De-Identified Data: The Security Risks
Researchers Conducting HITECH-Mandated Study
A team from the University of Chicago is working on the project with the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology. Once the research is complete, the recommended best practices will be passed on to the HHS Office for Civil Rights, says Deborah Lafky, project officer for security/cybersecurity at ONC.
The Office for Civil Rights ultimately will determine whether existing HIPAA regulations on the issue need to be modified. The HITECH Act called for a report on that issue to be completed by last February.
Under a safe harbor provision in the HIPAA privacy rule, 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research purposes.
Results of Research
In her presentation Tuesday at the HIPAA Summit West conference in San Francisco, Lafky described a study that suggests that tying de-identified data back to individuals is difficult. The study comes after others have contended the HIPAA de-identification standard offers inadequate protection.
The University of Chicago researchers, using a database of 15,000 names from a medical center that was de-identified using the HIPAA safe harbor standard, tried to identify individuals by manually comparing the de-identified data with a publicly available database of information on individuals in the same geographic region with the same ethnic heritage. They could only come up with two correct identifications of individuals in the de-identified database, Lafky said.
Lafky suggested that the HIPAA safe harbor de-identification method is robust and "trying to defeat it is labor-intensive and costly."
In phase two of their study, however, researchers will attempt to pinpoint ways to further reduce the ability to re-identify data, she added.
Congressional Attention
At a recent congressional hearing, David Wu, D-Ore., chairman of the House Subcommittee on Technology and Innovation, questioned whether de-identified information shared with researchers can be re-identified, posing a privacy risk.
In response, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, urged tightening of the HIPAA de-identification standard and called for strong sanctions for violating privacy in this way.
"A number of researchers have documented how easy it is to re-identify some data that qualifies as de-identified under HIPAA," McGraw said in her written testimony.