Masking Data: Personal Health Information
Healthcare Industry
IBM Optim, HIPAA Compliance, Data Privacy

Our client is one of the most active health insurance companies in the US. The company operates in three segments. Its Health Care division offers HMOs, PPOs, point-of-service (POS) plans, health savings accounts, and traditional indemnity coverage, along with dental, vision, behavioural health, and Medicare plans. Our client covers more than 15 million individuals under its health plans, some 13 million dental plan members, and 10 million pharmacy members. Its Group Insurance segment sells life, disability, and long-term care insurance, covering about 15 million people. The Large Case Pensions segment offers pensions, annuities, and other retirement savings products.

The Technical Challenge

Our client faced significant challenges after the Health Insurance Portability and Accountability Act (HIPAA) was put into effect. Under the direction of its internal legal and compliance groups, our client put a plan in place to obfuscate credit card information (CCI), personal health information (PHI), and personally identifiable information (PII) data across all systems enterprise-wide. To become HIPAA compliant, our client needed a toolset and a partner that understood not only PeopleSoft but also masking data for credit card information (CCI), personal health information (PHI), and personally identifiable information (PII).

Having lead multiple projects for companies in the health insurance industry, BTRG was able to tackle the client’s data masking needs head-on while remaining HIPAA complaint. One major task concerning HIPAA compliance was incorporating the HIPAA Privacy Ruleenterprise-wide.  The HIPAA Privacy Rule protects all individually identifiable health information including name, address, birth date and social security number, that is held or shared by a covered entity or its affiliate, in any form whether electronic, paper or oral. The Privacy Rule calls this information, protected health information (PHI).

Working for IBM Lab Services, BTRG configured data masking for both the internal HRMS system and the instance of PeopleSoft used to support HIPAA client disability claims requests. The client claims instance presented a distinct challenge primarily with personal identifiable information where EMPLID was shuffled by pay group.  In addition, there was a complex relationship between SSN, Case ID, and EMPLID where a person could have worked at several companies and consequently may have different EMLIDs and cases.

Optim™ proved capable of tying, the required data elements together, to resolve this issue. A big win for our client was presented by the fact that PeopleSoft served as the upstream source for data in 30 downstream applications, such that when PeopleSoft was masked, this masked the downstream applications as well, providing a strong ROI.

Our client manages disability insurance on behalf of millions of clients, and as a public company is subject to constant audit scrutiny due to HIPAA Privacy regulations regarding how personal health information is protected. Finding PHI in among the 45,000 plus tables and ensuring the appropriate relationships stemming from application business logic both in the core applications as well as custom additions proved to be a significant part of this project.

Finding target data elements was achieved leveraging scripts, brought to the engagement by BTRG. Various patient health and personally identifiable data elements not specifically supported by Optim™ needed to be developed leveraging the base masking algorithms and fictional data supplied by the client.

The project took about 30 weeks and was completed within budget. Work was performed both on and offsite and the team included a Project Manager, customer SMEs, DBAs, and Business Analysts. BTRG mentored client throughout the project leaving them with the skills and tools needed to maintain and use the new system.

For more information contact:

Jason Wyjad
Business Development Manager
Data Management Solutions
647-299-2381 or jwyjad@btrgroup.com