Frequently Asked Questions (FAQs)
1. What is re-identification (re-ID) risk scoring under HIPAA?
Re-ID risk scoring is a statistical analysis that evaluates how likely it is for someone to be re-identified based on quasi-identifiers in a dataset, in accordance with the HIPAA Expert Determination Method.
2. How does HIPAA define key identifiers vs. quasi-identifiers?
Key identifiers include directly identifying information like names and Social Security Numbers. Quasi-identifiers are indirect attributes—like age, zip code, or gender—that can be combined to identify individuals.
3. What is the HIPAA Expert Determination Method?
The HIPAA Expert Determination Method allows data to be considered de-identified if a qualified expert determines that the risk of re-identification is very small, based on accepted statistical principles and methods.
4. How does IRI perform re-ID risk scoring?
IRI FieldShield and the Voracity platform include a Risk Scoring wizard that analyzes quasi-identifiers in database or flat-file rows and generates statistical risk metrics and visual reports across multiple attack models.
5. What are equivalence classes in re-ID risk scoring?
Equivalence classes are groups of records that share the same combination of quasi-identifiers. Smaller classes indicate higher risk, as fewer records share the same attributes, making re-identification easier.
6. Can I visualize re-ID risk with IRI tools?
Yes. The Risk Scoring wizard in IRI Workbench produces interactive charts that show record distributions, quasi-identifier combinations, and risk levels for each attack model.
7. What are the three attack models used in IRI’s re-ID scoring?
IRI measures re-ID risk based on prosecutor, journalist, and marketer attack models—each simulating a different level of prior knowledge and intent to assess how identifiable data records are.
8. How do I reduce re-identification risk after scoring?
Once you review the risk report, you can generalize, blur, or mask one or more quasi-identifiers using FieldShield. The data can then be re-scored to confirm reduced re-ID probability.
9. Can I reuse the same scoring model after modifying the data?
Yes. The scoring model built in the initial analysis can be reused in FieldShield to re-score updated datasets, making it easy to validate that re-identification risk has been minimized.
10. What is the benefit of using IRI’s re-ID risk scoring for compliance?
It provides objective, statistically supported evidence of HIPAA compliance under the Expert Determination Method and helps guide safe data use for analytics, research, or third-party sharing.
11. Can IRI help if I need an expert statistician?
Yes. IRI can refer you to qualified statisticians who are experienced in evaluating HIPAA re-ID risk assessments and supporting regulatory documentation needs.
12. What file types are supported for re-ID risk scoring?
IRI supports re-ID risk scoring for both structured database tables and delimited flat files that contain sensitive attributes and quasi-identifiers.