De-Identified Data: The Security Risks

Researchers Conducting HITECH-Mandated Study
Researchers soon will offer recommendations on best practices for de-identifying data for research studies to protect patient privacy, a security issue highlighted in the HITECH Act.

A team from the University of Chicago is working on the project with the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology. Once the research is complete, the recommended best practices will be passed on to the HHS Office for Civil Rights, says Deborah Lafky, project officer for security/cybersecurity at ONC.

The Office for Civil Rights ultimately will determine whether existing HIPAA regulations on the issue need to be modified. The HITECH Act called for a report on that issue to be completed by last February.

Under a safe harbor provision in the HIPAA privacy rule, 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research purposes.

Results of Research

In her presentation Tuesday at the HIPAA Summit West conference in San Francisco, Lafky described a study that suggests that tying de-identified data back to individuals is difficult. The study comes after others have contended the HIPAA de-identification standard offers inadequate protection.

The University of Chicago researchers, using a database of 15,000 names from a medical center that was de-identified using the HIPAA safe harbor standard, tried to identify individuals by manually comparing the de-identified data with a publicly available database of information on individuals in the same geographic region with the same ethnic heritage. They could only come up with two correct identifications of individuals in the de-identified database, Lafky said.

Lafky suggested that the HIPAA safe harbor de-identification method is robust and "trying to defeat it is labor-intensive and costly."

In phase two of their study, however, researchers will attempt to pinpoint ways to further reduce the ability to re-identify data, she added.

Congressional Attention

At a recent congressional hearing, David Wu, D-Ore., chairman of the House Subcommittee on Technology and Innovation, questioned whether de-identified information shared with researchers can be re-identified, posing a privacy risk.

In response, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, urged tightening of the HIPAA de-identification standard and called for strong sanctions for violating privacy in this way.

"A number of researchers have documented how easy it is to re-identify some data that qualifies as de-identified under HIPAA," McGraw said in her written testimony.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
