Privacy matters: When is personal data truly de-identified?

Computerworld -

The U.S. Department of Health and Human Services (HHS) is about to rule whether health care entities will need to notify patients if their de-identified data -- patient data that has been stripped of all potential for identifying individuals, which is often used for research and development -- is breached. As it stands now, de-identified data is not subject to the new breach-notification rules imposed by the HITECH privacy provisions of the 2009 American Recovery and Reinvestment Act (ARRA) stimulus package. The debate pits privacy activists on the one side -- who often support notification -- with health care organizations on the other, which say the quality of health care hangs in the balance.

This debate hasn't been getting much attention. That's unfortunate, because the outcome could have broader implications within the U.S. and even around the world. Validating that personal data can be de-identified in a way that still retains commercial and social usefulness could set a precedent for many other privacy-related standards and debates.

The ruling will come amid a flood of medical data-breach notifications in California, the first state to impose this requirement. Since January of this year, 823 medical-data breaches were reported to the state government, of which the state investigated 122 and confirmed 116 as breaches. One of them -- inappropriate staff access into the files of the so-called Octomom -- resulted in the statute's maximum fine of $250,000. So, the stakes are high on how the question of de-identified data is resolved.

Let me confess my bias. I think the people who came up with the Health Insurance Portability and Accountability Act (HIPAA) de-identification rule should be given a Presidential Medal of Freedom. I'm exaggerating only a little. The rule is one of the most practical innovations in privacy regulations worldwide and arguably has saved lives.

How does de-identification work? According to part 164.514 of the Code of Federal Regulations, a HIPAA-covered entity has two choices if it wants to de-identify patient data and use it for any purpose such as research and development:

1. The "safe harbor" option, where the entity can remove from its data all of the 18 personal identifiers listed by HIPAA (see Table 1); or
2. The "statistical" option, where the entity can hire a statistician to determine which of the 18 identifiers it can retain without creating more than a "very small" risk that the data could be re-identified when publicly released.

HIPAA also provides a third "limited data set" method. Under these criteria, the covered entity can remove 16 of those 18 identifiers, but guard the remaining data with additional security precautions. It can use the dataset for research and development, but the remaining data is still regarded as protected health information (PHI) subject to HIPAA.