sensitive data elements that any type of provider or health system might need to calculate important reproductive health performance measures. The profile was written to be widely applicable to different healthcare settings. Title X reporting, however, would not need that much detail. In order to protect information about family planning clients, we can propose methods to remove individually identifiable information in an encounter-level report. In other words, we can reduce the risk that someone could figure out the true identity of a client using that report before sending it to the future FPAR 2.0 repository. This process is commonly called de-identification. HIPAA requires clinical services providers to protect sensitive information documented during a typical family planning healthcare visit in several ways. For example, you need to keep it safe in transit (i.e. you should digitally encrypt an electronic form before sending it to someone else or you should place a paper form in a sealed envelope and mail it through a bonded courier). Additionally, if something goes wrong, you should have a method for documenting and investigating what happened so you can prevent it in the future (i.e., an audit trail). HIPAA also stipulates that covered entities should use methods to ensure that only the right people have access to sensitive information (e.g., staff who possess the proper credentials and training, and have “a need to know”, called access controls). Even with all these safeguards in place, however, sharing sensitive information from a family planning visit may still pose a risk to the client. OPA is therefore committed to providing guidance to ensure that FPAR 2.0 data are as fully protected as possible. 
A key element of Privacy Design, and a concept that the HIPAA privacy rule calls the “Minimum Necessary Requirement,” is to limit the information that you share to only that which is strictly necessary. This is often done either by removing elements that are not strictly necessary for the recipient to be able to use the data (for the purpose for which the data was shared), or by finding other methods to de-identify the data. This way, even if the information was intercepted, broken into, and decrypted, the ability to identify the client would be minimal. Since not all client-level information collected in the course of a family planning visit is necessary for FPAR 2.0 reporting or performance measure purposes, there is great opportunity to reduce risk through the application of simple but effective de-identification techniques.


Slide 9

[Sample FPAR 2.0 form]

Facility: Wellness Now, 123 Main Street, Muncie, IN 47383
Provider: Carrie Provider, NP, 123-456-789-3
Patient Identifier & Name: HYY-14-771, Ginny Testcase
Sex: ● Female ⃝ Male
Date of Birth: 09/22/1991
Ethnicity: ● Hispanic or Latina/o ⃝ Not Hispanic or Latina/o
Race (check all that apply): ☐ American Indian / Alaska Native ☐ Native Hawaiian or Other Pacific Islander ☐ Asian ▪ White ☐ Black / African American
Annual Household Income: $42,786
Household Size: 2
Insurance Coverage: ⃝ No insurance ⃝ Veteran/military ⃝ Medicaid ⃝ Other public ● Self-pay ⃝ Private/group ⃝ Medicare ⃝ CHIP
Limited Language Proficiency (English): ⃝ Yes ● No
Visit Date: 01/12/2014
Height: 180.73 ● cm
Weight: 95.2 ● kg
Blood Pressure: Systolic 140, Diastolic 106
Smoking Status: ⃝ Never ⃝ Smoker, unknown current ● Former smoker ⃝ Unknown if ever smoked ⃝ Current every day ⃝ Heavy ⃝ Current some day ⃝ Light

This is an example of how identifiers in our sample FPAR 2.0 form could be masked or de-identified. See the following slides.


Slide 10

[Same sample form as Slide 9, with one callout:]

Anonymized ID, grantee & OPA know link

The facility identifier can be extremely identifying of an individual patient, but is also very necessary for longitudinal studies. For de-Identification purposes, we know we can’t delete it so the best path forward would be to find a way to replace the identifier with a number that is only known to the grantee and perhaps OPA but is otherwise undiscoverable to other users of the data.


Slide 11

[Same sample form as Slide 9, with callouts:]

Anonymized ID, grantee holds link

Anonymized ID, grantee & OPA know link

Similarly, the provider ID is extremely identifying, but may be valuable for longitudinal studies. In this case, it may be best for the facility or grantee to replace the ID with a random value before sharing it externally or with OPA.


Slide 12

[Same sample form as Slide 9, with callouts:]

Anonymized ID, grantee holds link

Calculate age at visit date, report in age category 20-24

Anonymized ID, grantee & OPA know link

Birthdates are very unique to the individual, and that level of detail may not be needed for research purposes. Generalizing the actual birthday to the age, or even to the age within a range/category may be sufficient for the purposes at hand and will be far less identifying of an individual.
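The three transformations walked through on Slides 10 to 12, as an added example that is not part of the original presentation: a keyed pseudonym for the facility, a random pseudonym with a grantee-held link table for the provider, and date of birth generalized to an age category at the visit date. The HMAC construction, the key shared between grantee and OPA, the five-year band width, and all function, class and field names are assumptions; the slides do not name an algorithm.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime
from typing import Optional

# Constructed record using the sample-form values shown on the slides.
SAMPLE_RECORD = {
    "facility": "Wellness Now 123 Main Street Muncie, IN 47383",
    "provider_id": "123-456-789-3",
    "date_of_birth": "09/22/1991",
    "visit_date": "01/12/2014",
}


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Facility: deterministic pseudonym via HMAC-SHA256 (assumed technique).

    Whoever holds the key (assumed: grantee and OPA) can recompute the link;
    other data users cannot confirm a guessed facility without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class GranteeLinkTable:
    """Provider: random pseudonyms; the lookup table stays with the grantee."""

    def __init__(self) -> None:
        self._to_token = {}
        self._to_value = {}

    def pseudonym(self, value: str) -> str:
        if value not in self._to_token:
            token = secrets.token_hex(8)
            while token in self._to_value:  # regenerate on the rare collision
                token = secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def resolve(self, token: str) -> Optional[str]:
        """Re-identification is only possible where the table is held."""
        return self._to_value.get(token)


def age_at(dob: date, visit: date) -> int:
    """Completed years of age on the visit date."""
    if visit < dob:
        raise ValueError("visit date precedes date of birth")
    before_birthday = (visit.month, visit.day) < (dob.month, dob.day)
    return visit.year - dob.year - (1 if before_birthday else 0)


def age_category(age: int, width: int = 5) -> str:
    """Generalize an age to a band such as '20-24' (band width is assumed)."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(record: dict, facility_key: bytes, links: GranteeLinkTable) -> dict:
    """Return only the transformed fields; everything else is dropped here."""
    dob = datetime.strptime(record["date_of_birth"], "%m/%d/%Y").date()
    visit = datetime.strptime(record["visit_date"], "%m/%d/%Y").date()
    return {
        "facility_pseudonym": keyed_pseudonym(record["facility"], facility_key),
        "provider_pseudonym": links.pseudonym(record["provider_id"]),
        "age_category": age_category(age_at(dob, visit)),
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed key for the demo run
    print(deidentify(SAMPLE_RECORD, demo_key, GranteeLinkTable()))
```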


Slide 13

Discussion goals

Balance two conflicting perspectives:

Family Planning subject matter expert
• keep as many data elements as possible, as close to the original value as possible
• to fulfill reporting requirements and performance metrics

Security and Privacy subject matter expert
• apply the most restrictive algorithm possible to limit the detail in any given data element
• thereby safeguard the overall data set as much as possible

Discussion Process

Perform at least 2 passes through the entire list of data elements, refining with each pass

The process is going to involve fighting the privacy and security person’s tendency to want to redact everything, and the clinical person’s tendency to want to have the most data possible to base decisions on, and go around and around until everyone is only a little bit uncomfortable.


Slide 14

What to expect

• Webex Conference calls (~2 per month) involve walking through the document together in detail
• Use Webex chat function as a backchannel if you’re unsure about a question, or want to share a link with the group
• 5-20 people on average participate in the call (depending on you!)
• Each call will review up to 5 data elements, their purpose for collecting those elements, and answer a series of detailed questions to identify optimal de-Identification algorithms for each one.
• JUMP IN when the discussion involves data that you have experience with or care about
• Tell us what MAY or MAY NOT work!

A small group of people have already started this and we’ve worked out the parts that are a little tedious such as the structure and logistics, that way when we start the calls next week we can jump right into getting your best feedback. For those who want an advanced look at the document so far, you can find it on the IHE FTP site here: ftp://ftp.ihe.net/IT_Infrastructure/iheitiyr13-2015-2016/Technical_Cmte/Workitems/DeIndentification%20of%20Family%20Planning


Slide 15

Time Commitment

Effort targeted to run March – October 2015

2 ways to participate:

• Track 1: Adviser (March – July 2015). Participate in a 1 – 1.5 hour teleconference discussion about 2 times per month on the purpose and requirements for each family planning data element as well as occasional review of the draft guidance.
• Track 2: Reviewer (March – October 2015). Provide written comments during 2-3 substantive review cycles of the guidance for quality, relevance, and correctness.

Everyone is a local champion!


Slide 16

Where to find stuff

• http://ihe.net/IT_Infrastructure/ for more information on the IHE ITI committee
• http://ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_Handbook_De-Identification_Rev1.1_2014-06-06.pdf on the process and methodology for de-Identification that will be used
• http://ihe.net/uploadedFiles/Documents/QRPH/IHE_QRPH_Suppl_FP.pdf for information on the Family Planning data set that will be de-identified using the handbook linked above


Slide 17

How do I participate

• Email your name to Lauren Corboy at [email protected] by COB MONDAY (March 9, 2015)!
• If you think of other folks who should be participating in your stead, please reach out to them quickly and send them this link to get them involved: https://opahit.sites.usa.gov/2015/02/23/privacy-and-security-for-fpar-2-0-part-2-de-identification-a-request-for-your-help/
• Accept and attend the teleconference invitation
• Orient yourselves with the Family Planning profile and De-Identification Whitepaper
• Email Gila ([email protected]) with IHE questions
• DIVE IN!

We need people who know family planning and have some privacy and security experience in Title X settings to help with either of the two tracks. Please email [email protected] to let us know you’d like to participate!


Slide 18

QUESTIONS?

See notes

Questions posed and OPA’s responses:

Q: Can you please define FPAR and deidentification?
A: FPAR = Family Planning Annual Report http://www.hhs.gov/opa/title-x-family-planning/research-and-data/fp-annual-reports/

Q: Is there a place in this work for people who don’t speak IT?
A: Yes! Absolutely! We will definitely address this question and it is a good one. Thank you!

Q: Could you discuss what the privacy and security issues might be with clinically specific items? Like what services were provided or what tests were done? Are we just concerned about the things usually related to PHI (age, race, location, etc.) or is there more?
A: We talked through an example of how the data could be used to re-identify a patient and how what we’re trying to do will put protections in place to make the possibility of a breach less likely to occur.

Q: Are these committee tracks open to grantees only or could a grantee appoint a sub-recipient staff person as well?
A: All are welcome – folks on the ground working in clinics have vital experience to inform this work.

Q: Is this de-identification end outcome/purpose to be one that is IRON CLAD, even to beat the breach of securities experienced by Banks and Credit Cards???
A: This is complicated and nothing is 100% secure, but this work will put protections in place to make the possibility of a breach less likely to occur following industry standards.

Q: Are these advisors and reviewers going for our regional privacy security protocols or Federal HIPAA security, because state laws are different?
A: Having folks on the committee who are savvy regarding regional or state-level privacy laws would be incredibly helpful. We have many HIPAA experts represented, but realize that there is much variability state to state. Having that input now will help us build a stronger FPAR 2.0.

Q: Can advisors/reviewers join the working group on an ongoing basis or is March 6th the deadline for joining?
A: We have extended the deadline to March 9th, but the meetings are public and open to anyone so folks can join later if needed or just commit to the reviewer track, which is as critical as the biweekly calls.