Data Provenance & Compliance — Summit Audience Segments

1

De-Identification Methodology

Summit applies HIPAA Safe Harbor de-identification (45 CFR §164.514(b)) to all patient data before any use, licensing, or delivery. This method requires the removal of all 18 categories of direct and indirect identifiers specified under the HIPAA Privacy Rule.

Once de-identified in accordance with Safe Harbor standards, data is no longer classified as Protected Health Information (PHI) and is not subject to HIPAA restrictions on use or disclosure. This is the same approach applied across the health data industry by major platforms including IQVIA, Crossix/Veeva, and HealthVerity.

Standard Applied

HIPAA Safe Harbor — 45 CFR §164.514(b)

Identifiers Removed

All 18 categories as defined under the HIPAA Privacy Rule

PHI Classification After De-ID

Not PHI — no HIPAA restrictions apply to use or transfer

Industry Alignment

Standard methodology used by IQVIA, Crossix/Veeva, HealthVerity

The 18 HIPAA Safe Harbor identifiers include: names, geographic subdivisions smaller than a state, dates (except year), phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying numbers or codes. All are stripped prior to data use.

2

Consent & Collection Baseline

All records in Summit's dataset were collected with documented, TCPA-compliant opt-in consent at the point of collection. Summit's longitudinal dataset spans 10 years of behavioral healthcare data (2016–present), covering patient journeys across the full care funnel.

TCPA-Compliant Opt-In: All records obtained through documented opt-in consent flows meeting Telephone Consumer Protection Act requirements.
Longitudinal Depth: 10 years of continuous behavioral healthcare data from 2016 through present day, enabling cohort analysis and long-term condition tracking.
Deterministic Identity Resolution: Patient identity resolved deterministically — not probabilistically — resulting in high-confidence record matching across touchpoints.
Condition-Specific Verticals: Data organized by therapeutic area including Diabetes/CGM, CPAP/BiPAP, GLP-1/Obesity, and sleep therapy indications.
Full-Funnel Signal Coverage: Records span the patient journey — from initial intent signal through qualification and onboarding.

Consent Standard

TCPA-compliant documented opt-in

Data Vintage

2016 – present (10+ years longitudinal)

Identity Resolution

Deterministic (not probabilistic)

Journey Coverage

Intent → Qualification → Onboarding

3

Independent Appraisal

Summit's data collection methodology, consent flows, and data provenance have been independently reviewed and appraised by Data Valuation Partners (DVP), a firm specializing in the assessment and valuation of data assets.

Data Valuation Partners (DVP)

Independent Methodology Review & Appraisal

DVP conducted an independent review of Summit's collection methodology, consent flows, and data provenance. The scope of review covered data sourcing practices, consent documentation, de-identification procedures, and chain-of-custody integrity.

Collection methodology independently reviewed and validated

Consent flows reviewed and validated for compliance

Data provenance and chain of custody validated

DVP appraisal contains no compliance disclaimers or contingencies

The DVP appraisal reflects an unqualified review of Summit's data quality, provenance, and collection practices. The appraisal was issued without compliance disclaimers or contingencies, indicating that DVP found no material issues with the methodology or consent documentation reviewed.

For questions regarding the DVP appraisal or to request supporting documentation for due diligence review, please contact info@summitaudiencesegments.com.