A HIPAA risk assessment reports the identifiability of
your dataset or data stream in terms of the number of people that
could possibly be re-identified if that version were shared.
The Privacert risk assessment quantifies the risks, if
any, and states whether sharing the data poses a minimal risk in accordance
with the HIPAA Privacy Rule provisions.
If you want to have a risk assessment performed, contact a Privacert
representative (info@privacert.com),
who will walk you through the process. The actual computation to generate
the report takes 7-10 days. Here is an overview of the steps.
- We establish confidentiality with your organization by signing non-disclosure
agreements and a HIPAA Business Associates agreement as warranted.
- You provide a description of your dataset, a data sample (optional),
a description of the fields critical to the use for which your dataset
is being shared, and a description of the population of people whose
information is likely to appear in your dataset. We discuss your dataset
with you in order to understand the nature of the values appearing
in your dataset.
- We generate a Risk Assessment report for your dataset and discuss
its contents with you. If the result of the Risk Assessment is that your
data complies with the HIPAA Privacy Rule using the Privacert Compliance
Model for HIPAA, a HIPAA certification statement will be awarded.
If your data does not comply, the Risk Assessment report will report
the nature of the risks found and may include suggestions for field-level
changes. Another option may be the Privacy Appliance described further
below.
Risk Assessment and HIPAA Certification
A Privacert Risk Assessment is typically part of an overall effort to achieve
certification that a particular dataset is sufficiently de-identified to
be shared in accordance with HIPAA (a HIPAA certification). The process begins with
a Privacert Risk Assessment, described above.
If your dataset complies with the HIPAA Privacy Rule in accordance with the
Privacert compliance model for HIPAA, you will be issued a certificate
of HIPAA Privacy Rule compliance. If that version of your dataset does not comply, the Privacert Risk
Assessment may reveal simple, manual process changes that will sufficiently
anonymize the data. However, if no such changes are available or appropriate
for your needs, you can often use the Privacert Appliance remotely, or at your site,
to automatically de-identify and certify your dataset in real time.
The Privacert Appliance provides ongoing certification while simultaneously
allowing more details to remain in the dataset. Below is a schematic overview.
Schematic overview for achieving HIPAA certification from a Privacert Risk Assessment, with simple changes (if possible), or by using a Privacert Appliance.