Privacert provides real-world
certifications that determine whether data are sufficiently
de-identified in accordance to specific legal and regulatory requirements.
For example, Privacert Risk Assessments and the Privacert HIPAA Standard
can assess whether a version of data is sufficiently de-identified under the
Health Insurance Portability and Accountability Act (HIPAA),
scientifically and legally, so that it can be shared freely and still remain useful.
The HIPAA Privacy Rule provides two mechanisms for sharing patient data
freely: (1) the safe harbor provision that lists which fields cannot be released;
and, (2) the scientific standard that states that there must be minimal risk of re-identification.
The safe harbor provision often yields useless data, and there is no definition of "minimal risk"
provided for the scientific standard. Dr. Sweeney's technical and legal insight
was to conserve the number of re-identifications allowed in the safe harbor provision
while allowing more specificity in fields allowed in the scientific provision.
Dr. Latanya Sweeney
Data Privacy Lab
contributed an operational standard
for determining HIPAA compliance that satisfies scientific and legal muster
by asserting that a dataset is HIPAA compliant if no more people are identifiable
in the subject data release than would be identifiable if the data release satisfied
the HIPAA safe harbor provisions
This approach leverages
Dr. Sweeney's previously developed technology
for determining the identifiability of data, the
Privacert Risk Assessment Server.
In 2002, four organizations received licenses to the Privacert Risk Assessment Server
in order to use the Privacert Risk Assessment Server to determine whether data were
sufficiently de-identifed under HIPAA. During that time, the approach has been highly succesfully
as the basis for determining re-identification risk in many high profile data sharing
arrangments. Customers included large corporations, start-up ventures, and government agencies.
Our current mission is to share our approach and success widely by opening up access
to our methods, tools, and results. We believe doing so will
help inform policy-makers of actual real-world risks and existing real-world remedies.
If successful, we believe American soceity will enjoy data sharing with guarantees of privacy protection
while the data remain useful.