Frequently Asked Questions (FAQs)
1. What is re-identification (re-ID) risk scoring under HIPAA?
Re-ID risk scoring refers to a statistical analysis that evaluates how likely it is for a person to be re-identified by an “attacker” based on unmasked direct, and especially indirect (or quasi-) identifiers in their record, in accordance with the HIPAA Expert Determination Method.
2. How does HIPAA define key identifiers vs. quasi-identifiers?
Key identifiers include directly identifying information like names and Social Security Numbers. Quasi-identifiers are indirect, typically demographic, attributes—like age, postal code, medical condition and gender—that when combined can often be used to identify a particular individual.
3. What is the HIPAA Expert Determination Method?
The HIPAA Expert Determination Method allows data to be considered de-identified if a qualified expert determines that the risk of re-identification is very small, based on accepted statistical principles and methods.
4. How does IRI perform re-ID risk scoring?
The IRI FieldShield data masking tool, and the IRI Voracity data management platform that includes FieldShield, feature a separate Re-ID Risk Scoring wizard in the IRI Workbench IDE that analyzes and reports on quasi-identifiers in database or flat-file rows and generates statistical risk metrics across multiple attack models.
5. What are equivalence classes in re-ID risk scoring?
Equivalence classes are groups of records that share the same combination of quasi-identifiers. Smaller classes indicate higher risk, as fewer records share the same attributes, making re-identification easier.
6. Can I visualize re-ID risk with IRI tools?
Yes. The Re-ID Risk Scoring wizard in IRI Workbench produces interactive charts that show record distributions, quasi-identifier combinations, and risk levels for each attack model.
7. What are the three attack models used in IRI’s re-ID scoring?
IRI measures re-ID risk based on prosecutor, journalist, and marketer attack models—each simulating a different level of prior knowledge and intent to assess how identifiable data records are.
8. How do I reduce re-identification risk after scoring?
Once you review the risk report, you can generalize (bin / bucket values), blur, or mask one or more quasi-identifiers using FieldShield (or IRI DarkShield). That newly anonymized data can then be re-scored to confirm the reduced likelihood of re-identification.
9. Can I reuse the same scoring model after modifying the data?
Yes. The scoring model built in the initial analysis can be reused in FieldShield to re-score updated datasets, making it easy to validate that re-identification risk has been minimized.
10. What is the benefit of using IRI’s re-ID risk scoring for compliance?
It provides objective, statistically supported evidence of HIPAA compliance under the Expert Determination Method and helps guide safe data use for analytics, research, or third-party sharing.
11. Can IRI help if I need an expert statistician?
Yes. IRI can refer you to qualified statisticians who are experienced in evaluating HIPAA re-ID risk assessments and supporting regulatory documentation needs.
12. What file types are supported for re-ID risk scoring?
IRI supports re-ID risk scoring for both structured database tables and delimited flat files that contain sensitive attributes and quasi-identifiers.
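
Added example (not IRI code or output): the equivalence-class grouping from question 5 and the generalize-then-re-score step from question 8, using standard prosecutor-model metrics, where a record's risk is 1 divided by the size of its equivalence class. The rows, function names and binning choices are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows: (age, ZIP code, gender, diagnosis). Not real data.
ROWS = [
    (34, "32901", "F", "asthma"),
    (36, "32903", "F", "diabetes"),
    (37, "32904", "F", "asthma"),
    (52, "32935", "M", "hypertension"),
    (55, "32937", "M", "asthma"),
    (58, "32934", "M", "diabetes"),
    (61, "32940", "F", "hypertension"),
    (29, "32901", "M", "asthma"),
]

def raw_qi(row):
    """Quasi-identifier tuple as stored: exact age, 5-digit ZIP, gender."""
    age, zip_code, gender, _ = row
    return (age, zip_code, gender)

def generalized_qi(row):
    """Generalized tuple: 20-year age band and 3-digit ZIP prefix (assumed bins)."""
    age, zip_code, gender, _ = row
    low = age // 20 * 20
    return (f"{low}-{low + 19}", zip_code[:3], gender)

def risk_report(rows, qi_of):
    """Group rows into equivalence classes and score them (prosecutor model)."""
    classes = Counter(qi_of(r) for r in rows)  # class key -> class size
    smallest = min(classes.values())
    return {
        "classes": len(classes),
        "smallest_class": smallest,
        # Worst case: the record(s) in the smallest equivalence class.
        "prosecutor_max": 1 / smallest,
        # Mean of 1/class_size over all records equals classes / records.
        "prosecutor_avg": len(classes) / len(rows),
        # Records that are alone in their class (risk of 1.0 each).
        "unique_records": sum(1 for size in classes.values() if size == 1),
    }

if __name__ == "__main__":
    for label, qi_of in (("raw", raw_qi), ("generalized", generalized_qi)):
        print(label, risk_report(ROWS, qi_of))
```

After generalization the average risk halves, but two records are still alone in their equivalence classes, so the maximum prosecutor risk stays at 1.0 and those records need further generalization or masking before re-scoring.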