
House Rx Enables “Minimum Necessary” Data Access Policy with Privacy Dynamics

House Rx can now feel confident that their engineers and analysts have fast and responsible access to the information they need, without having access to information they don’t.

Key Results

  • A complete data minimization solution, ready on Day 1
  • More granular data that allows for deeper insights to drive the best care for patients
  • More informed healthcare BI (business intelligence) decisions based on actual data

BACKGROUND: A technology & service provider to specialty clinics

House Rx partners with specialty clinics across the country to make specialty medications more accessible and affordable. It offers technology and services that help these clinics offer medically-integrated dispensing, bringing together clinical and pharmacy expertise to better serve patients.

House Rx has developed an integrated platform for operating clinic dispensaries, which ensures coordination between the clinical team and House Rx's operations team. This platform is connected to the patient's electronic health record, so that a pharmacist can easily review drug use and therapy appropriateness, ensure the drug is safe for the patient, monitor the patient for detrimental side effects, and stay coordinated with the rest of the clinical team.

THE CHALLENGE: Ensuring the team has the information they need to do their jobs, and no more!

Healthcare data in the US are subject to heightened privacy requirements compared to other consumer data. At the same time, electronic health records are often messy and duplicative, and contain more information than necessary for a particular use. This presents challenges for companies that need to demonstrate they are using the minimum required data for any given task, and those tasks often support business-critical products and services.

Compliance and regulatory tasks can pose a seemingly insurmountable obstacle to responsibly and effectively using health data inside a single organization, let alone between multiple business entities. For instance, the Health Insurance Portability & Accountability Act (HIPAA) requires that a covered entity or business associate use the "minimum necessary" amount of PHI and only for specific authorized purposes (e.g., treatment, payment, operations). While HIPAA permits covered entities (e.g., health care providers) and their business associates (e.g., service providers) to "de-identify" data, its Safe Harbor method understandably takes a very conservative approach, which requires the removal of valuable information (e.g., only reporting dates at the year level). HIPAA's expert determination method of de-identification can offer more flexibility, but requires the company to obtain an opinion from a statistical expert, which is currently time-consuming and expensive. When it comes to business-critical data, as in House Rx's case, it's important that only unnecessary data is removed. Should too much get removed, the data becomes less accurate and useful. This relationship is often referred to as the Privacy-Utility Trade-Off. In summary, the more identifiers one removes from a dataset, the less useful the data is for understanding individual-level differences and for performing accurate analyses.

As House Rx built its platform, it was keenly aware of its duties as a responsible data steward. They needed to provide engineers, analysts, and other data users access to only the minimum amount of information necessary to do their jobs. This would give the House Rx team confidence that they were working with production-quality minimized data to perform quality assurance checks on code and to generate detailed insights that would help customers understand the health of their dispensary operations.

"Our goal was to build an organization that had very deep data transparency consistent with the privacy rights of our patients and HIPAA requirements around minimal access," says Alda Pontes, House Rx's Head of Technology.

House Rx initially intended to build its own data minimization solution. But it quickly became apparent that doing so would involve a lot of money, time, and expertise.

THE SOLUTION: State-of-the-art data minimization that preserves data utility

Allison Canton, House Rx's General Counsel and Compliance Officer, was familiar with Privacy Dynamics. When she heard about the difficulties House Rx was having, she thought Privacy Dynamics could help. She also knew that many of her legal & privacy colleagues in the health care space privately worried that they were either giving their team access to too much information (increasing the risks of breach) or too little (leading to inefficiencies and hampering innovation).

House Rx immediately saw that Privacy Dynamics has the data minimization tool and self-hosted enterprise application that matched its needs: it provides k-anonymity, lets House Rx define which variables to neutralize, and enables high-fidelity code QA without exposing engineers to excess personal data while enabling the organization to perform more precise analytics.

Privacy Dynamics balances the line between privacy and utility by putting individuals into groups that blur them into a small crowd. It anonymizes direct identifiers, such as name, birthday, SSN and location, but it also goes miles beyond what House Rx initially expected by treating quasi-identifiable information, too.

Quasi-identifiers are pieces of data that are not unique identifiers but can be combined to create personally identifying information (e.g., dates of service). House Rx could also enable "Safe Harbor" level de-identification by simply updating their settings in the application, or use the tool in conjunction with a service provider to obtain an expert determination.
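An added illustration of the k-anonymity idea described above, not Privacy Dynamics' or House Rx's code: it measures k over two quasi-identifiers (date of service and ZIP code) and finds the least coarsening that reaches a target k. The column names, the generalization ladder and the sample rows are assumptions constructed for this example.

```python
from collections import Counter

# Constructed sample rows (not real data); direct identifiers are already removed.
# Quasi-identifiers: service_date and zip. "drug" is the value analysts need.
ROWS = [
    {"service_date": "2022-01-04", "zip": "98101", "drug": "A"},
    {"service_date": "2022-01-04", "zip": "98101", "drug": "B"},
    {"service_date": "2022-01-19", "zip": "98101", "drug": "A"},
    {"service_date": "2022-01-27", "zip": "98109", "drug": "C"},
    {"service_date": "2022-02-02", "zip": "98109", "drug": "A"},
    {"service_date": "2022-02-15", "zip": "98122", "drug": "B"},
    {"service_date": "2022-02-15", "zip": "98122", "drug": "C"},
    {"service_date": "2022-01-11", "zip": "98109", "drug": "A"},
]

# Hypothetical generalization ladder, most detail (most utility) first.
# "year" is the date granularity the text above attributes to Safe Harbor.
LEVELS = [("day", 5), ("month", 5), ("month", 3), ("year", 3), ("year", 0)]

def generalize(row, date_level, zip_digits):
    """Coarsen the quasi-identifiers: truncate the ISO date and mask ZIP digits."""
    cut = {"day": 10, "month": 7, "year": 4}[date_level]
    return (row["service_date"][:cut], row["zip"][:zip_digits].ljust(5, "*"))

def k_of(rows, date_level, zip_digits):
    """k is the size of the smallest group of rows that look identical
    on the (generalized) quasi-identifiers."""
    groups = Counter(generalize(r, date_level, zip_digits) for r in rows)
    return min(groups.values())

def least_generalization(rows, k_target):
    """Return the most detailed level at which every row hides in a group
    of at least k_target rows, or None if no level on the ladder suffices."""
    for level in LEVELS:
        if k_of(rows, *level) >= k_target:
            return level
    return None  # would require suppressing outlier rows instead

if __name__ == "__main__":
    for level in LEVELS:
        print(level, "k =", k_of(ROWS, *level))
    print("least generalization for k>=2:", least_generalization(ROWS, 2))
    print("least generalization for k>=4:", least_generalization(ROWS, 4))
```

Raising the target k forces coarser dates and ZIP codes, which is the privacy-utility trade-off in miniature: each step down the ladder protects individuals better and leaves analysts less detail.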

A big factor in House Rx choosing Privacy Dynamics was its on-premises deployment, which was critical for satisfying internal data security standards. House Rx deployed Privacy Dynamics inside its private network with its own secure keys. This way, Privacy Dynamics doesn't have access to House Rx's data. Further, in order to take advantage of Privacy Dynamics' design partner program, House Rx signed a subcontractor Business Associate Agreement to cover any incidental PHI disclosure occurring during implementation or support.

"It didn't make sense to try to build a data minimization solution ourselves when we could partner with Privacy Dynamics for the full solution on Day 1," Pontes says.

And it has been a great partnership; House Rx went live with Privacy Dynamics in January 2022. The Privacy Dynamics and House Rx teams worked closely to fine-tune the solution during deployment. "It took some back and forth. But the Privacy Dynamics team is so collaborative and excited, and had short turnaround times for updates. So it has been a great experience," Pontes says.

Meanwhile, as House Rx explained what it needed and Privacy Dynamics adapted the platform, Privacy Dynamics also developed a greater understanding of the type of customizations that would enable its solution to better serve the healthcare sector. The biggest was the need to iterate on data transformation in order to determine a threshold for minimum necessary on a project-by-project basis.

If House Rx had built the data minimization solution in-house, Pontes estimates it would initially have been able to do 40% or less of what the Privacy Dynamics tool could do right away.

THE RESULTS: Embedding responsible data use into their tech

House Rx can now feel confident that their engineers and analysts have fast and responsible access to the information they need, without having access to information they don't.

The most significant benefit of using Privacy Dynamics, Pontes says, is transparency for more informed decisions based on real data rather than curating datasets using guesswork and unfounded assumptions. "We want to make sure we're doing right by patients. So making sure that we have the right metrics to track the effect of our services on patient care is important.

"It's essential to use the information that's around us before making a decision."

THE FUTURE: Build an organization with deep data literacy

House Rx will continue adding to the deployment and deeply integrating Privacy Dynamics into its technology stack. They want to create an organization with deep data literacy and responsible data use practices.

"Privacy Dynamics tooling helps us make sure that we have the information that we need while doing right by the patient," says Pontes.

About House Rx: House Rx is a technology-enabled service company focused on making specialty medication more accessible and affordable. We do so by helping clinics dispense specialty medications to their patients in a medically-integrated way using pharmacist expertise and modern technology. By helping physicians and pharmacists collaborate on patient care, we're able to improve patient outcomes, lower the cost of care, and create a better experience for patients and their caregivers.