MA Approach to Confidential Data Release Balancing Need for Data with Privacy

1
MA Approach to Confidential Data Release
Balancing Need for Data with Privacy

• Assessment Initiative/NAPHSIS Conference
• September 28, 2004
• Jim Ballin, JD, MPH
• Bruce B. Cohen, Ph.D.
• Massachusetts Department of Public Health

2
Presentation Goals

• Provide overview for MA Confidentiality Policy
  and Procedures
  
• Discuss Procedure 6 on research
• Describe the process in MA for access to
  confidential data for research
  

3
MA Confidentiality Policy and Procedures

• Serves as confidentiality policy required by
  HIPAA for covered components of DPH
  
• Satisfies requirements under the MA Fair
  Information Practices Act (FIPA)
  
• Documents DPHs longstanding practices related to
  ensuring confidentiality of records
  
• Confidential Information encompasses protected
  health information (HIPAA) and personal data
  (FIPA)

4
Overview of MA Confidentiality Policy and
Procedures

• Table of Contents
• Confidentiality Policy
• Glossary
• Administrative Requirements
• Sanctions for Breach of Confidentiality
• Use and Disclosure of Confidential Information
• Authorizations for the Use and Disclosure of
  Confidential Information
  
• Responding to Subpoenas
• Research Requirements
• De-Identification, Limited Data Sets, and
  Aggregate Data

5
Overview of MA Confidentiality Policy and
Procedures (cont.)

• Public Records Release Standards for Documents
  Containing Medical Information
  
• Verification of Individuals or Entities
  Requesting Disclosure of Confidential
  Information
  
• Security of Confidential Information
• Individual Rights Related to Confidential
  Information
  
• Accounting of Disclosures
• Complaints Regarding the Use and Disclosure of
  Confidential Information
  
• Notice of Privacy Practices (Covered Entity
  only)
  
• Business Associate Agreement (Covered Entity
  only)
  
• Designated Record Set (Covered Entity only)

6
Procedure 6 on Research

• Defines research vs. public health practice
• Specifies requirements for Commissioner approval
  under state law (MGL c. 111, 24A)
  
• Discusses application requirements, review
  criteria, review process, and approval
  conditions
  
• Outlines requirements for Institutional Review
  Board (IRB) review
  
• Discusses requirements under HIPAA for research
  involving data from covered entities

7
Types of Data Requests

• Internal (MA DPH) and external requests for
  confidential data for research
  
• Individual record data, aggregate data without
  cell size suppression, and aggregate data with
  cell size suppression
  
• Records relating to births, deaths, fetal deaths,
  cancer, birth defects, substance abuse, lead
  poisoning, and others

8
Research Authorized by Commissioner of Public
Health

• Massachusetts law (M.G.L. c. 111, 24A) permits
  the Commissioner of Public Health to authorize a
  researcher to conduct a study that will
  contribute to the reduction of morbidity and
  mortality in MA
• Approval from the Commissioner provides three
  types of protection
  
• 1. All information collected as part of the
  approved study shall be confidential (i.e.,
  exempt from release under the public
  records law)

9
Research Authorized by Commissioner of Public
Health

• 2. Persons or institutions that provide
  information to an approved researcher cannot be
  held liable for damages for the release of
  information and
• 3. The information provided to an approved
  researcher is not admissible as evidence in any
  legal proceeding

10
Criteria for Commissioner Approval

• MDPH has established minimum criteria for
  approval of studies or research
  
• In general, studies must
• Lead to results that may reduce morbidity or
  mortality in MA (statutory language)
  
• Have sufficient scientific basis to yield
  meaningful results and
  
• Demonstrate adequate confidentiality and security
  measures to ensure protection of the data.

11
Requirement for RaDAR Review

• Research and Data Access Review (RaDAR) Committee
  review is required for
  
• Research by MDPH staff/agents and
• Research involving access to confidential MDPH
  data.

12
RaDAR Committee

• Centralized process for reviewing and approving
  applications
  
• RaDAR Coordinator
• RaDAR Committee 12-15 members including RaDAR
  Chair, representatives from each Bureau, and
  Legal, Policy and IRB
  
• Expertise in epidemiology, statistics, program
  area (e.g., substance abuse, environmental
  health), etc.
  
• RaDAR Committee reviews applications and makes
  recommendations to the Commissioner whether to
  approve or deny request for confidential data
  
• RaDAR Committee generally meets monthly

13
RaDAR Review Process for External Applicants

• Process begins with researcher calling or writing
  with request for data
  
• RaDAR Coordinator assesses request to determine
  whether it is a request for confidential data for
  research
  
• If not, data may be available by other means
  (e.g., publicly available on MassCHIP, available
  as de-identified data or a limited data set)
  
• If request is for confidential data for research,
  RaDAR Coordinator e-mails researcher the
  appropriate standardized application depending on
  type of data requested
• Researcher completes standardized application and
  e-mails or mails back

14
Application Questions

• Purposes
• Public health importance
• Project description (hypotheses, study design,
  study groups, data collection methods, analytic
  plan)
  
• Subject contact
• Security and storage procedures
• Individuals with data access
• Informed consent
• IRB reviews

• Blood, urine, tissue samples
• Data sources and data sets
• Follow-up with data subjects or data sources
• Linkage of individual records
• Data years
• Data format
• Data items and values
• Justifications for data items
• Planned publications

15
RaDAR Review Process for External Applicants
(cont.)

• Primary reviewer from RaDAR Committee assigned to
  each application to conduct preliminary review to
  assess completeness
  
• Primary reviewer corresponds directly with
  researcher to request clarifications, revisions,
  or submission of missing information
  
• Application must be complete and include all
  contact procedures, contact and consent forms,
  survey instruments, IRB approvals, requested
  variables with justification for each, and
  resumes of researchers

16
RaDAR Review Process for External Applicants
(cont.)

• Completed application is then put on next RaDAR
  meeting agenda
  
• Committee reviews application and decides whether
  to recommend to Commissioner to approve, approve
  with special conditions, postpone decision until
  further information is obtained, or deny
  application

17
Approval Conditions

• If RaDAR Committee recommends approval, RaDAR
  Coordinator prepares Commissioner approval letter
  containing standard and any special conditions
  
• Standard conditions address
• Compulsory legal process
• Limitations on data use
• Confidentiality
• Authorized data users
• Data destruction
• Publication review
• Annual renewal

18
Final Approval

• Final approval letter is then reviewed and
  approved by RaDAR Chair, Legal Office, and Policy
  Office
  
• After these approvals, the letter is signed by
  the Commissioner and sent to the applicant along
  with a Pledge of Confidentiality for all
  co-researchers to sign
• Principal Investigator is required to sign
  approval agreeing to all conditions and then
  return to MDPH with signed Pledges of
  Confidentiality before receiving data

19
IRB Review

• MDPH has a federally approved IRB
• Under the terms of MDPHs IRB approval (its
  Federal-Wide Assurance), the MDPH voluntarily
  adopts compliance with the Common Rule for all
  research conducted by MDPH staff and agents

20
Requirement for MDPH IRB Review

• MDPH IRB review is generally required for
• Research conducted by MDPH staff/agents and
• Research involving MDPH data and moderate to high
  risk to human subjects (e.g., studies involving
  contact with subjects, biological sampling,
  etc.)

21
Impact of HIPAA on Research

• HIPAA did not significantly change review or
  approval process for research at MDPH
  
• MDPH is a hybrid entity under HIPAA, but parts of
  MDPH that maintain confidential data requested
  for research are not covered components
  
• MDPH voluntarily adopted many of the HIPAA
  standards for research

22
Ongoing Issues and Challenges

• Resources RaDAR members and coordinator have
  other responsibilities
  
• Time frame Process can take about 3 months to a
  year (or longer) depending on application
  
• Re-release of data to secondary researchers
• Destruction of data provided and linked data
  sets
  
• Contact procedures Existing policy involves
  passive physician consent. New policy may
  require initial contact be provided by MDPH
  vendor and passive consent from data subject be
  obtained before MDPH releases contact information
  to researchers. Researcher would be required to
  pay for vendors costs in providing initial
  contact.

23
Conclusion

• MDPH has developed comprehensive, written
  procedures detailing the process for releasing
  confidential data to researchers
  
• MDPH is committed to providing confidential data
  to facilitate important public health research
  while taking appropriate precautions to protect
  the privacy rights of data subjects

24

• Guidelines for the release of de-identified
  individual level and aggregate statistical data
  
• Massachusetts Department of Public Health
  Confidentiality Policy and Procedures, Procedure
  7
  

25
Topics for todays discussion...

• Background and purpose of Procedure 7
• Individual de-identified data release covered
  and non-covered components
  
• Aggregate data release for research non-covered
  components
  
• issues
• historical health department approaches
• alternatives
• the MATRIX
• procedure 7

26
Procedure 7 purpose and scope

• This procedure specifies standards under which
  individual-level or aggregate data can be
  disclosed if information that can identify a
  person has been removed or restricted to a
  limited data set. This procedure applies to both
  covered and non-covered components of the
  Department
• Bureaus retain the discretion not to release data
  that it believes risk identification of the data
  subject.
  
• Aggregate data release standards may vary among
  Bureaus and the discretion not to release any
  particular aggregate data remains with the
  individual Bureau
• This procedure does not apply to disclosures of
  unrestricted, identifiable vital record
  information in accordance with applicable laws.
  

27
Standards for Disclosure of Individual-Level
De-Identified Data

• Individual level data can be disclosed if
• meets de-identification standard or
• released as limited data set
• De-identification standard
• qualified statistician in Bureau reviews and
  approves release and approved by MDPH Privacy
  Office, or
  
• adheres to HIPAA safe harbor data element
  standards
  
• Limited data set standard
• certain identifiers must be removed
• permitted uses and limitations require signed
  agreement
  
• approval subject to RADAR review
• model MDPH agreement given

28
Standards for Disclosure of Aggregate Data

• For covered components
• qualified statistician approval
• safe harbor
• For non-covered components
• any method approved for covered components
• numerator/denominator suppression the MATRIX
• numerator based suppression complementary
  cells
  
• other Bureau standard that is at least as
  restrictive as the above, explicitly documented
  by Bureau, and approved by Privacy Officer
  
• Discretion and judgment based on sensitivity
  always!
  

29
What is the general context for MDPHs aggregate
data release policy?

• demand for small area data
• expanded access via electronic data release
• need for more consistent approach
• sensitivity to confidentiality of government data
  and other concerns about privacy
  
• statutory responsibilities HIPAA

30
What are the specific issues for states release
policies?

• How can we meet growing needs for small area
  aggregate data while protecting confidentiality?
  
• Does releasing data affect our ability to collect
  data?
  
• What assumptions can we make about additional
  information that might identify individuals in
  cells with small numbers?
  
• What are the legal requirements and
  interpretations of state and federal laws?
  
• Should rules differ for hard copy and electronic
  release?
  

31
What has been historical practice?

• Informal/inconsistent whoever answers the
  telephone makes the rule
  
• Numerator based rules commonly,
• Denominator based rules
• Geographic based rules
• Judgment based on content/sensitivity
• Statutory constraints and obligations

32
Examples of historical rules in Massachusetts

• Data set Num, denom, geo Level
• Cancer incidence Num 1-4
• BRFSS Num 50 in cell/margin
• Hospital discharge Num 1-6
• Mortality None
• Births Mixed 1-4
• STDs Geog 1-4
• Substance abuse MIS Num 1-9

33
Proposed MDPH rule the MATRIXcriteria
discussed

• Protects confidentiality of individuals
• Simple and clear
• Electronically implementable
• Flexible but consistent

34
The Matrix approach

• Numerator AND denominator considered
• Cascading, iterative approach
• Numerator of preceding level of cross
  classification becomes the denominator of next
  detailed level to be considered for release of
  data in that cell...

35
MATRIX definitions

• For counts of health events (cases, diagnoses,
  births, discharges, etc.), the denominator is
  defined as the number of people with certain age,
  sex, and race-ethnicity characteristics who live
  in a particular place, are clients of a
  particular program, or patients in a particular
  facility.

36
Matrix definitions

• For additional cross-classifications, the
  denominator is defined as the number of events or
  the numerator for the preceding
  cross-classification or the population.
• Numerator is the number of events--cases, births,
  discharges, diagnoses, clients--being considered
  for release
  

37
Proposed MDPH rule the Matrix

• DENOM (D) NUMER (N) POLICY
• 29 Any value
• 10-29 0 or D-N 4 Release
• 10-29 0
• N,where D9 D, where N9 Review for release
• and complementary cells that allow for
  calculation of numerator
  

38
Example birth data request

• How many teen mothers received adequate PNC and
  were covered by public insurance, by race, in
  Town X?
  
• Step 1 teen births by race in Town X
• Step 2 teen births by race receiving adequate
  prenatal care in Town X
  
• Step 3 insurance source for teen births by race
  receiving adequate prenatal care in Town X

39
Birth example step 1, teen mothers by race in
Town X

40
Birth example step 1, teen mothers by race in
Town X

41
Birth example step 1, teen mothers by race in
Town X

42
Birth example step 1, teen mothers by race in
Town X

43
Birth example step 2, teen mothers receiving
adequate PNC by race in Town X
44
Birth example step 2, teen mothers receiving
adequate PNC by race in Town X
45
Birth example step 2, teen mothers receiving
adequate PNC by race in Town X
46
Birth example step 2, teen mothers receiving
adequate PNC by race in Town X
47
Birth example step 3, payer source for teen
mothers receiving adequate PNC by race in Town X
48
Birth example step 3, payer source for teen
mothers receiving adequate PNC by race in Town X
49
The Matrix

• DENOM (D) NUMER (N) POLICY
• 29 Any value
• 10-29 0 or D-N 4 Release
• 10-29 0
• N,where D9 D, where N9 Review for release
• and complementary cells that allow for
  calculation of numerator
  

50
Alternative Numerator and Population Denominator
Rule Missouri Approach

• Numerator and Population Denominator Rule
• Data are not reported if the population is less
  than a certain size and the number of events in a
  cell is less than a certain size
  
• Assumption 1 There is a limited number of
  persons with the same characteristics in a small
  population where a table cell is small
  
• Assumption 2 It is unlikely one can identify
  the diagnosis of a person if there are at least
  10 other persons that had the same demographic
  characteristics and had the same event (death,
  birth, hospitalization, etc.)

51
Missouri Numerator and Event Denominator Rule

• Numerator and Event Denominator Rule
• A table is not reported if a table cell
  subtracted from the number of total events of the
  same data file for the same characteristics
  yields a small number (less than 10)

52
Summary how does Procedure 7 work?

• Purpose standards for release of individual
  level and aggregate data
  
• 1. Standards for individual level
  releaseblessed by qualified statistician,
  safe harbor, or limited data set, or Procedure 6
  for research
• 2.Standards for aggregate release
• a. for covered components blessed by
  statistician or safe harbor
  
• b. for non-covered components most commonly
  asked questions for data

53
Standards for aggregate release for non-covered
components...

• 1. The Matrix numerator/denominator
  suppression
  
• 2. Numerator based cell suppression typically
  1-4 and any cell that would allow for calculation
  of other cells with values 1-4
  
• 3. Alternative approved approaches that are at
  least as restrictive

54
Conclusions for aggregate data release

• State health departments should be developing
  guidelines/standards for release of aggregate
  data, particularly for general information
  release in non-covered components of health
  departments
• Criteria for release should be explicit and
  consistent across data sets
  
• Rules need to be flexible purpose of data
  collection may necessitate using different rules
  
• MDPH has developed a set of options to meet the
  needs of different programs and requires explicit
  selection by Bureau of its standard
  

55
Contact Information

• Jim Ballin
• Deputy General Counsel, Department of Public
  Health
  
• 250 Washington Street, 2nd Floor, Boston, MA
  02108
  
• 617-624-5220, 617-624-5234 (fax),
  james.ballin_at_state.ma.us
  
• Bruce Cohen
• Co-director, Center for Health Information and
  Statistics, MDPH
  
• 2 Boylston St, 6th floor, Boston, MA 02116
• 617-988-3388, 617-988-3280 (fax)
  bruce.cohen_at_state.ma.us