Title: MA Approach to Confidential Data Release Balancing Need for Data with Privacy
1 MA Approach to Confidential Data Release
Balancing Need for Data with Privacy
- Assessment Initiative/NAPHSIS Conference
- September 28, 2004
- Jim Ballin, JD, MPH
- Bruce B. Cohen, Ph.D.
- Massachusetts Department of Public Health
2 Presentation Goals
- Provide overview for MA Confidentiality Policy
and Procedures
- Discuss Procedure 6 on research
- Describe the process in MA for access to
confidential data for research
3 MA Confidentiality Policy and Procedures
- Serves as confidentiality policy required by
HIPAA for covered components of DPH
- Satisfies requirements under the MA Fair
Information Practices Act (FIPA)
- Documents DPH's longstanding practices related to
ensuring confidentiality of records
- Confidential Information encompasses protected
health information (HIPAA) and personal data
(FIPA)
4 Overview of MA Confidentiality Policy and
Procedures
- Table of Contents
- Confidentiality Policy
- Glossary
- Administrative Requirements
- Sanctions for Breach of Confidentiality
- Use and Disclosure of Confidential Information
- Authorizations for the Use and Disclosure of
Confidential Information
- Responding to Subpoenas
- Research Requirements
- De-Identification, Limited Data Sets, and
Aggregate Data
5 Overview of MA Confidentiality Policy and
Procedures (cont.)
- Public Records Release Standards for Documents
Containing Medical Information
- Verification of Individuals or Entities
Requesting Disclosure of Confidential
Information
- Security of Confidential Information
- Individual Rights Related to Confidential
Information
- Accounting of Disclosures
- Complaints Regarding the Use and Disclosure of
Confidential Information
- Notice of Privacy Practices (Covered Entity
only)
- Business Associate Agreement (Covered Entity
only)
- Designated Record Set (Covered Entity only)
6 Procedure 6 on Research
- Defines research vs. public health practice
- Specifies requirements for Commissioner approval
under state law (MGL c. 111, § 24A)
- Discusses application requirements, review
criteria, review process, and approval
conditions
- Outlines requirements for Institutional Review
Board (IRB) review
- Discusses requirements under HIPAA for research
involving data from covered entities
7 Types of Data Requests
- Internal (MA DPH) and external requests for
confidential data for research
- Individual record data, aggregate data without
cell size suppression, and aggregate data with
cell size suppression
- Records relating to births, deaths, fetal deaths,
cancer, birth defects, substance abuse, lead
poisoning, and others
8 Research Authorized by Commissioner of Public
Health
- Massachusetts law (M.G.L. c. 111, § 24A) permits
the Commissioner of Public Health to authorize a
researcher to conduct a study that will
contribute to the reduction of morbidity and
mortality in MA
- Approval from the Commissioner provides three
types of protection:
- 1. All information collected as part of the
approved study shall be confidential (i.e.,
exempt from release under the public
records law)
9 Research Authorized by Commissioner of Public
Health (cont.)
- 2. Persons or institutions that provide
information to an approved researcher cannot be
held liable for damages for the release of
information and
- 3. The information provided to an approved
researcher is not admissible as evidence in any
legal proceeding
10 Criteria for Commissioner Approval
- MDPH has established minimum criteria for
approval of studies or research
- In general, studies must
- Lead to results that may reduce morbidity or
mortality in MA (statutory language)
- Have sufficient scientific basis to yield
meaningful results and
- Demonstrate adequate confidentiality and security
measures to ensure protection of the data.
11 Requirement for RaDAR Review
- Research and Data Access Review (RaDAR) Committee
review is required for
- Research by MDPH staff/agents and
- Research involving access to confidential MDPH
data.
12 RaDAR Committee
- Centralized process for reviewing and approving
applications
- RaDAR Coordinator
- RaDAR Committee: 12-15 members including RaDAR
Chair, representatives from each Bureau, and
Legal, Policy and IRB
- Expertise in epidemiology, statistics, program
area (e.g., substance abuse, environmental
health), etc.
- RaDAR Committee reviews applications and makes
recommendations to the Commissioner whether to
approve or deny request for confidential data
- RaDAR Committee generally meets monthly
13 RaDAR Review Process for External Applicants
- Process begins with researcher calling or writing
with request for data
- RaDAR Coordinator assesses request to determine
whether it is a request for confidential data for
research
- If not, data may be available by other means
(e.g., publicly available on MassCHIP, available
as de-identified data or a limited data set)
- If request is for confidential data for research,
RaDAR Coordinator e-mails researcher the
appropriate standardized application depending on
type of data requested
- Researcher completes standardized application and
e-mails or mails back
14 Application Questions
- Purposes
- Public health importance
- Project description (hypotheses, study design,
study groups, data collection methods, analytic
plan)
- Subject contact
- Security and storage procedures
- Individuals with data access
- Informed consent
- IRB reviews
- Blood, urine, tissue samples
- Data sources and data sets
- Follow-up with data subjects or data sources
- Linkage of individual records
- Data years
- Data format
- Data items and values
- Justifications for data items
- Planned publications
15 RaDAR Review Process for External Applicants
(cont.)
- Primary reviewer from RaDAR Committee assigned to
each application to conduct preliminary review to
assess completeness
- Primary reviewer corresponds directly with
researcher to request clarifications, revisions,
or submission of missing information
- Application must be complete and include all
contact procedures, contact and consent forms,
survey instruments, IRB approvals, requested
variables with justification for each, and
resumes of researchers
16 RaDAR Review Process for External Applicants
(cont.)
- Completed application is then put on next RaDAR
meeting agenda
- Committee reviews application and decides whether
to recommend to Commissioner to approve, approve
with special conditions, postpone decision until
further information is obtained, or deny
application
17 Approval Conditions
- If RaDAR Committee recommends approval, RaDAR
Coordinator prepares Commissioner approval letter
containing standard and any special conditions
- Standard conditions address
- Compulsory legal process
- Limitations on data use
- Confidentiality
- Authorized data users
- Data destruction
- Publication review
- Annual renewal
18 Final Approval
- Final approval letter is then reviewed and
approved by RaDAR Chair, Legal Office, and Policy
Office
- After these approvals, the letter is signed by
the Commissioner and sent to the applicant along
with a Pledge of Confidentiality for all
co-researchers to sign
- Principal Investigator is required to sign
approval agreeing to all conditions and then
return to MDPH with signed Pledges of
Confidentiality before receiving data
19 IRB Review
- MDPH has a federally approved IRB
- Under the terms of MDPH's IRB approval (its
Federal-Wide Assurance), the MDPH voluntarily
adopts compliance with the Common Rule for all
research conducted by MDPH staff and agents
20 Requirement for MDPH IRB Review
- MDPH IRB review is generally required for
- Research conducted by MDPH staff/agents and
- Research involving MDPH data and moderate to high
risk to human subjects (e.g., studies involving
contact with subjects, biological sampling,
etc.)
21 Impact of HIPAA on Research
- HIPAA did not significantly change review or
approval process for research at MDPH
- MDPH is a hybrid entity under HIPAA, but parts of
MDPH that maintain confidential data requested
for research are not covered components
- MDPH voluntarily adopted many of the HIPAA
standards for research
22 Ongoing Issues and Challenges
- Resources: RaDAR members and coordinator have
other responsibilities
- Time frame: Process can take about 3 months to a
year (or longer) depending on application
- Re-release of data to secondary researchers
- Destruction of data provided and linked data
sets
- Contact procedures: Existing policy involves
passive physician consent. New policy may
require initial contact be provided by MDPH
vendor and passive consent from data subject be
obtained before MDPH releases contact information
to researchers. Researcher would be required to
pay for vendor's costs in providing initial
contact.
23 Conclusion
- MDPH has developed comprehensive, written
procedures detailing the process for releasing
confidential data to researchers
- MDPH is committed to providing confidential data
to facilitate important public health research
while taking appropriate precautions to protect
the privacy rights of data subjects
24 - Guidelines for the release of de-identified
individual level and aggregate statistical data
- Massachusetts Department of Public Health
Confidentiality Policy and Procedures, Procedure
7
25 Topics for today's discussion...
- Background and purpose of Procedure 7
- Individual de-identified data release: covered
and non-covered components
- Aggregate data release for research: non-covered
components
- issues
- historical health department approaches
- alternatives
- the MATRIX
- procedure 7
26 Procedure 7: purpose and scope
- This procedure specifies standards under which
individual-level or aggregate data can be
disclosed if information that can identify a
person has been removed or restricted to a
limited data set. This procedure applies to both
covered and non-covered components of the
Department
- Bureaus retain the discretion not to release data
that they believe risks identification of the data
subject.
- Aggregate data release standards may vary among
Bureaus and the discretion not to release any
particular aggregate data remains with the
individual Bureau
- This procedure does not apply to disclosures of
unrestricted, identifiable vital record
information in accordance with applicable laws.
27 Standards for Disclosure of Individual-Level
De-Identified Data
- Individual level data can be disclosed if
- meets de-identification standard or
- released as limited data set
- De-identification standard
- qualified statistician in Bureau reviews and
approves release and approved by MDPH Privacy
Office, or
- adheres to HIPAA safe harbor data element
standards
- Limited data set standard
- certain identifiers must be removed
- permitted uses and limitations require signed
agreement
- approval subject to RaDAR review
- model MDPH agreement given
28 Standards for Disclosure of Aggregate Data
- For covered components
- qualified statistician approval
- safe harbor
- For non-covered components
- any method approved for covered components
- numerator/denominator suppression: the MATRIX
- numerator based suppression complementary
cells
- other Bureau standard that is at least as
restrictive as the above, explicitly documented
by Bureau, and approved by Privacy Officer
- Discretion and judgment based on sensitivity
always!
29 What is the general context for MDPH's aggregate
data release policy?
- demand for small area data
- expanded access via electronic data release
- need for more consistent approach
- sensitivity to confidentiality of government data
and other concerns about privacy
- statutory responsibilities: HIPAA
30 What are the specific issues for states' release
policies?
- How can we meet growing needs for small area
aggregate data while protecting confidentiality?
- Does releasing data affect our ability to collect
data?
- What assumptions can we make about additional
information that might identify individuals in
cells with small numbers?
- What are the legal requirements and
interpretations of state and federal laws?
- Should rules differ for hard copy and electronic
release?
31 What has been historical practice?
- Informal/inconsistent: whoever answers the
telephone makes the rule
- Numerator based rules commonly,
- Denominator based rules
- Geographic based rules
- Judgment based on content/sensitivity
- Statutory constraints and obligations
32 Examples of historical rules in Massachusetts
- Data set | Num, denom, geo | Level
- Cancer incidence | Num | 1-4
- BRFSS | Num | 50 in cell/margin
- Hospital discharge | Num | 1-6
- Mortality | None |
- Births | Mixed | 1-4
- STDs | Geog | 1-4
- Substance abuse MIS | Num | 1-9
33 Proposed MDPH rule, the MATRIX: criteria
discussed
- Protects confidentiality of individuals
- Simple and clear
- Electronically implementable
- Flexible but consistent
34 The Matrix approach
- Numerator AND denominator considered
- Cascading, iterative approach
- Numerator of preceding level of cross
classification becomes the denominator of next
detailed level to be considered for release of
data in that cell...
35 MATRIX definitions
- For counts of health events (cases, diagnoses,
births, discharges, etc.), the denominator is
defined as the number of people with certain age,
sex, and race-ethnicity characteristics who live
in a particular place, are clients of a
particular program, or patients in a particular
facility.
36 Matrix definitions
- For additional cross-classifications, the
denominator is defined as the number of events or
the numerator for the preceding
cross-classification or the population.
- Numerator is the number of events (cases, births,
discharges, diagnoses, clients) being considered
for release
37 Proposed MDPH rule: the Matrix
- DENOM (D) NUMER (N) POLICY
-
- 29 Any value
- 10-29 0 or D-N 4 Release
- 10-29 0
- N,where D9 D, where N9 Review for release
-
- and complementary cells that allow for
calculation of numerator
38 Example: birth data request
- How many teen mothers received adequate PNC and
were covered by public insurance, by race, in
Town X?
- Step 1: teen births by race in Town X
- Step 2: teen births by race receiving adequate
prenatal care in Town X
- Step 3: insurance source for teen births by race
receiving adequate prenatal care in Town X
39-42 Birth example step 1: teen mothers by race in
Town X
43-46 Birth example step 2: teen mothers receiving
adequate PNC by race in Town X
47-48 Birth example step 3: payer source for teen
mothers receiving adequate PNC by race in Town X
49 The Matrix
- DENOM (D) NUMER (N) POLICY
-
- 29 Any value
- 10-29 0 or D-N 4 Release
- 10-29 0
- N,where D9 D, where N9 Review for release
-
- and complementary cells that allow for
calculation of numerator
50 Alternative: Numerator and Population Denominator
Rule (Missouri Approach)
- Numerator and Population Denominator Rule
- Data are not reported if the population is less
than a certain size and the number of events in a
cell is less than a certain size
- Assumption 1: There is a limited number of
persons with the same characteristics in a small
population where a table cell is small
- Assumption 2: It is unlikely one can identify
the diagnosis of a person if there are at least
10 other persons that had the same demographic
characteristics and had the same event (death,
birth, hospitalization, etc.)
51 Missouri Numerator and Event Denominator Rule
- Numerator and Event Denominator Rule
- A table is not reported if a table cell
subtracted from the number of total events of the
same data file for the same characteristics
yields a small number (less than 10)
52 Summary: how does Procedure 7 work?
- Purpose: standards for release of individual
level and aggregate data
- 1. Standards for individual level
release: blessed by qualified statistician,
safe harbor, or limited data set, or Procedure 6
for research
- 2. Standards for aggregate release
- a. for covered components: blessed by
statistician or safe harbor
- b. for non-covered components: most commonly
asked questions for data
53 Standards for aggregate release for non-covered
components...
- 1. The Matrix: numerator/denominator
suppression
- 2. Numerator based cell suppression: typically
1-4 and any cell that would allow for calculation
of other cells with values 1-4
- 3. Alternative approved approaches that are at
least as restrictive
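
An added example (not part of the original slides) of option 2 above: withhold cells with counts 1-4, then withhold complementary cells until no row or column has a single withheld cell that could be recovered from its total. It assumes row and column totals are published with the table; choosing the smallest nonzero visible cell as the complement is an assumption, and the table values are constructed.

```python
LOW, HIGH = 1, 4  # primary suppression range from the slide ("typically 1-4")

def _lines(n_rows, n_cols):
    """Every row and every column as lists of (row, col) coordinates."""
    rows = [[(r, c) for c in range(n_cols)] for r in range(n_rows)]
    cols = [[(r, c) for r in range(n_rows)] for c in range(n_cols)]
    return rows + cols

def primary_only(table):
    """Withhold only the small cells; None marks a withheld cell."""
    return [[None if LOW <= v <= HIGH else v for v in row] for row in table]

def leaking_lines(published):
    """Rows/columns with exactly one withheld cell: the published total minus
    the visible cells gives the withheld count back."""
    return [line for line in _lines(len(published), len(published[0]))
            if sum(published[r][c] is None for r, c in line) == 1]

def suppress(table):
    """Primary suppression, then complementary suppression to a fixpoint."""
    published = primary_only(table)
    while True:
        leaks = leaking_lines(published)
        if not leaks:
            return published
        for line in leaks:
            # An earlier pick in this pass may already have covered this line.
            if sum(published[r][c] is None for r, c in line) != 1:
                continue
            visible = [(r, c) for r, c in line if published[r][c] is not None]
            if not visible:
                raise ValueError("a one-cell line equals its published total")
            # Assumed heuristic: give up the smallest nonzero count first.
            r, c = min(visible, key=lambda rc: (table[rc[0]][rc[1]] == 0,
                                                table[rc[0]][rc[1]]))
            published[r][c] = None

# Constructed sample: rows are groups, columns are categories.
SAMPLE = [
    [12,  3, 20],
    [ 9,  8, 30],
    [15, 11, 25],
]

if __name__ == "__main__":
    print("primary only :", primary_only(SAMPLE))
    print("leaking lines:", leaking_lines(primary_only(SAMPLE)))
    print("released     :", suppress(SAMPLE))
```

The check only rules out recovery by a single subtraction from a published total; the sum of the withheld cells in each row or column is still derivable, which is why the slides keep discretion and judgment on top of any rule.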
54 Conclusions for aggregate data release
- State health departments should be developing
guidelines/standards for release of aggregate
data, particularly for general information
release in non-covered components of health
departments
- Criteria for release should be explicit and
consistent across data sets
- Rules need to be flexible: purpose of data
collection may necessitate using different rules
- MDPH has developed a set of options to meet the
needs of different programs and requires explicit
selection by Bureau of its standard
55 Contact Information
- Jim Ballin
- Deputy General Counsel, Department of Public
Health
- 250 Washington Street, 2nd Floor, Boston, MA
02108
- 617-624-5220, 617-624-5234 (fax),
james.ballin_at_state.ma.us
- Bruce Cohen
- Co-director, Center for Health Information and
Statistics, MDPH
- 2 Boylston St, 6th floor, Boston, MA 02116
- 617-988-3388, 617-988-3280 (fax)
bruce.cohen_at_state.ma.us