When patient data is used for secondary purposes, such as research, it must be de-identified. But is this process consistently reliable in protecting patient privacy?
A privacy attorney and an experienced researcher explain in an interview with Information Security Media Group that de-identification is reliable if specific methods, as spelled out under HIPAA, are actually used. Too often, they say, those de-identifying data don't do the job effectively because they fail to follow best practices and standards.
Only two methods of de-identification can be used to satisfy the HIPAA Privacy Rule's de-identification standard, explains privacy and security attorney Scot Ganow of the law firm Faruki Ireland & Cox P.L.L.
The "safe harbor" method calls for removing 18 identifiers from patient information, including patient names, ZIP codes, Social Security numbers and birthdates.
The second method, "expert determination," is a more flexible standard that allows professionals to calibrate data de-identification based on the context for which data will be released for secondary purposes, explains Khaled El Emam, senior scientist at the Children's Hospital of Eastern Ontario Research Institute and Director of the multidisciplinary Electronic Health Information Laboratory.
The expert determination method involves using an expert "with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable," according to federal guidance material on the subject (see De-Identification Guidance Offered).
De-identified data is considered HIPAA-compliant "and defensible" if either of these two-approved methods are used in de-identifying patient data, Ganow says.
Some privacy advocates complain that even HIPAA-compliant methods of data de-identification fall short, creating a risk that patients can be re-identified, especially if mistakes are made in the processes (see Sizing Up De-Identification Guidance).
But El Emam contends that privacy protection problems mainly arise when HIPAA guidance is not followed or is applied improperly. "Another mistake is applying only part of the standards. In that case, data is not going to be protected," he says.
"If you do a poor job with de-identification not based on standards, then it's easy for someone to reverse that. But if you do a good job, it's really hard to re-identify the data," El Emam contends.
One of the top reasons why data de-identification is sometimes done improperly is that there's a shortage of skilled individuals who know how to de-identify data according to best practices and standards, El Emam says. "There's a need to increase the pool of individuals who can do this work, he says.
But no method of de-identification is guaranteed to be 100 percent perfect. "When applying data de-identification methods in accordance to HIPAA, the standard is to have a very low risk of re-identification as opposed to saying something is completely de-identified," Ganow says. De-identification "doesn't happen in a silo. You have to think about: Who am I giving the data to? What's the purpose? What agreements and security do I have in place? It's not a silver bullet."
In the interview, Ganow and El Emam discuss:
- Why de-identification is important to managing risk and ensuring patient privacy;
- How the identities of patients with unusual and rare diseases, such as Ebola, can be protected;
- How a shortage of skilled individuals is contributing to poorly de-identified data and why training programs and professional certifications can help.
Ganow is an attorney in the Dayton office of Faruki Ireland & Cox P.L.L. He had more than 10 years of corporate and compliance experience in Fortune 500 companies prior to becoming an attorney, including serving as a chief privacy officer for healthcare and pharmaceutical informatics companies. Ganow also holds the Certified Information Privacy Professional certification; has presented and written extensively on the topics of data protection and de-identification.,
In addition to his work at the Children's Hospital of Eastern Ontario Research Institute, El Emam is founder and CEO of Privacy Analytics Inc., which offers enterprise software to safeguard data used for secondary purposes. Previously, Khaled formerly was a senior research officer at the National Research Council of Canada. He holds the Canada research chair in electronic health information at the University of Ottawa and is an associate professor on the faculty of medicine at the university. He has a PhD from the department of electrical and electronics engineering, King's College, at the University of London, England.