Real-World Data HIPAA Conformance for De-Identification

Oracle uses multiple methods to ensure that data provided for research purposes is deidentified in accordance with HIPAA standards using several methods.

Oracle uses expert determination and safe harbor standards to deidentify Real-World Data as outlined by 45 CFR 164.514.

• Expert Determination: A qualified expert uses scientific and statistical methods to minimize identification risk and documents their analysis and findings.
• Safe Harbor: Specific direct identifiers such as names, contacts, and exact dates are fully removed or generalized with additional safeguards to prevent identification.

In addition, Oracle:

• Shifts dates by a consistent number of seven-day increments randomly (forward or backward).
• Reduces partial dates to year only.
• Categorizes individuals over 89 years of age as 90+.
• Uses system-assigned numbers instead of extracting direct identifiers like names, contacts, social security numbers, and so on.
• Does not extract location information more specific than the state.

Other sensitive identifiers are not present in the dataset. Data is deidentified before Oracle receives the data. It is encrypted at the provider site, transferred using secure shell (SSH), then stored in a controlled Oracle data center.

See Understand Real-World Data HIPAA Conformance for Deidentification on Oracle Health Wiki for more information.