Wednesday, August 11, 2010

Data Classification

John Moehrke has a comprehensive post on Data Classification. As privacy and security considerations are codified within electronic medical records, standards are essential. There are three areas in which I see these standards playing a transformative role, but I'm sure there are others:

  1. HIE Consent Management: There are seven services needed for the creation of HIEs. Many are still under development but the least developed area amongst these is most likely patient consent. See Private Access--one of the potential technology providers in this space.
  2. Release of Information: Much of the business of release-of-information, estimated to be a $1B market [1], depends upon the proper redaction of sensitive information from medical records. Codifying privacy preferences will eventually allow automated release-of-information processing. Mature data classification techniques may enable a disruptive technology to upend this market, which is currently dominated by HealthPort with a $250M annual revenue stream.
  3. Data De-Identification: De-identification is currently a somewhat manual process if you want data that retains some degree of usefulness. HIPAA requires either that a person with knowledge of general statistical principles certify that reverse engineering of identity is not easily possible, or that the 18 fields containing personally identifiable information be removed. Data classification takes us one step closer to automated de-identification.

While on this subject, see Keith Boone's contention that redacted documents should not be considered the same as the original document and hence should not retain signatures that were used to sign the original.
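As an added illustration (not from the original post or the authors it cites), here is a sketch of how field-level classification labels could drive automated redaction for the release-of-information and de-identification cases above, and why the redacted output no longer verifies against the original's signature. The labels, policy table, record and key are all constructed, and an HMAC stands in for a document signature.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; stands in for a signer's key

# Constructed sample record: every field carries a hypothetical classification label.
RECORD = {
    "patient_name": {"value": "Jane Example", "class": "identifier"},
    "ssn": {"value": "000-00-0000", "class": "identifier"},
    "diagnosis": {"value": "Type 2 diabetes", "class": "clinical"},
    "hiv_status": {"value": "negative", "class": "sensitive"},
    "lab_a1c": {"value": "7.1", "class": "clinical"},
    "free_text_note": {"value": "seen with spouse"},  # unlabeled on purpose
}

# Hypothetical policy: which classification labels each purpose may receive.
POLICY = {
    "treatment": {"identifier", "clinical", "sensitive"},
    "release_of_information": {"identifier", "clinical"},
    "research_deidentified": {"clinical"},
}


def canonical(doc):
    """Deterministic byte encoding so equal documents sign identically."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign(doc, key=KEY):
    return hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()


def verify(doc, sig, key=KEY):
    return hmac.compare_digest(sign(doc, key), sig)


def redact(doc, purpose):
    """Keep only fields whose label the purpose allows.

    Fails closed: an unknown purpose raises KeyError, and a field with no
    classification label is dropped rather than released.
    """
    allowed = POLICY[purpose]
    return {k: v for k, v in doc.items() if v.get("class") in allowed}


if __name__ == "__main__":
    original_sig = sign(RECORD)
    for purpose in POLICY:
        out = redact(RECORD, purpose)
        print(purpose, sorted(out), "signature valid:", verify(out, original_sig))
```

Dropping labeled fields is only the mechanical part; whether the remaining data is actually de-identified still depends on the labels being correct and complete.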

[1] market sizing from HealthPort, Inc. S-1 filing with the SEC, 2009
