A risk assessment reports the identifiability
your dataset or data stream in terms of the number of people that
could possibly be re-identified if that version were shared.
The Privacert risk assessment quantifies the risks, if
any, and states whether sharing the data poses a minimal risk in accordance
witha regulations (e.g., the HIPAA Privacy Rule).
If you want to have a risk assessment performed, contact a Privacert
who will walk you through the process. The actual computation to generate
the report takes 7-10 days. Here is an overview of the steps.
- We establish confidentiality with your organization by signing non-disclosure
agreements and a HIPAA Business Associates agreement as warranted.
- You provide a description of your dataset, a data sample (optional),
a description of the fields critical to the use for which your dataset
is being shared, and a description of the population of people whose
information is likely to appear in your dataset. We discuss your dataset
with you in order to understand the nature of the values appearing
in your dataset.
- We generate a Risk Assessment report for your dataset and discuss
its contents with you. If the result of the Risk Assessment is your
data complies with the HIPAA Privacy Rule using the Privacert Compliance
Model for HIPAA, a HIPAA certification statement will be awarded.
If your data does not comply, the Risk Assessment report will report
the nature of the risks found and may include suggestions for field-level
Below is a sample analysis.
Re-identification threat identified during
a Privacert Risk Assessment.
Risk Assessment and HIPAA Certification
A Privacert Risk Assessment is typically part of an overall effort to achieve
certification that a particular dataset is sufficiently de-identified to
be shared in accordance to HIPAA
(a HIPAA certification). The process begins with
a Privacert Risk Assessment, described above.
[For more technical information about our approach, see