Daniel Barth-Jones, Ann Waldo, Claire Manneh, Peter Dumont
Understanding data de-identification and associated safeguards that support compliance with HIPAA and GDPR is an increasingly important part of the requisite knowledge base for privacy and security lawyers and professionals. Having a precise understanding of when data is sufficiently de-identified to be out of scope for a particular privacy law is crucial. This workshop will provide a readily accessible primer for those without statistical or technical backgrounds on de-identification risk analyses and control methods that are used to meet HIPAA de-identification and GDPR pseudonymization and anonymization requirements. Recent progress in the technical ability to link de-identified data sets using cryptographic tokenization and linkage methods without exposing PHI or PII will be addressed. We’ll describe innovative ways in which tokenized linking and de-identification are already being used to generate valuable insights, ranging from COVID-19 follow-up research to studies linking oncology treatments to long-term real-world data, as well as explore potential future benefits. We’ll also explain little-discussed quirks in recent state law, such as the California ban on the re-identification of de-identified health data, and discuss the potential threats to medical research if non-harmonized definitions of de-identification, such as that in the ADPPA, are enacted into law.
Daniel Barth-Jones, Principal Privacy Expert, Privacy Hub by Datavant
Ann Waldo, Principal, Waldo Law Offices
Claire Manneh, Head of Provider Research, Datavant
Peter Dumont, CPO, Optum Labs
Readings: