De-identification of Data

Social networking sites, efficient search tools (bing, dogpile, google, yahoo), blogs, cookies, mailing lists, message boards, active x controls/ embedded java script on websites and other databases make it easy to identify that new business prospect or easily cross-reference materials from multiple sources to yield unique insights into a matter of interest.  However, these online repositories of data are making it much more difficult to maintain the anonymity of those whose confidential information has been de-identified.  De-identified data has many useful purposes; the data can be used in its aggregate for tracking disease, flu outbreaks, tax purposes, etc..  There is a darker use of these many data sources, where those in our society that are ethically challenged use these data sources for socially unproductive purposes.  For example cyber-stalking and cyber-harassment are now serious problems for both companies and individuals – if you ever tried to stop such individuals you will note the absence of a well developed corpus of law in these areas.

De-identified Information is information that does not allow an individual to be identified because specified identifiers have been removed.  Scientists have demonstrated they can often “reidentify” or “de-anonymize” individuals hidden in anonymized data. See Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization (August 13, 2009). University of Colorado Law Legal Studies Research Paper No. 09-12. Available at SSRN: http://ssrn.com/abstract=1450006; see also Cassa, Christopher A; Wieland, Shannon C; and Mandl, Kenneth D. Re-identification of home addresses from spatial locations anonymized by Gaussian skew, International Journal of Health Geographics (August 2008) (available at http://www.ij-healthgeographics.com/content/pdf/1476-072X-7-45.pdf)( finding that multiple de-identified versions of the same data set, each anonymized using a method known as nondeterministic Gaussian skew, can be used to ascertain original geographic locations).

The fundamental flaw with anonymizing data methodologies relates to an adversary being able to find a unique data fingerprint (e.g. date of birth, zip code, and gender), and link that data to auxiliary information or outside information.  A potential adversary can use resources such as the web (Google), public records, blogs, social networks, Facebook, etc; the issue is particularly troublesome when multiple organizations independently release anonymized data about the same or similar populations.  The ultimate balance comes in trying to de-identify data sufficient to withstand inspection by a potential adversary, while also remaining useful for public health, or other similar needs.

De-identification of health information on the one hand is essential, but also can be used to embarrass, extort, or otherwise annoy someone whose information has been disclosed.  With respect to Protected Health Information (PHI), the HIPAA Privacy Rule permits covered entities to release data that have been de-identified without obtaining an authorization and without further restrictions upon use or disclosure because de-identified data is not PHI and, therefore, not subject to the Privacy Rule.  Generally a covered entity can de-identify PHI in one of two ways.  The first way, the “safe-harbor” method, is to remove all 18 identifiers enumerated at section 164.514(b)(2) of the regulations.  Data that are stripped of these 18 identifiers are regarded as de-identified, unless the covered entity has actual knowledge that it would be possible to use the remaining information alone or in combination with other information to identify the subject.  However copious amounts of auxiliary information that is publically available on the Internet may render HIPAA safe-harbor protection impossible.  On the other hand the “actual knowledge” requirement may allow for data that could be readily re-identified by a hacker (super user) (i.e. associating a person with the medical or other confidential data), while the covered entity “reasonably” believes the data are de-identified.

The 18 identifiers are:

a)                  Names;

b)                  Geographic subdivisions smaller than a state;

c)                   All elements of dates (except year) related to an individual (including dates of admission, discharge, birth, death and, for individuals over 89 years old, the year of birth must not be used);

d)                  Telephone numbers;

e)                  FAX numbers;

f)                   Electronic mail addresses;

g)                  Social Security numbers;

h)                  Medical record numbers;

i)                    Health plan beneficiary numbers;

j)                    Account numbers;

k)                  Certificate/license numbers;

l)                    Vehicle identifiers and serial numbers including license plates;

m)                Device identifiers and serial numbers;

n)                  Web URLs;

o)                  Internet protocol addresses (IP);

p)                  Biometric identifiers (including finger and voice prints);

q)                  Full face photos and comparable images; and

r)                   Any unique identifying number, characteristic

The second method to de-identify data is to have a qualified statistician determine, using generally accepted statistical and scientific principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, be used to identify the subject of the information.  The qualified statistician must document the methods and results of the analysis that justify such a determination. (See 67 Fed, Reg. 53233 (August 14, 2002.))

As is typically the case — if some method is built into the system to allow for re-identification, then the covered entity may not (1) use or disclose the code or other means of record identification for any purposes other than as a re-identification code for the de-identified data, and (2) disclose its method of re-identifying the information.  In essence the method and key (the code) almost become an encryption method, but like with encryption when the key is compromised the data are compromised.

One study using 1990 census data showed that 87% (216 million of 248 million) of the United States population reported characteristics that made them uniquely identifiable using only three pieces of data:  5-digit ZIP, gender, date of birth.  Fifty-three percent of the U.S. population could be uniquely identified using only gender, location (city, town, or municipality), and date of birth.  At the county level approximately 18% of the U.S. population could be uniquely identified.  L. Sweeney. Uniqueness of Simple Demographics in the U.S. Population, LIDAP-WP4. Carnegie Mellon University, Laboratory for International Data Privacy, Pittsburgh, PA: 2000 (available at http://privacy.cs.cmu.edu/dataprivacy/papers/LIDAP-WP4abstract.html)

Interesting the older the population the easier (the more likely) an individual can be uniquely identified.  Accordingly greater care must be taken with the medical data of elderly populations.  Philippe Golle, Revisiting the Uniqueness of Simple Demographics in the US Population (Palo Alto Research Center October 30, 2006)(available at http://www.truststc.org/wise/articles2009/articleM3.pdf).  Additional research has found that when multiple de-identified data sets are made from overlapping data sets re-identification of data becomes progressively easier.  Accordingly even where extremely large geographical areas are used to aggregate data for population studies this information may still be de-identified.

Unlike de-identified data, a limited data set is even easier to re-identify (albeit there are significant legal restrictions on the use of this information).  A limited data set is one that excludes the direct identifiers in 164.514(e)(2). Unlike a de-identified data set, a limited data set is PHI because it may include dates, city, state, and ZIP codes, and other unique identifying codes or characteristics not listed as direct identifiers.  A limited data set may be used or disclosed, without Authorization, for research, public health, or health care operations purposes, in accordance with section 164.512(e), only if the covered entity and limited data set recipient enter into a data use agreement. However, if the use or disclosure could be made under another provision of the Privacy Rule, such as for public health purposes in accordance with section 164.512(b), such agreement is not required.

“Value-added” de-identification that replaces personal health information with tags that retain temporal sequences and the georgraphic context simply may not work in a networked world.  Covered entities, business associates and others who aggregate and de-identify data sets may need to start limiting the downstream rights of licensees’ of de-identified data, and conduct some type of quality assurance proccess of their de-identification techniques.  What works today to de-identify data may not work in a year however your data will likely still be available somewhere on the Internet.  However, simply removing all personal health information may negate the value of the data.

Other Resources:

Federal Committee on Statistical Methodology, Office of Management and Budge, Statistical Policy Working Paper 22 (Revised 2005)- Report on Statistical Disclosure Limitation Methodology (available at http://www.fcsm.gov/working-papers/SPWP22_rev.pdf).

The New York Times reported in article entitled When 2+2 Equals a Privacy Question “Some healthcare concerns say they have been able to offer study data to researchers stripped of specific personal details like your name, phone number, and email address,” but “in some cases researchers may be able to re-identify you by correlating anonymous information with the digital trail that you’ve left on blogs, chat rooms and Twitter.” (see http://www.nytimes.com/2009/10/18/business/18stream.html)

Related Blogs

• Green-ing the World’s Data: A Q&A With IBM’s VP of Energy and Environment » INFRASTRUCTURIST
• Balloon Juice » Blog Archive » C-Span Gold
• systemic » Inside Information
• C-SPAN Launches Free Searchable Online Video Library | Blogza.in.th
• Fresh Code – Barcode For Freshness Indication by Sisi Yuan, Yiwu Qiu, Lei Zhao, Qiulei Huang, Lijun Zhang & Weihang Shu » Yanko Design

          

Is Truly De-identified Data an Impossibility? originally appeared on Law Blog 2.0 on September 11, 2009.

HIPAA Enforcement

CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal, regulations as of February 16,2006, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.

It appears HHS has taken this critique to heart.  HHS recently released notice of an important shift in the internal responsibility/delegation of authority for the monitoring and enforcement of the HIPAA Security Rule (and all additional health IT-related security responsibilities, under ARRA).  Previously responsibility for administering (interpretation, education, guidance, FAQs, etc), monitoring and enforcing the HIPAA Security Rule was a CMS responsibility (specifically, the CMS Office of E-Standards and Services or CMS/OESS).  The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights (OCR).

As of July 27, 2009 CMS no longer will handle enforcement of the HIPAA Security Rule.  HHS has made the decision to transfer the responsibility to OCR, which will now have the administrative and enforcement authority for both the HIPAA Privacy and HIPAA Security Rules, in addition to all the new ARRA provision on privacy and security (covering security of EHRs).  The Notice will be officially published August 4, 2009 in the Federal Register. (http://www.federalregister.gov/OFRUpload/OFRData/2009-18561_PI.pdf)

Over the past few years since the enactment of both HIPAA Rules, OCR and CMS have worked together on the administration and enforcement of the two rules.  According to their accounting of complaints and cases brought forward, the majority included both Privacy and a Security component.  In addition, the ARRA will result in increased security and enforcement of personal health information on EHRs, it seems HHS thought it would be the right time to make this transition and have a single office within the agency handle both related areas.

It is expected that people will be able to continue filing complaints through the same online system and that during a transition period, CMS will continue to work and now assist OCR in administering the Security enforcement responsibilities, as well as the administration of the Rule.  Increased enforcement is extremely likely.

          

HHS Tranfers Enforcement of the HIPAA Security Rule to OCR (Office of Civil Rights) originally appeared on Law Blog 2.0 on August 5, 2009.