[ Tuesday, October 27, 2015 ]


Data De-Identification Carries Risk Under HIPAA: Interesting article on the risks of re-identification of de-identified data. Two key points: as Deven McGraw points out, de-identification isn't intended to be a zero-risk proposition. In fact, nothing in HIPAA is zero-risk. Even permitted disclosures for treatment purposes can over-expose data. The questions are how low the risk is, what the benefits are, and whether the benefits outweigh the risks.

Second point: spot the red herring.  87% of all Americans are uniquely identified if you know their date of birth, sex, and zip code.  Guess what?  If you add one more data point (social security number), 100% of all Americans are uniquely identified.  However, THAT AIN'T DE-IDENTIFIED DATA!  Under the HIPAA safe harbor for de-identification, you must remove date of birth and replace it with year (and, if the person is 90 or older, you can't even use year, just "90 or older").  And you must remove the last 3 digits of zip code (and if the remaining zip code contains fewer than 20,000 people, you have to remove the entire zip code and only use the state name).  How many Americans are uniquely identified by YEAR of birth, sex and FIRST 2 DIGITS of zip code (or state), Professor Sweeney?

Jeff [9:28 AM]
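The comparison the post asks for can be measured on any dataset by counting how many records are alone in their quasi-identifier group before and after generalization. The sketch below is an added example, not part of the original post: it applies the generalization rules as the post describes them to constructed records. The records, the per-prefix population table, the reference date and all function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample records: (date of birth, sex, 5-digit zip, state).
RECORDS = [
    ("1950-03-14", "F", "75201", "TX"),
    ("1950-07-02", "F", "75219", "TX"),
    ("1950-11-30", "F", "75001", "TX"),
    ("1971-01-09", "M", "75205", "TX"),
    ("1971-06-21", "M", "75230", "TX"),
    ("1920-05-05", "M", "59001", "MT"),
    ("1923-08-17", "M", "59820", "MT"),
    ("1988-12-01", "F", "59715", "MT"),
]
# Constructed population per truncated zip prefix (assumption, not census data).
PREFIX_POPULATION = {"75": 2_500_000, "59": 15_000}
AS_OF = date(2015, 10, 27)  # assumed reference date for computing age
MIN_POPULATION = 20_000     # threshold named in the post


def generalize(dob, sex, zip5, state):
    """Apply the generalization steps as the post describes them."""
    born = date.fromisoformat(dob)
    had_birthday = (AS_OF.month, AS_OF.day) >= (born.month, born.day)
    age = AS_OF.year - born.year - (0 if had_birthday else 1)
    # Date of birth becomes year only; ages 90+ collapse into one bucket.
    year = "90 or older" if age >= 90 else str(born.year)
    # Drop the last 3 zip digits; fall back to state for small areas.
    prefix = zip5[:-3]
    populous = PREFIX_POPULATION.get(prefix, 0) >= MIN_POPULATION
    return (year, sex, prefix if populous else state)


def unique_fraction(rows):
    """Share of rows that are the only member of their group."""
    counts = Counter(rows)
    return sum(1 for r in rows if counts[r] == 1) / len(rows)


def raw_keys():
    return [(dob, sex, zip5) for dob, sex, zip5, _ in RECORDS]


def generalized_keys():
    return [generalize(*r) for r in RECORDS]


if __name__ == "__main__":
    print("unique on DOB/sex/zip:   ", unique_fraction(raw_keys()))
    print("unique after generalizing:", unique_fraction(generalized_keys()))
```

The figures it prints describe only the eight constructed rows; running the same two functions over a real extract gives the uniqueness rate that matters for that dataset.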

