Although there's little evidence that de-identified patient data is being re-identified, concerns about this possibility are increasing, noted Deven McGraw, director of the Privacy Project at the Center for Democracy and Technology (CDT), in a new article published this week in the Journal of the American Medical Informatics Association (JAMIA).
Based on a workshop recently convened by the Privacy Project, McGraw described the issues raised by de-identification of patient data and conveyed a few suggestions about how to resolve them.
The concerns expressed by academics and consumer advocates fall into three categories, she noted: "(1) sufficiency of de-identification methodologies; (2) lack of accountability for unauthorized or inappropriate re-identification; and (3) disapproval of certain uses of de-identified data."
The Health Insurance Portability and Accountability Act privacy rule approves two methods of de-identification: statistical and safe harbor. In the first method, a statistician attests there is very low risk of the data being re-identified; in the second, providers must remove 18 specific patient identifiers from the data. While both have been debated, the risk of re-identification is considered very low with either method.
Nevertheless, some workshop participants recommended that the re-identification of data be made illegal. Such a statute, they said, would have to apply to recipients of de-identified data that are not HIPAA-covered entities. Another way to prevent re-identification, they said, would be to require HIPAA-covered entities to prohibit it in their agreements with business associates.
The participants also discussed ways in which the U.S. Department of Health & Human Services could ensure the continued effectiveness of de-identification methods through periodic reviews. And they recommended greater transparency about the uses of de-identified data to reassure people whose data was included.
A recent issue brief prepared by CDT and Consumers Union complained that health information exchanges were not doing enough to protect the privacy and security of patient data. Among other things, the brief argued that there should be penalties for re-identification of de-identified data.
The Government Accountability Office recently said that HHS' Office for Civil Rights was not adequately protecting the privacy and security of electronic prescribing data when it was used for secondary purposes, such as research, healthcare operations, public health, and drug marketing.
To learn more:
- see the JAMIA article