As hospitals and healthcare organizations adopt new ways to store and share data, privacy and security of the information is a top priority--and with that comes de-identification of data.
When it comes to HIPAA, there are two standards that allow for the sharing of data while maintaining privacy protections, according to privacy attorney Scot Ganow and Khaled El Emam, senior scientist at the Children's Hospital of Eastern Ontario Research Institute, both of whom spoke with HealthcareInfoSecurity.com.
The first HIPAA method for de-identifying data, according to Ganow, of Faruki Ireland & Cox, is to strip out the data and identifiable elements, though, he added that doing so doesn't offer a lot of value. The second, he said, is to de-identify data through the expert determination standard, which allows researchers to "retain a lot of the value of the info ... [while] at the same time carrying a very low risk of re-identification."
Emam, who also serves as the director of the multidisciplinary Electronic Health Information Laboratory at the Children's Hospital institute, also emphasized using the expert determination method, saying it allows for more flexibility.
He told HealthcareInfoSecurity.com that not every organization uses the standards, and in those cases, the data won't be protected.
In addition to HIPAA, the Federal Trade Commission also has de-identification standards, including that an organization takes reasonable steps to de-identify protected data and announces that re-identification of data will not occur.
However, some are not sure that de-identification goes far enough in protecting patients.
Some studies have shown the possible ease with which de-identified data can be linked with a patient, including one by Harvard University researchers who were able to identify and link anonymous participants in a public DNA study with their personal data.
And while HIPAA specifies how data should be de-identified, a report by the Bipartisan Policy Center maintains that too much variability exists in the execution of anonymization.
Emam, though, said that if the process is done right, it is very difficult to re-identify data. He stressed that problems occur when organizations do a "lousy job" with de-identification, and that makes it easy for someone to reverse.
To learn more:
- listen to the HealthcareInfoSecurity.com interview