HIPAA Blog

[ Wednesday, June 05, 2013 ]

When States Sell Data: The states of Washington and New York sell "de-identified" databases on hospitalizations, which are useful for researchers, marketers, and others who use "Big Data" to develop products, software, etc. And while name, address, social security number, etc. are stripped out, in some cases there may still be enough information to be able to combine with other information in other publicly-available databases to identify the individual. Bloomberg explains it, and gives a good infographic as well.

This points out a big problem with de-identified data. "Big Data" is the new and coming rage, and we've seen a lot of vendor-provided business associate agreements that specify that the vendor can keep, use, and own any de-identified data it pulls from the PHI it handles. The problem with that is that "de-identified data" might be easily re-identified.

I should note that the WA and NY databases do not meet the "safe harbor" for de-identified data as set out in HIPAA, because it contains dates of service and age (in months instead of years).

Hat tip: Alan Goldberg.

UPDATE: Of course, it's not only states that do this. Congress is trying to push Medicare/Medicaid data online, too.

Jeff [9:55 AM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template