July 2019 –The Massachusetts Center for Health Information and Analysis (CHIA) selected Onpoint as the consultant and data management contractor for their recent de-identification of protected health information (PHI) project, which was undertaken to ensure continued, comprehensive access to the state’s all-payer claims database (APCD) while ensuring that privacy safeguards are effectively addressed.
Onpoint collaborated with Bradley Malin, PhD, Professor of Biomedical Informatics and Vice Chair for Research Affairs at Vanderbilt University, to develop a PHI de-identification model to meet CHIA’s needs. Dr. Malin provided the statistical methodology and expertise necessary to certify that the data was not individually identifiable. The Massachusetts APCD, which includes data from commercial payers, third-party administrators, Medicaid, and Medicare, is used by providers, payers, researchers, and consumers to achieve a variety of healthcare improvement and research goals. CHIA, the steward of the MA APCD, selected Onpoint and Dr. Malin to create a model that meets HIPAA compliant de-identification standards while still providing an accurate, robust, and useful data set for MA APCD users.
The project team carefully assessed data fields in terms of their identifiability and followed an iterative process of risk analysis that balanced the need for a data model that successfully retained the most relevant fields while achieving an acceptable level of risk. The de-identification model developed by the Onpoint team in close collaboration with CHIA is a HIPAA-compliant alternative to the more widely used Safe Harbor method of de-identification. This Expert Determination approach masks data only if it is determined that releasing such information while retaining other identifiers, on a per-patient basis, introduces a threshold of risk that the information could potentially be linked to an individual by the anticipated data recipient(s).
The resulting MA APCD data set meets the requirements of the de-identification standard set forth in the HIPAA Privacy Rule, demonstrating the ability of an APCD program to successfully balance data sensitivity and patient privacy with the need to deliver a functional and useful robust data set to end users.