A Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I

Transcription

1 IT Management Advisory A Privacy Officer s Guide to Providing Enterprise De-Identification Services Ki Consulting has helped several large healthcare organizations to establish de-identification services aligned with privacy regulations and industry best practices. A mature de-identification service, as defined by our De-identification Maturity Model 1, will ensure compliance with privacy legislation, lower privacy risk, and enable organizations efficiently to share high-quality data for secondary purposes. It will also include performance measurement, which allows organizations to evaluate the success of the service in terms of increased efficiency, variety, and volume of data sharing, as well as the research and clinical utility of de-identified data. Based on our experience, we have developed an effective approach to building a mature healthcare deidentification service in three distinct phases: De-Identification Business Architecture Design, Software Tool Selection and Service Rollout. The methodology for each phase embodies a tried and tested approach and aligns with industry best practices. Our strategy ensures that clients reap the benefits of more efficient de-identification processes and software systems, and that these will outweigh the initial investment costs. Phase I: De-Identification Business Architecture Design Business architecture defines the goals, scope, roles, and process for de-identification and lays the groundwork for an efficient, economical, and transparent service. Designing or redesigning business architecture involves locating the de-identification service and its purpose within the organization and defining the basic structures of the service, such as business processes, staffing, reporting, and performance measurement. We have devised a streamlined 4-step approach to designing the business architecture for an effective de-identification service suited to an organization s needs, goals and structure: Phase I 1 Determine Organizational Resources and Needs 2 Determine Organizational Maturity Level 3 Redesign Business Processes & Establish a Measurement Plan 4 Determine De- ID Staffing & Set Reporting Structure Step 1: Determine Organizational Resources and Needs 1 Khaled El Emam and Waël Hassan, The De-identification Maturity Model, Privacy Analytics (2013). Available at under The Ki Approach: De-identification Maturity Model.

2 The first step is to determine how a de-identification service can fulfill organizational needs. In order to do this, we recommend carrying out a needs analysis, which must include clinical and research perspectives. It is also important to understand the existing contracts that the organization has with its data sources and what organizational needs they reflect. By analyzing the defined needs and juxtaposing them across metrics related to the management of scope, cost, time and resources, we can confidently move forward with a plan for a de-identification service that makes sense in the organization s particular context. We recommend that the following parameters be determined during this step: How will the service be funded? Is there sufficient stakeholder interest for it to be viable? How will a vendor or vendors be engaged? Where will the service be physically located? Who will have authority and accountability for it? Who will be responsible for carrying out the work? How does the service align with other projects? How does it integrate with other IT projects? Which standards will the service follow? Are there plans for privacy and security oversight? What will the service s developmental lifecycle be? How will the service contribute to the organization's main services? How will it work within other services? How will it fit into the overall business process? Who needs de-identification? What are the needs of each group of users? What is the business context of de-identification? Who will supply de-identification services? Which vendor(s) will be involved? Who will govern the program? What services will be provided? How will these match the needs of specific client groups? How will the data model be structured? How will data relationships be integrated? What are the existing contracts and how do they affect the requirements for a de-identification service? Step 2: Determine Organizational Maturity Level When working with clients to establish a de-identification service, we consider it important to conduct a maturity assessment of the current state of de-identification practices within the organization. This serves several purposes: it provides an objective evaluation of de-identification practices; it establishes a baseline against which to measure future progress; it provides a means of comparing the practices of different units or departments; and it offers guidance for future development. Our assessment involves conducting interviews, analyzing use patterns, dissecting processes, and looking at current practices for managing privacy-related services, etc. The tool which we use for these assessments is the De-identification Maturity Model, which evaluates an organization s key de-identification practices, their implementation, and the technologies used in the de-identification process. The different levels of each of these three dimensions are described below.

3 Key De-identification Practice Dimension P1 Ad-hoc At this level, an organization does not have any defined practices for de-identification. The methods used, if there are any, are not proven to be rigorous or defensible. Within the organization there tends to be a lot of variability in how data is de-identified, as the type and amount of de-identification applied will depend on the analyst who is performing it, and that analyst s experience and skill. P2 Masking Organizations at this level only implement masking techniques. Masking techniques focus exclusively on direct identifiers such as name, phone number, health plan number, and so on. P3 Heuristics At this level organizations have masking techniques in place, and have started to implement heuristic methods (rules-of-thumb) for protecting indirect identifiers. P4 Risk-based Risk-based de-identification involves the use of empirically validated and peer-reviewed measures to determine acceptable re-identification risk and to demonstrate that the actual risk in the data sets is at or below this acceptable risk level. In addition to measurement, there are specific techniques that take into account the context of the de-identification when deciding on an acceptable risk level. P5 Governance At the highest level of maturity, masking and risk-based de-identification are applied as described in Practice Level 4. However, now there is a governance framework in place, as well as practices to implement it. Governance practices include performing audits of data recipients, monitoring changes in regulations, and having a re-identification response process. The Implementation Dimension I1 - The Initial Level

4 At the Initial level the de-identification practices are performed by an analyst with no documented process, no specific training, and no performance measurements in place. I2 The Repeatable Level At the Repeatable level the organization has basic project management practices and structure in place to manage the de-identification service. Also critical at this level is the involvement of the privacy or compliance office in helping to shape de-identification practices. I3 The Defined Level The Defined level of implementation means that the de-identification process is documented and there is training in it in place. I4 The Measured Level The Measured level of implementation pertains to performance measures of the de-identification process being made and used. Measures can be based on tracking of the data sets that are released and of any data sharing agreements. Note: The levels in the Implementation dimension are cumulative in that it is difficult to implement a higher level without having first implemented a lower level. For example, meaningful performance measures will be difficult to collect without having a defined process. The Automation Dimension A1 Home-grown Automation An organization attempts to develop its own scripts and tools to de-identify data sets. A2 Standard Automation An organization adopts tools that have been used more broadly by multiple organizations and have received scrutiny. These may be publicly available (open source) or commercial tools. Based on the results of the assessment we can establish an organization s de-identification maturity level. For example, an organization that has purchased a data masking tool and implemented it, and has documented the data masking process and its justifications thoroughly, would be scored at P2-I3-A2. We then work with clients to develop an attainable target maturity level for each dimension. Step 3: Redesign Business Processes and Establish a Measurement Plan Once the basic structure of the service is established, the next step is to design its function. In this step, we shift our focus from structure to process. The answers to the following questions can be used first to assess current business processes, and then to envision the business processes of the new service: What is the service delivery model who handles client interactions? What are the business process model and business function model? How are services structured? What is the service process? What roles are involved?

5 How is the performance of the service measured and improved? What are the business rules that is, how much access to data do various clients and administrators have? Ki Consulting Once these questions have been used to assess the current state and to envision the future state of deidentification processes, the gaps between the two states provide the basis for a roadmap for development. The second part of this step, in line with the principles of performance management, is to establish a measurement plan in order to measure the value and maturity of the de-identification service. A measurement plan will usually be based on the three dimensions of the De-Identification Maturity Model. Development along each of the dimensions may be conducted simultaneously or staggered, depending on resources. A key aspect of an effective measurement plan is establishing realistic maturity level targets. We must be careful to establish a target level that is attainable within the chosen timeframe. Going directly from a Level P1 to a Level P4 is not a feasible target; however, aiming to upgrade to a Level 2-3 is. After securing Level 3 maturity, the system can be effectively upgraded to Level 4 and onwards. We help our clients to develop an ambitious, yet realistic plan to ensure that target maturity levels are attained. While organizational maturity levels provide a very useful framework for evaluating the development of the service, we recognize the importance of measuring progress against tangible outcomes. The Implementation dimension of the De-identification Maturity Model includes performance measurement: this will include measures of the volume and efficiency of data sharing, and of the utility of de-identified data from research and clinical perspectives. These measures can provide rapid and concrete feedback as to the value of improved de-identification practices and processes. Step 4: Determine De-identification Service Staffing & Set Reporting Structure In order for a de-identification service to have the authority to enforce best practices and engage staff in implementing changes, the service must be positioned at a senior level within the management hierarchy. Successful de-identification management depends on the authority and effectiveness of two key resources: 1. De-identification Practice Specialist: Provides expertise on tools, techniques, and methodology. The De-identification Practice Specialist is responsible for training staff in new practices by developing FAQs, providing a library of de-identification resources, and offering workshops. He or she also oversees risk management practices, develops de-identification templates for different data sharing scenarios, and creates and interprets risk reports for data releases. 2. De-identification Service Manager: The Service Manager is responsible for understanding the dependencies and relationships between different data recipients, data suppliers, and the service. He or she must have a high level understanding of all current projects and their timelines, milestones and targets in order to realize the collective benefit of the service. He or

6 she will also report on the maturity of de-identification methodology as it is implemented throughout the service. A frequent risk to the overall implementation of a de-identification service and the specific staffing component is staff aversion to culture change. The unfaltering support of upper management is critical to the success of the service. It is the role of the De-identification Practice Specialist and Service Manager to facilitate proper training and maintain employee confidence in the service in order to ensure full acceptance and lasting integration into the organization s practices. Phase II: Software Tool Selection Once the business architecture for an effective de-identification service has been designed, deidentification software can be procured that will meet the service s needs and goals. To choose deidentification software and prepare to implement it, we guide our clients through three overlapping steps: 1. Drafting RFP 2. Assembling a Library of De- Identification Materials 3. Selecting De- Identification Software Step 1: Drafting RFP Ki Consulting assists clients in drafting a request for proposals (RFP) in order to secure a vendor for suitable de-identification software. Drawing on the needs analysis conducted during the first phase, we define what software capabilities are crucial for the success of the service. Based on these needs we draft the requirements of the RFP. Step 2: Assembling a Library of De-Identification Materials Concurrent with Step 1, we will develop a repository of de-identification materials such as data mapping templates, workflow diagrams, toolkits, etc. These documents and templates will form a library of reference that will aid in the adoption and effective use of de-identification software. From prior engagements, we have collected a wealth of documents and templates that can be included in a library of de-identification materials.

7 Step 3: Selecting De-identification Software Following the issuance of the RFP, we work with our clients to evaluate the received proposals and select a preferred vendor. The choice of de-identification software should be governed by its capacity to implement mature de-identification practices: not only masking direct identifiers, but also providing risk metrics to guide the effective de-identification of indirect identifiers. Also key is that the software be easy to use and be perceived as useful by staff. We aim to select a tool that will effectively maximize the value of its implementation and provide the best ROI in terms of cost efficiency by increasing the volume and quality of de-identified data available to clients. Phase III: Service Rollout In order to achieve a successful launch of the de-identification service and to develop effective risk management practices, we recommend implementing new de-identification practices first in a relatively simple data provision context before moving on to more complex environments. A recommended phased service rollout would unfold as follows: Wave 1 Wave 2 Wave 3 Wave 4 One database for one client (e.g., one hospital) Multiple databases for the same client Multiple databases for several clients or for a complex client (e.g., an integrated health network) Online implementation Wave 1: One Database for One Client Beginning by implementing new de-identification processes within a single database for a single client allows staff to become familiar with new processes without the added complexity of interdependencies between databases. Until risk measurement is in place, it is difficult to manage the privacy risks created by clients potentially linking data from different databases, and providing a client with access to multiple databases is not recommended. Wave 2: Multiple Databases for Same Client Once an organization has developed the capability to measure data risk, providing multiple databases to a single client offers an opportunity to learn how to manage data interdependencies within the context of an established contract or agreement. Wave 3: Multiple Databases for Several Clients or for a Complex Client Once the organization is proficient in evaluating data risk and handling interdependencies, the next step is to develop the capacity to measure client risk. This involves creating versatile de-identification templates to be applied to data: that is, the data risk levels of different databases are mapped to a risk

8 classification of client types (e.g., hospitals, researchers, health networks) to determine the specific deidentification techniques that will be applied to data prior to release. At this level, clients patterns of data requests are monitored for performance measurement and risk management purposes. Wave 4: Online Implementation This final wave moves beyond applying templates to calculating risk automatically, allowing for data to be released instantaneously. Clients are granted different levels of data access based on a priori assessments of client risk. When a client requests a dataset, data risk is calculated automatically and mapped to the client access level to determine which de-identification techniques will be applied. Deidentification techniques are then automatically applied and the data is released instantaneously. At this stage, strong risk management, performance management and governance practices are required to ensure compliance with privacy laws and regulations. Summary Our de-identification service development methodology follows a tried and tested approach that we have successfully applied to numerous past clients. Based on our experience in the healthcare sector, we have refined an approach to developing a de-identification service in three clearly structured phases: De-identification Business Architecture Design, Software Tool Selection, and Service Rollout. Each of these phases integrates industry best practices with organizational structures and processes, with a specific aim of designing a service best suited to each organization s context, goals, and culture. This contextualized approach, guided by the concept of de-identification maturity, enables organizations to develop a de-identification service that will ensure compliance with privacy legislation and regulations, lower privacy risk, and increase the volume, efficiency, and utility of data sharing.