+ Welcome to IHE ITI De-Identification Guidance for Family - - PDF document

Slide 1

+

Welcome to IHE ITI

De-Identification Guidance for Family Planning

FPAR2.0@hhs.gov

Welcome to today’s webinar on the de-identification guidance OPA is developing for the family planning profile in partnership with Integrating the Healthcare Enterprise. I’m Christina Lachance, Public Health Advisor at the Office of Population Affairs and the staffer who’s been in charge of leading the effort to revise the Family Planning Annual Report since 2012. As you may know, this work is directly connected to OPA’s efforts to revise FPAR to be interoperable with electronic health records systems. This is why privacy and security work is especially important to consider as we move this project

• forward. We are thrilled you could take the time to join us today. We hope this that this

will give you an idea of what to expect from the committee work that we are launching and entice you to partner with us.

Slide 2

+

2

Christina Johanna Lauren Gila

We thought it’d be helpful for you to have a picture of who was talking to you today. Christina Lachance is the public health advisor and Health IT Team Lead for FPAR 2.0. Johanna Goderre is the Senior Health Informatics Advisor and technical lead for the Health IT Team. Lauren Corboy is an ORISE Fellow with the OPA Health IT Team. She manages the team’s social media work, and has been working in the health IT field for about 2.5 years. Gila Pyke is today’s guest star as the co-chair of the IHE ITI technical committee that is leading this effort and is a Privacy and Security consultant working in the Health IT space and helping with the FPAR 2.0 privacy and security roadmap.

Slide 3

+You’re in the right place if you…

 Are invested in helping OPA create the future of FPAR  Want to impact the Family Planning Technical Profile that will

be implementable by any EHR vendor (both in and outside Title X)

 Become the go-to person in your organization for knowing the

nitty-gritty of FPAR 2.0

 Want to be at the table to help OPA make critical decisions

about data elements that might be challenging from a privacy and security perspective

 Care about the privacy and security of data within your

• rganization

3

If any of these statements describe your reason for showing up here today, then you are in the right place! BENEFITS OF PARTICIPATION – become the go to person in your organization for FPAR 2.0, gain hands-on knowledge of the Privacy and Security roadmap and de- Identification methodology and become a champion for privacy and security. IF for some reason there is a challenge with one of these data elements, you will be at the table to help make the decision on what happens with this data in the future

Slide 4

+FPAR 2.0 Privacy and Security Roadmap

http://opahit.sites.usa.gov/

4

Assess Plan Design

Implement

Deploy

Phases Activities

Establish grantee reporting and privacy and security capacity Draft grantee privacy and security governance model

Milestones

Select De- Identification algorithm Hosting System configuration Training and Awareness Identify target information inventory Agreement on Privacy and Security roadmap Perform Conceptual PIA and TRA Conceptual PIA and TRA and risk mitigation plan Design FPAR 2.0 architecture based

• n Conceptual PIA

and TRA and planned safeguards Delta PIA and TRA

• f FPAR 2.0 design

Define Privacy and Security obligations for data sharing agreement Privacy and Security communication and training strategy Delta PIA and TRA on physical architecture, including vulnerability assessment (VA) Signed NGA and DSA components Updated configurations post- VA acceptance Communication and training strategy User provisioning Other activities as defined by updated PIA and TRA mitigation plans Maintenance strategy approved Go-Live! First reports collected Program performance plans established Identify target data flows Identify target provider and system actors Identify target privacy and security requirements per actor Updated P+S Roadmap and requirements Identify de- identification requirements and

• ptions

FPAR 2.0 privacy and security risk mitigation plan update Approved DSA integrated into NGA Privacy and Security questions incorporated into FPAR 2.0 feasibility questionnaire Privacy and Security plan reviewed by legal counsel Create detailed program instructions and supporting toolkit Privacy and Security capacity improvement

Just a reminder that the privacy and security roadmap has been discussed in 2 blog posts and there is more information on the blog here: http://opahit.sites.usa.gov/2015/02/17/privacy-and-security-for-fpar-2-0/ This lays out what we need to accomplish to ensure that all the privacy and security building blocks are in place to enable the benefits of complex data sharing among the diverse stakeholders in the FPAR 2.0 community. Privacy and Security safeguards at the administrative, technical and physical levels are all needed to reduce the risk of potential harm to our clients. We want to do everything we can to reduce the potential for the breaches or misuse of data that you hear so much about in the news

• nowadays. There are a lot of steps involved!

Slide 5

+How this work relates to FPAR 2.0

 The data elements in the FP Profile will satisfy the FPAR 2.0

reporting requirements and feed QFP-related performance measures

 Enable us to return clinically relevant metrics back to the network  Vision: Promote the adoption of these metrics outside of Title X

0% 10% 20% 30% 40% 50% 60% 70%

2010 2014 2010 2014 2010 2014 2010 2014

My performance My site My network National  Protecting client privacy is a cornerstone of the success of FPAR 2.0 5

This shows the long term goal of FPAR 2.0 – giving everyone back metrics that are clinically-relevant and interpretable at all levels of the Title X network. We are also working in collaboration with measure endorsement organizations, like NQF, to have some of our FPAR 2.0 measures adopted for use beyond Title X in any setting where family planning care is delivered.

Slide 6

+Today’s Objectives

By the end of this orientation, you will be able to:

 Communicate to your peers about IHE and the IHE

ITI De-Identification for Family Planning effort

 Participate actively in teleconference discussions to

select de-identification guidance for Family Planning data

 Find the resources and information you need to

participate in this effort

6

People describe first 6 months of standards work as drinking through a fire hose. The purpose of this webinar is to try to ease that a little and give you enough information to help you understand what to expect, how to participate, and where to find the info that you need or know who to ask question to. EVERYONE IS WELCOME TO PARTICIPATE!

Slide 7

+What is IHE ITI

http://www.ihe.net

 IHE International is an initiative by healthcare professionals

and industry to improve the way computer systems in healthcare share information.

 IHE is composed of 12 domains, responsible for the

development and maintenance of IHE Technical Frameworks.

7

Anatomic Pathology Cardiology Dental Eye Care IT Infrastructure Laboratory Patient Care Coordination Patient Care Devices Pharmacy Quality, Research and Public Health Radiation Oncology Radiology

IHE promotes the coordinated use of established standards to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively. IHE is a public collaboration – anyone can participate and lend their expertise. The domains most relevant for the work OPA is doing with the family planning profile are QRPH and ITI ITI is the committee responsible for defining INTEROPERABILITY, including how to transmit data between systems, as well as the privacy and security components of ensuring trust and safety of sensitive data

Slide 8

+What is De-Identification for Family Planning

 IHE Family Planning (FP) profile published in 2014 references

use of highly sensitive data elements

 FP data elements are needed for clinical purposes, but we

want to use a less identifiable set of data for reporting and

• ther purposes

 Privacy principles, and various regulations require that

sensitive data be treated according to several principles, including a minimization principle that requires that only the minimum necessary data needed for the purpose at hand be

• used. This can be achieved through de-identification of the

Family Planning data set. The purpose of developing De-Identification Guidance for Family Planning effort is to determine the optimal methods and algorithms that should be used for the FP data set.

8

Last year, the IHE Family Planning profile referenced the use of sensitive data elements that any type of provider or health system might need to calculate important reproductive health performance

• measures. The profile was written to be widely applicable to different healthcare settings. Title X

reporting, however, would not need that much detail. In order to protect information about family planning clients, we can propose methods to remove individually identifiable information in an encounter-level

• report. In other words, we can reduce the risk that someone could figure out the true identity of a client

using that report before sending it to the future FPAR 2.0 repository. This process is commonly called de- identification. HIPAA requires clinical services providers to protect sensitive information documented during a typical family planning healthcare visit in several ways. For example, you need to keep it safe in transit (i.e. you should digitally encrypt an electronic form before sending it to someone else or you should place a paper form in a sealed envelope and mail it through a bonded courier). Additionally, if something goes wrong, you should have a method for documenting and investigating what happened so you can prevent it in the future (i.e., an audit trail). HIPAA also stipulates that covered entities should use methods to ensure that

• nly the right people have access to sensitive information (e.g., staff who possess the proper credentials

and training, and have “a need to know”, called access controls). Even with all these safeguards in place, however, sharing sensitive information from a family planning visit may still pose a risk to the client. OPA is therefore committed to providing guidance to ensure that FPAR 2.0 data are as fully protected as possible. A key element of Privacy Design, and a concept that the HIPAA privacy rule calls the “Minimum Necessary Requirement,” is to limit the information that you share to only that which is strictly necessary. This is often done either by removing elements that are not strictly necessary for the recipient to be able to use the data (for the purpose for which the data was shared), or by finding other methods to de-identify the data. This way, even if the information was intercepted, broken into, and decrypted, the ability to identify the client would be minimal. Since not all client-level information collected in the course of a family planning visit is necessary for FPAR 2.0 reporting or performance measure purposes, there is great opportunity to reduce risk through the application of simple but effective de-identification techniques.

Slide 9

Facility Provider Wellness Now 123 Main Street Muncie, IN 47383 Carrie Provider, NP 123-456-789-3 Patient Identifier & Name Sex Date of Birth HYY - 14 - 771

• Female

09/22/1991 Ginny Testcase ⃝ Male Ethnicity Race (check all that apply)

• Hispanic or Latina/o

☐ American Indian /

Alaska Native

☐ Native Hawaiian or

Other Pacific Islander ⃝ Not Hispanic or Latina/o

☐ Asian

▪ White

☐ Black / African American

Annual Household Income Insurance Coverage $ 42 , 786 ⃝ No insurance ⃝ Veteran/military Household Size ⃝ Medicaid ⃝ Other public 2

• Self-pay

⃝ Private/group Limited Language Proficiency (English) Visit Date ⃝ Medicare ⃝ Yes 01/12/2014 ⃝ CHIP

• No

Height Blood Pressure Smoking Status 180.73 ● cm Systolic ⃝ Never ⃝ Smoker, unknown current 140

• Former smoker

⃝ Unknown if ever smoked Weight Diastolic ⃝ Current every day ⃝ Heavy 95.2 ● kg 106 ⃝ Current some day ⃝ Light 9

This is an example of how identifiers in our sample FPAR 2.0 form could be masked or de-identified. See the following slides.

Slide 10

Facility Provider Wellness Now 123 Main Street Muncie, IN 47383 Carrie Provider, NP 123-456-789-3 Patient Identifier & Name Sex Date of Birth HYY - 14 - 771

• Female

09/22/1991 Ginny Testcase ⃝ Male Ethnicity Race (check all that apply)

• Hispanic or Latina/o

☐ American Indian /

Alaska Native

☐ Native Hawaiian or

Other Pacific Islander ⃝ Not Hispanic or Latina/o

☐ Asian

▪ White

☐ Black / African American

Annual Household Income Insurance Coverage $ 42 , 786 ⃝ No insurance ⃝ Veteran/military Household Size ⃝ Medicaid ⃝ Other public 2

• Self-pay

⃝ Private/group Limited Language Proficiency (English) Visit Date ⃝ Medicare ⃝ Yes 01/12/2014 ⃝ CHIP

• No

Height Blood Pressure Smoking Status 180.73 ● cm Systolic ⃝ Never ⃝ Smoker, unknown current 140

• Former smoker

⃝ Unknown if ever smoked Weight Diastolic ⃝ Current every day ⃝ Heavy 95.2 ● kg 106 ⃝ Current some day ⃝ Light Anonymized ID, grantee & OPA know link 10

The facility identifier can be extremely identifying of an individual patient, but is also very necessary for longitudinal studies. For de-Identification purposes, we know we can’t delete it so the best path forward would be to find a way to replace the identifier with a number that is only known to the grantee and perhaps OPA but is otherwise undiscoverable to other users of the data.

Slide 11

Facility Provider Wellness Now 123 Main Street Muncie, IN 47383 Carrie Provider, NP 123-456-789-3 Patient Identifier & Name Sex Date of Birth HYY - 14 - 771

• Female

09/22/1991 Ginny Testcase ⃝ Male Ethnicity Race (check all that apply)

• Hispanic or Latina/o

☐ American Indian /

Alaska Native

☐ Native Hawaiian or

Other Pacific Islander ⃝ Not Hispanic or Latina/o

☐ Asian

▪ White

☐ Black / African American

Annual Household Income Insurance Coverage $ 42 , 786 ⃝ No insurance ⃝ Veteran/military Household Size ⃝ Medicaid ⃝ Other public 2

• Self-pay

⃝ Private/group Limited Language Proficiency (English) Visit Date ⃝ Medicare ⃝ Yes 01/12/2014 ⃝ CHIP

• No

Height Blood Pressure Smoking Status 180.73 ● cm Systolic ⃝ Never ⃝ Smoker, unknown current 140

• Former smoker

⃝ Unknown if ever smoked Weight Diastolic ⃝ Current every day ⃝ Heavy 95.2 ● kg 106 ⃝ Current some day ⃝ Light Anonymized ID, grantee holds link Anonymized ID, grantee & OPA know link 11

Similarly, the provider ID is extremely identifying, but may be valuable for longitudinal

• studies. In this case, it may be best for the facility or grantee to replace the ID with a

random value before sharing it externally or with OPA.

Slide 12

Facility Provider Wellness Now 123 Main Street Muncie, IN 47383 Carrie Provider, NP 123-456-789-3 Patient Identifier & Name Sex Date of Birth HYY - 14 - 771

• Female

09/22/1991 Ginny Testcase ⃝ Male Ethnicity Race (check all that apply)

• Hispanic or Latina/o

☐ American Indian /

Alaska Native

☐ Native Hawaiian or

Other Pacific Islander ⃝ Not Hispanic or Latina/o

☐ Asian

▪ White

☐ Black / African American

Annual Household Income Insurance Coverage $ 42 , 786 ⃝ No insurance ⃝ Veteran/military Household Size ⃝ Medicaid ⃝ Other public 2

• Self-pay

⃝ Private/group Limited Language Proficiency (English) Visit Date ⃝ Medicare ⃝ Yes 01/12/2014 ⃝ CHIP

• No

Height Blood Pressure Smoking Status 180.73 ● cm Systolic ⃝ Never ⃝ Smoker, unknown current 140

• Former smoker

⃝ Unknown if ever smoked Weight Diastolic ⃝ Current every day ⃝ Heavy 95.2 ● kg 106 ⃝ Current some day ⃝ Light Anonymized ID, grantee holds link Calculate age at visit date, report in age category 20-24 Anonymized ID, grantee & OPA know link 12

Birthdates are very unique to the individual, and that level of detail may not be needed for research purposes. Generalizing the actual birthday to the age, or even to the age within a range/category may be sufficient for the purposes at hand and will be far less identifying of an individual.

Slide 13

+Discussion goals

Balance two conflicting perspectives:

Discussion Process

 Perform at least 2 passes through the entire list of data elements,

refining with each pass Family Planning subject matter expert

• keep as many data elements as

possible–as close to the

• riginal value as possible
• to fulfill reporting requirements

and performance metrics Security and Privacy subject matter expert

• apply the most restrictive

algorithm possible to limit the detail in any given data element

• thereby safeguard the overall

data set as much as possible

13

The process is going to involve fighting the privacy and security person’s tendency to want to redact everything, and the clinical person’s tendency to want to have the most data possible to base decisions on, and go around and around until everyone is only a little bit uncomfortable.

Slide 14

+What to expect

 Webex Conference calls (~2 per month) involve walking

through the document together in detail

 Use Webex chat function as a backchannel if you’re unsure

about a question, or want to share a link with the group

 5-20 people on average participate in the call (depending on

you!)

 Each call will review up to 5 data elements, their purpose for

collecting those elements, and answer a series of detailed questions to identify optimal de-Identification algorithms for each one.

 JUMP IN when the discussion involves data that you have

experience with or care about

 Tell us what MAY or MAY NOT work! 14

A small group of people have already started this and we’ve worked out the parts that are a little tedious such as the structure and logistics, that way when we start the calls next week we can jump right into getting your best feedback. For those who want an advanced look at the document so far, you can find it on the IHE FTP site here: ftp://ftp.ihe.net/IT_Infrastructure/iheitiyr13-2015- 2016/Technical_Cmte/Workitems/DeIndentification%20of%20Family%20Planning

Slide 15

+Time Commitment

Effort targeted to run March – October 2015 2 ways to participate:

 Track 1: Adviser (March – July 2015)

Participate in a 1 – 1.5 hour teleconference discussion about 2 times per month on the purpose and requirements for each family planning data element as well as occasional review of the draft guidance.

 Track 2: Reviewer (March – October 2015)

Provide written comments during 2-3 substantive review cycles of the guidance for quality, relevance, and correctness.

Everyone is a local champion!

15

Slide 16

+Where to find stuff

 http://ihe.net/IT_Infrastructure/ for more information on the IHE

ITI committee

 http://ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_Handbook_

De-Identification_Rev1.1_2014-06-06.pdf on the process and methodology for de-Identification that will be used

 http://ihe.net/uploadedFiles/Documents/QRPH/IHE_QRPH_Su

ppl_FP.pdf for information on the Family Planning data set that will be de-identified using the handbook linked above

16

Slide 17

+How do I participate

 Email your name to Lauren Corboy at FPAR2.0@hhs.gov by

COB MONDAY (March 9,2015)!

 If you think of other folks who should be participating in your

stead, please reach out to them quickly and send them this link to get them involved: https://opahit.sites.usa.gov/2015/02/23/privacy-and-security-for- fpar-2-0-part-2-de-identification-a-request-for-your-help/

 Accept and attend the teleconference invitation  Orient yourselves with the Family Planning profile and De-

Identification Whitepaper

 Email Gila (gila@cogna.ca) with IHE questions

DIVE IN!

17

We need people who know family planning and have some privacy and security experience in Title X settings to help with either of the two tracks. Please email FPAR2.0@hhs.gov to let us know you’d like to participate!

Slide 18

+QUESTIONS

?

See notes

18

Questions posed and OPA’s responses: Q: Can you please define FPAR and deidentification

• A. FPAR = Familiy Planning Annual Report http://www.hhs.gov/opa/title-x-family-

planning/research-and-data/fp-annual-reports/ Q: Is there a place in this work for people who don;t speak IT?

• A. Yes! Absolutely! We will definitely address this question and it is a good one. Thank

you! Q: Could you discuss what the privacy and security issues might be with clinically specific items? Like what services were provided or what tests were done? Are we just concerned about the things usually related to PHI (age, race, location,etc.) or is there more? A: We talked through an example of how the data could be used to re-identify a patient and how what we’re trying to do will put protections in place to make the possibility of a breach less likely to occur. Q: Are these committee tracks open to grantees only or could a grantee appoint a sub- recipient staff person as well? A: All are welcome – folks on the ground working in clinics have vital experience to inform this work.

Q: Is this de-identification end outcome/purpose to be one that is IRON CLAD, even to beat the breach of securities experienced by Banks and Credit Cards??? A: This is complicated and nothing is 100% secure, but this work will put protections in place to make the possibility of a breach less likely to occur following industry standards. Q: Are these advisor and reviewers going for our regional privacy security protocols or Federal HIPAA security, because state laws are different? A: Having folks on the committee who are savvy regarding regional or state-level privacy laws would be incredibly helpful. We have many HIPAA experts represented, but realize that there is much variability state to state. Having that input now will help us build a stronger FPAR 2.0. Q: Can advisors/reviewers join the working group on an ongoing basis or is march 6th the deadline for joining? A: We have extended the deadline to March 9th, but the meetings are public and open to anyone so folks can join later if needed or just commit to the reviewer track, which is as critical as the biweekly calls.