Health IT: The De-Identification Question
Posted at 3:28 p.m. on May 7, 2014
The rise of health apps has expanded the opportunities for individuals’ data to be used for research purposes, policy analysis, and so on. But what are the complexities involved with making sure people are “de-identified” from their own data, so their privacy can be protected? At an FTC workshop today on consumer-generated health data, panelists spent some time talking about whether there should be a uniform standard.
There isn’t a single definition of de-identification or one “rule that governs everybody,” according to Joy Pitts, chief privacy officer at HHS’ Office of the National Coordinator for Health Information Technology. (There is a Department of Health and Human Services document that offers guidance on where de-identification fits into the Health Insurance Portability and Accountability Act, or HIPPA, but there’s no set of industry best practices.)
So, should there be a standard definition? Sally Okun, vice president for advocacy, policy and patient safety at PatientsLikeMe, a website where users share health information with others, said yes, probably. “There should also be within the business model of the company some inherent responsibility for acknowledging the ability to re-identify information that could be used inappropriately,” she said. Re-identifying individuals happens if their scrubbed data is connected back to them in some way.
“I’m not one necessarily to say we need more regulation, but possibly we need guidance and policies that can help frame these conversations more so that its more transparent to consumers.” Okun said.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, said a single standard could be difficult. You want to think about the utility of the information, which he said can’t be done in a “generic” way.
“An effort to do a standard may be really interesting, I just wonder if it wouldn’t boil down to, you know, a few clear cut cases with some more generic case-by-case kind of guidance.” he said.
Earlier, Christopher R. Burrow, an executive vice president of healthcare app company Humetrix, pointed to the HHS de-identification guidance, which cites two studies estimating that more than half of Americans could be “uniquely described” with the combination of gender, zip code and birthday. Burrow said there needs to be a way to avoid reassembling those three facts.