July 3, 2012
Do you know that once your personal health data has been de-identified it is no longer subject to HIPAA regulations and can be used for any purpose? Or that there are algorithms that allow unrelated data sets (medical records, financial records, etc.) to be “linked together,” tying the data back to a specific individual (namely you)? Or that re-identifying individual consumer health information is technically legal?
I didn’t know any of this until I read a recent paper published in the Journal of the American Medical Informatics Association – Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data. The paper focused on the concept and practice of re-identification, or “the linkage of de-identified personal information with an overt identifier which belongs or is assigned to a living or dead individual.”
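The “linkage” behind re-identification is easy to demonstrate. The following Python is an added example written for this post, not code from the JAMIA paper or from OPEN MINDS, and both data sets in it are constructed. A clinical extract has had names and record numbers stripped but still carries sex, full date of birth and 5-digit ZIP; a second, public data set (think of a purchased voter roll) carries the same three fields next to a name. Joining the two on those “quasi-identifiers” attaches a diagnosis to a name whenever the combination is unique, and Latanya Sweeney’s well-known estimate is that roughly 87% of the U.S. population is unique on exactly those three fields. The block also shows the check a data custodian can run before release (k-anonymity over the quasi-identifiers) and an approximation of the date and ZIP rules of HIPAA’s Safe Harbor method, which is one concrete meaning of the “better de-identification methodologies” the post calls for. Function and field names here are the example’s own.

```python
from collections import Counter

# Constructed "de-identified" clinical extract: names, MRNs and addresses were stripped,
# but sex, full date of birth and 5-digit ZIP (all quasi-identifiers) were left in.
DEIDENTIFIED_CLAIMS = [
    {"sex": "F", "dob": "1971-04-12", "zip": "02139", "diagnosis": "major depressive disorder"},
    {"sex": "F", "dob": "1971-11-30", "zip": "02142", "diagnosis": "asthma"},
    {"sex": "M", "dob": "1965-09-30", "zip": "02139", "diagnosis": "hypertension"},
    {"sex": "M", "dob": "1965-02-14", "zip": "02140", "diagnosis": "type 2 diabetes"},
    {"sex": "F", "dob": "1988-01-02", "zip": "02139", "diagnosis": "generalized anxiety"},
    {"sex": "F", "dob": "1988-07-19", "zip": "02141", "diagnosis": "migraine"},
]

# Constructed public, identified data set (think of a purchased voter roll) carrying the
# same quasi-identifiers next to an overt identifier, the name.
VOTER_ROLL = [
    {"name": "A. Example", "sex": "F", "dob": "1971-04-12", "zip": "02139"},
    {"name": "B. Example", "sex": "F", "dob": "1971-11-30", "zip": "02142"},
    {"name": "C. Example", "sex": "M", "dob": "1965-09-30", "zip": "02139"},
    {"name": "D. Example", "sex": "M", "dob": "1965-02-14", "zip": "02140"},
    {"name": "E. Example", "sex": "F", "dob": "1988-01-02", "zip": "02139"},
    {"name": "F. Example", "sex": "F", "dob": "1988-01-02", "zip": "02139"},
    {"name": "G. Example", "sex": "F", "dob": "1988-07-19", "zip": "02141"},
]

QUASI_IDENTIFIERS = ("sex", "dob", "zip")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values the linkage joins on."""
    return tuple(record[f] for f in fields)


def link_records(deidentified, identified, fields=QUASI_IDENTIFIERS):
    """Join the two data sets on the quasi-identifiers. Returns {index of de-identified
    record: [names in the identified set with the same quasi-identifier tuple]}."""
    by_key = {}
    for row in identified:
        by_key.setdefault(qi_key(row, fields), []).append(row["name"])
    return {i: by_key.get(qi_key(row, fields), []) for i, row in enumerate(deidentified)}


def reidentified(deidentified, identified, fields=QUASI_IDENTIFIERS):
    """De-identified records that link to exactly one named person: each of these is a
    diagnosis now attached to a name, which is the re-identification the post describes."""
    links = link_records(deidentified, identified, fields)
    return {i: names[0] for i, names in links.items() if len(names) == 1}


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing a quasi-identifier tuple.
    k == 1 means some record is unique on those fields and is a linkage candidate;
    a release with k >= 2 can never be linked to fewer than two people on those fields."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())


def safe_harbor_generalize(record):
    """Approximation of the date and geographic rules of the HIPAA Safe Harbor method:
    keep only the year of birth and the first three digits of the ZIP code. (The real
    rule has more: 3-digit ZIP areas under 20,000 people become 000, ages over 89 are
    collapsed to 90+, and sixteen other identifier classes must be removed outright.)"""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["zip"] = record["zip"][:3]
    return out


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(DEIDENTIFIED_CLAIMS))
    for i, name in reidentified(DEIDENTIFIED_CLAIMS, VOTER_ROLL).items():
        print(f"record {i} -> {name}: {DEIDENTIFIED_CLAIMS[i]['diagnosis']}")
    safe_claims = [safe_harbor_generalize(r) for r in DEIDENTIFIED_CLAIMS]
    safe_roll = [safe_harbor_generalize(r) for r in VOTER_ROLL]
    print("k-anonymity after generalization:", k_anonymity(safe_claims))
    print("unique links after generalization:", reidentified(safe_claims, safe_roll))
```

On the raw extract five of the six records link to exactly one name (record 4 is ambiguous only because two people in the roll share its sex, birth date and ZIP), and `k_anonymity` reports 1, the warning sign a custodian should look for before release. After the year-and-ZIP3 generalization every quasi-identifier group has at least two members, so no record links uniquely. Two caveats a practitioner should keep in mind: Safe Harbor does not itself guarantee k ≥ 2, it only removes the identifiers the rule lists, so the k check is worth running anyway (or the Expert Determination route taken); and k-anonymity says nothing about the sensitive column, so if everyone in a group of k shares the same diagnosis, linking to the group is as revealing as linking to the person.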
HIPAA recognizes three types of health data sets: fully identifiable protected health information, the limited data set (direct identifiers removed, but dates and some geographic detail retained), and de-identified data. There are many good reasons to create large health data sets of both identifiable and de-identified data, including health care decision support, quality improvement, and medical research. Real-world examples of re-identification, and of commercial uses of linked consumer health data, include a reporter who recently identified the previously obscured identity of a physician in the National Practitioner Data Bank data set (see Who’s Afraid of Performance Data?), an Equifax “ability to pay” service that rates and ranks consumers’ ability to pay for services, and the FICO Medication Adherence Score (see What Is the FICO Medication Adherence Score?).
In the case of FICO, a “predictive analytics” company, the adherence score is produced by an algorithm that takes prescription records and works out who did and did not fill their prescriptions, how consistently patients take their medications (inferred from refill timing), and the conditions for which those medications were likely prescribed. FICO purchases the underlying data from pharmacies and then sells the resulting scores to health care organizations (see FICO Medication Adherence Score).
Consumer concerns about data uses like these are many, including fear of job loss, insurance discrimination, and credit denial (see Dr. Deborah C. Peel’s great 2007 OPEN MINDS Institute for Behavioral Health Informatics keynote, Privacy and Confidentiality Concerns in the Nationwide Health Information Network).
Since all of us are individual consumers of health care services, we should advocate for more specific rules governing the use of our personal health information: prohibitions on the unauthorized re-identification of de-identified data, better de-identification methodologies, and greater public transparency about how data is used. At the organizational level, your organization should have clear policies and procedures covering its electronic health care data: access controls, audit trails, staff training, and access to legal counsel whenever there is any question about how your data is being used, de-identified, or stored in the cloud.
Monica E. Oss
Chief Executive Officer, OPEN MINDS
For another free resource, see: Is Health Information Technology Deregulating Patient Privacy?