NOV 27, 2012 12:00pm ET

New Federal Guidance on De-Identifying Patient Information


The HHS Office for Civil Rights has issued lengthy and detailed guidance on two methods for de-identifying protected health information under the HIPAA privacy rule.

More than two dozen frequently asked questions explain the two methods--Expert Determination and Safe Harbor--that satisfy the privacy rule’s standards for de-identification. “This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification,” according to OCR.

The Expert Determination method is defined as:

“(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination.”

The Safe Harbor method involves the removal of dozens of identifiers of the individual, relatives, other household members of the individual and employers. For instance, the removal of just one identifier--dates--includes: “All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.”
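The date rule quoted above can be applied mechanically to a record, as in the following added example, which is not taken from the OCR guidance or from this article. The field names, the `as_of` release date and the choice to suppress the birth year once the subject is over 89 are assumptions made for illustration; that choice is one conservative reading of "all elements of dates (including year) indicative of such age".

```python
from datetime import date

AGE_LIMIT = 89  # ages over 89 are aggregated into one category


def age_on(birth, when):
    """Completed years of age on the date `when`."""
    before_birthday = (when.month, when.day) < (birth.month, birth.day)
    return when.year - birth.year - before_birthday


def deidentify_dates(record, event_fields, as_of):
    """Return a copy of `record` with the quoted date rule applied.

    Assumed schema: record['birth_date'] and every name in event_fields
    hold a datetime.date or None. `as_of` is the date the data set is
    released; age is measured at death if a death date is recorded,
    otherwise at release.
    """
    out = {k: v for k, v in record.items()
           if k != "birth_date" and k not in event_fields}

    birth = record.get("birth_date")
    reference = record.get("death_date") or as_of
    over_limit = birth is not None and age_on(birth, reference) > AGE_LIMIT

    # A birth year that reveals an age over 89 is itself an identifier,
    # so it is dropped and replaced by the aggregate category.
    out["birth_year"] = None if (birth is None or over_limit) else birth.year
    out["age_category"] = "90 or older" if over_limit else None

    # Every other date keeps its year only: month and day are removed.
    for field in event_fields:
        value = record.get(field)
        out[field + "_year"] = value.year if value else None
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "record_id": "constructed-001",
    "birth_date": date(1920, 3, 14),
    "admission_date": date(2012, 5, 2),
    "discharge_date": date(2012, 5, 9),
    "death_date": None,
}
EVENTS = ("admission_date", "discharge_date", "death_date")
RESULT = deidentify_dates(SAMPLE, EVENTS, as_of=date(2012, 11, 27))
```

Dates are only one of the identifier categories the method lists, so a record passed through this function is not de-identified by that step alone.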

The American Recovery and Reinvestment Act of 2009 mandated creation of the guidance, available here.

Comments (2)
Have a national database and let the lawyers and govt remove any identifiers they want so it can be shared without HIPAA problems. Then allow the data to be accessed to improve healthcare by all parties. Data is KING to solving waste.
Posted by Michael A | Saturday, December 01 2012 at 9:47AM ET
OCR's 'guidance' for "de-identifying" health data is totally inadequate to protect sensitive health information.

PROBLEMS:

- There are no penalties for not following the 'guidance'.

- The 'guidance' allows easy 're-identification' of health data. Publicly available data bases of other personal information can be quickly compared electronically with 'de-identified' health data bases, so names can be re-attached, creating valuable, identifiable health data sets.

- The HIPAA "Safe-Harbor" method allows re-identification: even if 18 specific identifiers are removed, .04% of the data can still be 're-identified'.

- Certification by a statistical "expert" that the re-identification risk is "small" allows release of data bases without patient consent.

- There are no requirements to be an "expert"

- There is no definition of "small risk"

- The OCR guidance ignores computer science, which has demonstrated 'de-identification' methods can't prevent re-identification. No single method or approach can work because more and more 'personally identifiable information' is becoming publicly available, making it easier and easier to re-identify health data. See: the "Myths and Fallacies of 'Personally Identifiable Information'" by Narayanan and Shmatikov, June 2010 at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf

Key quotes from the article:

- "Powerful re-identification algorithms demonstrate not just a flaw in a specific anonymization technique(s), but the fundamental inadequacy of the entire privacy protection paradigm based on "de-identifying" the data."

- "Any information that distinguishes one person from another can be used for re-identifying data."

- "Privacy protection has to be built and reasoned about on a case-by-case basis."

SOLUTIONS: OCR should have recommended case-by-case 'adversarial testing' by comparing a "de-identified" health data base to multiple publicly available data bases to determine which data fields must be removed to prevent re-identification.

See PPR's paper on "adversarial testing" at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

Simplest, cheapest, and best of all would be to use the stimulus billions to build electronic systems so patients can electronically consent to data use for research and other uses they approve of. Complex, expensive contracts and difficult 'work-arounds' (like 'adversarial testing') are needed to protect patient privacy because institutions, not patients, control who can use health data. This is not what the public expects and prevents us from exercising our individual rights to decide who can see and use personal health information.

Posted by Deborah P | Wednesday, December 19 2012 at 11:58AM ET