Privacy Preserving Record Linking for Sharing Medical Data
Unified Data Saves Lives
Quality data is essential for research databases, but HIPAA regulations demand that PII/PHI and other patient identifiers be removed before medical data is shared.
Patient records exist across multiple providers, resulting in quality and research databases with duplicated and/or fragmented records. These data problems hinder the search for new treatments and better outcomes.
The Challenge: How do you link data without identifiers?
The Identifier Paradox
Unifying data requires identifiers from the source databases to link records, but HIPAA forbids identifiers that do not remain privacy preserving even after a data breach.
Identifiers must be unique for each provider and must not be mappable across different databases, yet they must still allow researchers to de-duplicate and de-fragment records.
UNS Privacy Preserving Record Linking for Quality and Research Databases
UNS Creates Blinded Identifiers
Unique for every patient in each database.
- PII/PHI is NEVER sent to UNS
- Medical Data is NEVER sent to UNS
- Blinded Identifiers are NEVER saved by UNS
Only identifiers flow through UNS.
How Does UNS PPRL Work?
1. Health Care Provider adds Blind ID tokens to patient records
Health Care Providers send a hash derived from PII to their UNS Security Node and receive an encrypted Record Linking Token (Blind ID) to attach to patient records.
UNS PPRL can be deployed through a real-time API or batch processing. The Security Node can be instantiated on demand in a cloud environment or as an on-premises system. Nodes store neither the hashes nor the encrypted identifiers, and PII never leaves the provider's span of control.
2. Health Care Providers share de-identified data
Health Care provider shares de-identified medical data with target databases following their existing agreements.
This transfer happens outside of UNS and does not include the Blind ID token.
3. Blind ID tokens are created for each database
The 1st Blind ID is created using a key that belongs to the data provider.
The 2nd Blind ID is created using a key that belongs to the data recipient.
If the provider and the recipient are both controlled by the same entity, they still have two different keys.
4. The 2nd Blind IDs are merged by the database
This process must be repeated for each database receiving data from a Health Care Provider, because the 2nd Blind ID token is encrypted with the key of that recipient.
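The four steps above, modelled end to end as an added example. This is not UNS code and does not reproduce UNS's token format: the Security Node's encrypted token is stood in for by HMAC-SHA256 under the key owner's secret (an assumption chosen because it is deterministic under one key, so tokens from different providers line up at one recipient, and unlinkable across keys). The party names, keys and patient records are constructed for the demo.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

# Constructed demo keys. In the deployment described on the page each
# provider and each recipient holds its own key; they are listed here
# only so the example runs offline. A provider that is also a recipient
# still has two distinct keys.
PROVIDER_KEYS = {
    "hospital_a": b"demo-provider-key-hospital-a",
    "clinic_b": b"demo-provider-key-clinic-b",
}
RECIPIENT_KEYS = {
    "registry_x": b"demo-recipient-key-registry-x",
    "registry_y": b"demo-recipient-key-registry-y",
}


def normalize_pii(first: str, last: str, dob_iso: str) -> str:
    """Canonicalise identifiers so formatting differences between providers
    (accents, case, stray punctuation) do not break linkage."""
    def clean(s: str) -> str:
        s = unicodedata.normalize("NFKD", s)
        s = "".join(c for c in s if not unicodedata.combining(c))
        return "".join(c for c in s.lower() if c.isalnum())
    return f"{clean(first)}|{clean(last)}|{dob_iso.strip()}"


def pii_hash(first: str, last: str, dob_iso: str) -> str:
    """Step 1, provider side: only this hash leaves the provider, never PII.
    An unkeyed hash of low-entropy PII is dictionary-attackable, which is why
    it is only the input to the keyed step below and is never stored."""
    return hashlib.sha256(normalize_pii(first, last, dob_iso).encode()).hexdigest()


def blind(pii_hash_hex: str, key: bytes) -> str:
    """Stateless Security Node step (assumed HMAC-SHA256 here, standing in for
    the page's encrypted token). Nothing is retained between calls."""
    return hmac.new(key, pii_hash_hex.encode(), hashlib.sha256).hexdigest()


def issue_blind_ids(pii_hash_hex: str, provider: str, recipient: str):
    """Step 3: the 1st Blind ID is keyed by the provider, the 2nd by the
    recipient, so neither party can map one onto the other."""
    return (blind(pii_hash_hex, PROVIDER_KEYS[provider]),
            blind(pii_hash_hex, RECIPIENT_KEYS[recipient]))


def merge_by_blind_id(submissions):
    """Step 4: the recipient database groups de-identified records by 2nd
    Blind ID; one patient's records from several providers land in one group
    without the recipient ever seeing PII."""
    groups = defaultdict(list)
    for sub in submissions:
        groups[sub["blind_id"]].append((sub["source"], sub["data"]))
    return dict(groups)


def run_demo():
    # Constructed records: the same patient at two providers, formatted
    # differently, plus an unrelated patient.
    records = [
        ("hospital_a", ("José", "Muñoz", "1980-01-02"), {"dx": "I10"}),
        ("clinic_b", ("jose", "MUNOZ", "1980-01-02"), {"dx": "E11"}),
        ("clinic_b", ("Ana", "Silva", "1975-06-30"), {"dx": "J45"}),
    ]
    out = {"first_ids": {}, "merged": {}}
    for recipient in RECIPIENT_KEYS:  # repeated per receiving database
        submissions = []
        for provider, pii, data in records:
            h = pii_hash(*pii)  # computed at the provider
            first_id, second_id = issue_blind_ids(h, provider, recipient)
            out["first_ids"][(provider, pii)] = first_id
            # Step 2: `data` travels outside UNS; only the 2nd Blind ID joins it.
            submissions.append({"blind_id": second_id, "source": provider, "data": data})
        out["merged"][recipient] = merge_by_blind_id(submissions)
    return out


if __name__ == "__main__":
    result = run_demo()
    for registry, groups in result["merged"].items():
        print(registry, {bid[:8]: sources for bid, sources in groups.items()})
```

Running the demo shows two groups at each registry, one of them holding both the hospital_a and clinic_b records for the shared patient, while the Blind IDs used by registry_x share no values with those used by registry_y. The `pii_hash` normalisation is the fragile part in practice: a provider that records a date of birth in a different format will produce a different hash and a fragmented record, so agreeing on canonical forms across providers matters as much as the keys.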