Roll Call: Latest News on Capitol Hill, Congress, Politics and Elections
February 14, 2016

Health IT: The De-Identification Question

The rise of health apps has expanded the opportunities for individuals’ data to be used for research purposes, policy analysis, and so on. But what are the complexities involved with making sure people are “de-identified” from their own data, so their privacy can be protected? At an FTC workshop today on consumer-generated health data, panelists spent some time talking about whether there should be a uniform standard.

There isn’t a single definition of de-identification or one “rule that governs everybody,” according to Joy Pitts, chief privacy officer at HHS’ Office of the National Coordinator for Health Information Technology. (There is a Department of Health and Human Services document that offers guidance on where de-identification fits into the Health Insurance Portability and Accountability Act, or HIPPA, but there’s no set of industry best practices.)

So, should there be a standard definition? Sally Okun, vice president for advocacy, policy and patient safety at PatientsLikeMe, a website where users share health information with others, said yes, probably. “There should also be within the business model of the company some inherent responsibility for acknowledging the ability to re-identify information that could be used inappropriately,” she said. Re-identifying individuals happens if their scrubbed data is connected back to them in some way.

“I’m not one necessarily to say we need more regulation, but possibly we need guidance and policies that can help frame these conversations more so that its more transparent to consumers.” Okun said.

Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, said a single standard could be difficult. You want to think about the utility of the information, which he said can’t be done in a “generic” way.

“An effort to do a standard may be really interesting, I just wonder if it wouldn’t boil down to, you know, a few clear cut cases with some more generic case-by-case kind of guidance.” he said.

Earlier, Christopher R. Burrow, an executive vice president of healthcare app company Humetrix, pointed to the HHS de-identification guidance, which cites two studies estimating that more than half of Americans could be “uniquely described” with the combination of gender, zip code and birthday. Burrow said there needs to be a way to avoid reassembling those three facts.

  • Haymitch Abernathy

    At least one member of the press has the courage to call out Hussein Obama for his lies about your medical care:

    • pingpal

      No bias at Fox News, no sir!

  • darrelldk

    I think dentistry would be a logical place for healthcare to explore de-identification of EHRs – even dentists’ primary records. Dentists do not need social security numbers, addresses and birthdates to perform their work, and there is no black market value for dental histories. The other 18 Protected Health Information items can be safely stored and retrieved from elsewhere, perhaps even on paper. Better yet, a security tool called tokenization, which merchants have been safely using for over a decade, assigns meaningless “tokens” to represent the true value of the personal information which is guarded by the token vendor – thereby eliminating all PHI from the computer except pure dental records. Outside the morgue, dental records are of little use in re-identifying the owner, even if one wanted to. That cannot be said for medical records. Got to start somewhere, and encryption is just not happening.

    • annekimdc

      Interesting. Do you think dentists would be interested in implementing data encryption? Would it be complicated or costly to deploy for dental records, or do you think it would be relatively straightforward?

      • Darrell Pruitt

        Thanks for responding, annekimdc. Sorry I didn’t reply sooner. I wasn’t notified (?) and happened across the article again. You asked, “Do you think dentists would be interested in implementing data encryption?” The fact that very few (if any) dentists have adopted encryption at rest after years of being urged to do so by HHS as well as the American Dental Association, says “No.” Your second question: “Would it be complicated or costly to deploy for dental records, or do you think it would be relatively straightforward?” Compared to sending unencrypted, de-identified dental records in common emails, encryption obviously takes more time. What’s more, encrypting and decrypting massive imaging files is unnecessary if the patient’s name,birth date and 18 other ePHI items are not included in the email.

  • pingpal

    We need to have a single, enforceable standard for de-identification. This will increase certainty for vendors and enable them to have a standard they can use. It works in the computer business — standards are set for the whole industry. The range of USB connectors is the same across the industry. That is what should be done for the healthcare industry as it forges forward into this new territory..

Sign In

Forgot password?



Receive daily coverage of the people, politics and personality of Capitol Hill.

Subscription | Free Trial

Logging you in. One moment, please...