May 21, 2019

May 20, 2019

Erosion of Anonymity: Mitigating the Risk of Re-identification of De-identified Health Data

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify de-identified data stripped of identifiable demographic and health information. In the demonstration, an algorithm was utilized to identify individuals by pairing daily patterns in physical mobility data with corresponding demographic data. This study revealed that re-identification risks can arise when a de-identified dataset is paired with a complementary resource.

In light of this seeming erosion of anonymity, entities creating, using and sharing de-identified data should ensure that they (1) employ compliant and defensible de-identification techniques and data governance principles and (2) implement data sharing and use agreements to govern how recipients use and safeguard such de-identified data.

De-identification Techniques and Data Governance

The HIPAA Privacy Rule (45 C.F.R. §164.502(d)) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications (45 C.F.R. §164.514(a)-(b)).

In 2012, the Office for Civil Rights (OCR) provided guidance on the de-identification standards. Specifically, OCR provided granular and contextual technical assistance regarding (i) utilizing a formal determination by a qualified expert (the “Expert Determination” method); or (ii) removing specified individual identifiers in the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (the “Safe Harbor” method).

As publicly-available datasets expand and technology advances, it becomes more difficult to ensure that the Safe Harbor method sufficiently mitigates re-identification risk. More data and computing power arguably increase the risk that de-identified information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the apparent practical defects in the “Safe Harbor” method, many organizations are applying a more risk-based approach to de-identification through the use of the “Expert Determination” method. This method explicitly recognizes that the risk of re-identification may never be completely removed. Under this method, data is deemed de-identified if, after applying various deletion or obfuscation techniques, the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information . . . .”

In light of the residual risks associated with de-identified data generally, it is important that organizations continue to apply good data governance principles when using and disclosing such data.  These best practices should include: data minimization, storage limitation, and data security.  Organizations should also proceed with caution when linking data sets together in a manner that could compromise the integrity of the techniques used to originally de-identify the data.

Data Sharing and Use Agreements

Regardless of the de-identification approach, the lingering risk of re-identification can be further managed through contracts with third parties who receive such data. Though not required by the Privacy Rule, an entity providing de-identified data to another party should enter into a data sharing and use agreement with the recipient. Such agreements may include obligations to secure the data, prohibit re-identification of the data, place limitations on linking data sets, and contractually bind the recipient to pass on similar requirements to any downstream party with whom the data is subsequently shared. Further, such agreements may include provisions prohibiting recipients from attempting to contact individuals who provided data in the set and may also include audit rights to ensure compliance.

The risk of re-identification may be a tradeoff to realize the vast benefits that sharing anonymized health data provides; however, entities creating, using and sharing de-identified data should do so responsibly and defensibly.

©2019 Epstein Becker & Green, P.C. All rights reserved.

About this Author

Alaap Shah Attorney Healthcare Life Sciences
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

202-861-5320
Elizabeth Scarola Health Care Attorney
Associate

ELIZABETH SCAROLA is an Associate in the Health Care and Life Sciences practice, in the St. Petersburg office of Epstein Becker Green. She brings an insider’s perspective to her health care practice. In addition to her work on strategic, operational, and legal projects for a large, statewide clinically integrated network of hospitals and providers, she has hands-on scientific research experience. Ms. Scarola has conducted independent research in pediatric endocrinology and contributed to such publications as the Journal of the American Medical Association and The New England Journal of Medicine. Her background gives her a deep understanding of health policy, the Affordable Care Act, value-based reimbursement, population health, and translational research.

Ms. Scarola helps health care clients navigate the complexity of implementing strategic and operational initiatives in today’s complex regulatory environment. Her services include:

  • Advising hospital, provider, pharmaceutical, and medical device manufacturer clients on such federal and state regulatory matters as the Anti-Kickback Statute, self-referral laws, HIPAA compliance, and federal and private payor issues (including bundled payments) and risk-based contracting

  • Guiding clients through strategic affiliations and transactions, including mergers, acquisitions, joint ventures, and contract negotiations

  • Drafting and negotiating various contracts, including asset purchase agreements, joint venture agreements, vendor agreements, physician recruitment agreements, physician employment agreements, and medical director agreements

  • Negotiating clinical trial agreements on behalf of hospitals

  • Counseling clients on corporate governance and compliance matters

Before joining Epstein Becker Green, Ms. Scarola was an attorney in the Health Care practice group of a national law firm. Prior to that, she was an instructor for an undergraduate course on health care policy, medical ethics, patient safety, and the Affordable Care Act at the University of Michigan. She holds a Master in Medical Science degree from Boston University School of Medicine and a Master of Health Services Administration from the University of Michigan.

In addition to her work at a large clinically integrated network of hospitals and providers in Michigan, Ms. Scarola served as a Legal Extern in the Offices of Corporate Counsel for a national, not-for-profit Catholic health system based in Michigan and an academic medical center in Indiana, where she analyzed a variety of litigation and transactional issues in collaboration with General Counsel. She also externed at a not-for-profit, specialty hospital in Indiana, where she assisted the hospital in enrolling in the state’s Medicaid waiver program.

Ms. Scarola also has been involved in a variety of volunteer initiatives. She is passionate about her work as a Director of Seeds of Hope for La Victoria, Inc., a nonprofit that provides medical assistance to residents of La Victoria, Dominican Republic. She has been involved with the nonprofit since its founding, traveling to the area over 10 times, as well as leading others on medical mission trips to the region.

727-551-4356