Privacy Preserving Record Linking for Sharing Medical Data

Unified Data Saves Lives

Quality data is essential for research databases, but HIPAA regulations demand that PII/PHI and other patient identifiers be removed before medical data is shared.

Patient records exist across multiple providers, so quality and research databases end up with duplicated and/or fragmented records. These data problems hinder the search for new treatments and better outcomes.

The Challenge: How do you link data without identifiers?

The Identifier Paradox

Unifying data requires identifiers from each database to link records, but HIPAA forbids identifiers that would not remain privacy preserving even after a data breach.

Identifiers must be unique to each provider and must not be mappable across different databases, yet at the same time they must allow researchers to de-duplicate and de-fragment records.

UNS Privacy Preserving Record Linking for Quality and Research Databases

UNS Creates Unique, Anonymous Identifiers

Only Identifiers flow through the secure UNS network.

  • PII/PHI is NEVER sent to UNS
  • Medical Data is NEVER sent to UNS
  • Blinded Identifiers are NEVER saved by UNS

How Does UNS PPRL Work?

1. Health Care Provider adds Blind ID tokens to patient records

Health Care Providers send a hash derived from PII to their UNS Security Node and receive an encrypted Record Linking Token (Blind ID) to attach to patient records.

UNS PPRL can be deployed through a real-time API or batch processing. The Security Node can be instantiated on demand in a cloud environment or as an on-premises system. Nodes store neither the hashes nor the encrypted identifiers, and PII never leaves the provider's span of control.

2. Health Care Provider shares de-identified data

The Health Care Provider shares de-identified medical data with target databases following its existing agreements.

This transfer happens outside of UNS and does not include the Blind ID token.

3. Blind ID tokens are created for each database

The 1st Blind ID is created using a key that belongs to the data provider.

The 2nd Blind ID is created using a key that belongs to the data recipient.

Even if the provider and the recipient are both controlled by the same entity, they will have two different keys.

4. The 2nd Blind IDs are merged by the database

This process can be repeated for each Health Care Provider sharing data with quality and research databases.

This process must be repeated for each database receiving data from a Health Care Provider, because the 2nd Blind ID token is encrypted with the key of that recipient.
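The four steps above, worked through as an added example that is not UNS code and makes no claim about the product's actual cryptography. It assumes the provider's hash is SHA-256 over normalised name and date of birth, and it uses HMAC-SHA256 under each party's key as a keyed one-way transform in place of the encryption the page describes. All keys, party names and patient records are constructed for the example. The node function keeps no state, the record that reaches the recipient carries no PII, the same patient from two providers collapses to one Blind ID 2 inside a database, and the same patient gets unrelated Blind ID 2 values in two different databases.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed keys. Each party (a data provider or a recipient database) holds
# its own key; per the page, provider and recipient keys differ even when one
# entity controls both. Generated in-process so the example runs offline.
KEYS = {
    "provider_A": secrets.token_bytes(32),
    "provider_B": secrets.token_bytes(32),
    "registry_1": secrets.token_bytes(32),
    "registry_2": secrets.token_bytes(32),
}


def pii_hash(first: str, last: str, dob: str) -> str:
    """Step 1, provider side: derive a hash from PII before anything leaves
    the provider. The normalisation (trim, upper-case, ISO date) is an
    assumption; the page only says 'a hash derived from PII'."""
    canonical = "|".join(p.strip().upper() for p in (first, last, dob))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def security_node(pii_digest: str, provider: str, recipient: str):
    """Steps 1 and 3, node side: turn the provider's hash into two tokens.
    Blind ID 1 is keyed with the provider's key, Blind ID 2 with the
    recipient's. HMAC-SHA256 stands in for the encryption the page describes
    (an assumption). The function keeps no state: neither the hash nor the
    tokens are stored anywhere."""
    digest = pii_digest.encode("utf-8")
    blind_id_1 = hmac.new(KEYS[provider], digest, "sha256").hexdigest()
    blind_id_2 = hmac.new(KEYS[recipient], digest, "sha256").hexdigest()
    return blind_id_1, blind_id_2


def share(provider: str, recipient: str, first: str, last: str, dob: str,
          clinical: dict) -> dict:
    """Step 2: build the record the recipient database will hold. It carries
    de-identified clinical data plus the recipient-keyed Blind ID 2, never
    the PII or the provider-keyed Blind ID 1."""
    _, blind_id_2 = security_node(pii_hash(first, last, dob), provider, recipient)
    return {"blind_id": blind_id_2, "source": provider, **clinical}


def merge(records: list) -> dict:
    """Step 4: the recipient database groups records by Blind ID 2, which
    de-duplicates and de-fragments one patient's records across providers."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["blind_id"]].append(rec)
    return dict(grouped)


if __name__ == "__main__":
    # Constructed patients: Ada is seen by both providers, Grace by one.
    incoming = [
        share("provider_A", "registry_1", "Ada", "Lovelace", "1815-12-10", {"dx": "A01"}),
        share("provider_B", "registry_1", " ada ", "LOVELACE", "1815-12-10", {"dx": "B02"}),
        share("provider_A", "registry_1", "Grace", "Hopper", "1906-12-09", {"dx": "C03"}),
    ]
    linked = merge(incoming)
    print(f"{len(incoming)} records received, {len(linked)} distinct patients")
    for blind_id, recs in linked.items():
        print(blind_id[:16], [r["source"] for r in recs])
```

Running the script shows three incoming records collapsing to two patients in registry_1. Asking the node for the same patient's token for registry_2 yields a value with no computable relation to the registry_1 token, which is the property that stops anyone mapping identities across databases without each recipient's key.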

Multiple Research Databases can be Linked

PPRL can be repeated across multiple research databases using an honest broker or another authorizing party.

Unifying patient data enables better research and better treatments.