As regulators and consumers alike apply greater scrutiny to how patient data is being shared across the healthcare ecosystem, privacy impact assessments (PIA) have become an important tool for organizations to identify and address risks to personally identifiable information (PII) and demonstrate transparency in collecting and processing practices.
What is Personally Identifiable Information (PII)?
PII is information that can be used to distinguish or trace an individual’s identity alone or when combined with other information that may be linked to a specific individual. Examples of PII could be identifiable numbers (e.g., social security, passport, driver’s license, vehicle identification, etc.), general personal information (e.g., names, addresses), employment information, biometrics, and/or medical information.
Protected health information, or PHI, is a subset of PII, specifically referring to health information shared with HIPAA covered entities. Medical records, lab reports, and hospital bills are PHI, along with any information relating to an individual’s past, present, or future physical or mental health.
In this blog, we will focus on the broader category of PII.
The Purpose of a PIA
A PIA analyzes how PII is collected, used, shared, and maintained. Organizations and government agencies perform and document PIAs to identify the effect that implementing technology, programs, and practices might have on PII.
The assessment demonstrates that an organization has consciously incorporated privacy protections throughout the lifecycle of a system or program. Mature PIA processes incorporate recommendations for managing, minimizing, or eliminating risks. The PIA also provides decision-makers with the information necessary to make informed decisions based on an understanding of the privacy risks and the options available for mitigating those risks.
The Relationship Between Privacy Impact Assessments and Security Risk Assessments
Organizations routinely perform data security risk assessments that evaluate the security of information technology systems to protect against and respond to cybersecurity events. Organizations should implement adequate security controls to assure the confidentiality of PII, in addition to the other benefits of performing security risk assessments.
While PIAs and security risk assessments may sometimes overlap, each assessment serves distinct purposes and addresses different organizational concerns. PIAs focus on more than security. As described later in this blog, PIAs address procedures for providing the individual with notice, obtaining consent for collecting and processing PII, responding to rights requests, and identifying the purpose for collecting and processing PII. A security risk assessment addresses security and technology infrastructure and the controls implemented to protect the organization’s technology environment. The PIA and the security risk assessment play important roles in identifying risks for organizations in different ways.
The PIA Process
The first step in a PIA is determining whether implementing technology, programs, or practices requires collecting, storing, analyzing, sharing, or destroying PII. Determining whether a project meets this threshold requires a thorough understanding of all aspects of a project. Questions to consider at this stage of the project include:
- What PII is collected? How is the information collected? How will the PII be used? Who will have access to the PII? To whom will the PII be shared? What safeguards are in place to secure PII? How long will the PII be retained? How will the PII be decommissioned and disposed of?
- What categories of PII are to be collected (e.g., general identifying information, health information, employment information, etc.)?
- Does the collecting or processing of PII present risks to the privacy of the person, personal behavior, personal communications, and personal data? How will those risks be mitigated?
- Are there opportunities for individuals to decline to provide information (i.e., where providing information is voluntary) or to consent to the use of the information?
Organizations should develop a formal process to document PIAs and record the following information:
- Types of PII collected and processed
- The purpose of collecting the PII
- The intended uses of the PII
- Whether PII will be shared with third parties and the types of third parties that may receive or have access to the PII
- Opportunities individuals will have to opt out of the collecting or processing of their PII
- A description of security and protections for how PII will be secured
- The life cycle of the PII
Ideally, PIAs should be completed before implementing a project, product, or service and should be ongoing through the lifecycle of the project, technology, programs, or practices. A PIA should be completed early enough in the project so that its findings can influence the overall design or outcome. Failure to undertake a PIA at this point may expose organizations to risks such as privacy breaches, negative publicity, and loss of public trust.
PIA Requirements and Outcomes
Organizations should consider whether they have regulatory requirements to implement PIA processes, such as the General Data Protection Regulation (GDPR) in the European Union, government contract requirements in the United States (U.S.), and different U.S. data privacy laws passed by multiple states in recent years. Although organizations may be mandated by laws or regulations to complete PIAs, the PIA has also become a best practice for identifying, evaluating, and mitigating privacy risks even when there is no legal or regulatory requirement to do so.
The PIA process from the various regulatory requirements and guidelines can be summarized in the following components:
- Project Initiation: This is where the actual scope of the PIA process is determined and defined.
- Data Flow Analysis: This is where a detailed data mapping is analyzed to determine how the PII flows through the organization.
- Privacy Analysis: This is the due diligence process in which questionnaires are used to interview workforce members about the purpose of the technology, program, or practices, the categories of PII that may be impacted, and to identify privacy risks and issues associated with the intended project.
- Privacy Impact Assessment Report: This report formally documents the privacy risks, associated implications of those risks, and possible remedies or mitigation plans. Decision-makers should review and approve the report.
The approved PIA report serves as an effective communications tool that demonstrates a commitment to transparency and shows that the project has been designed with privacy in mind. The PIA report should include the following:
- Recommendations on how to manage or mitigate privacy risks, as well as any privacy risks that cannot be mitigated
- The outcome of privacy impact analysis and compliance checks
- A description of the information flows involved in the project
A PIA can reveal where organizations have weaknesses regarding the PII it collects and processes. Assessment findings can serve as helpful reminders to collect PII only for the specific purposes disclosed to individuals, inform the individual about the purposes for collecting and processing PII, respond to individuals’ requests about their PII, and safely dispose of the PII when it has served that purpose. Demonstrating your commitment to privacy by conducting a PIA may be reputationally, legally, and financially important if a breach of PII occurs.