Privacy Interests in Prescription Data, Part 2: Patient Privacy

Emam, Khaled El; Kosseim, Patricia

doi:10.1109/msp.2009.47

Cited by 18 publications

(6 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Within the framework of HIPAA, one can then use the statistical standard for de-identification. This is consistent with privacy legislation and regulations in other jurisdictions, which tend not to be prescriptive and allow a more context-dependant interpretation of identifiability [ 26 ].…”

Section: De-identification Standardssupporting

confidence: 82%

See 1 more Smart Citation

Methods for the de-identification of electronic health records for genomic research

Emam

2011

Genome Med

Self Cite

View full text Add to dashboard Cite

Electronic health records are increasingly being linked to DNA repositories and used as a source of clinical information for genomic research. Privacy legislation in many jurisdictions, and most research ethics boards, require that either personal health information is de-identified or that patient consent or authorization is sought before the data are disclosed for secondary purposes. Here, I discuss how de-identification has been applied in current genomic research projects. Recent metrics and methods that can be used to ensure that the risk of re-identification is low and that disclosures are compliant with privacy legislation and regulations (such as the Health Insurance Portability and Accountability Act Privacy Rule) are reviewed. Although these methods can protect against the known approaches for re-identification, residual risks and specific challenges for genomic research are also discussed.

show abstract

Section: De-identification Standardssupporting

confidence: 82%

“…All the publicly known examples of re-identification of personal information have involved identity disclosure [ 17 - 26 ]. Therefore, the focus is on identity disclosure because it is the type that is known to have occurred in practice.…”

Section: De-identification: Definitions and Conceptsmentioning

confidence: 99%

Methods for the de-identification of electronic health records for genomic research

Emam

2011

Genome Med

Self Cite

View full text Add to dashboard Cite

show abstract

“…This concern is strengthened by various investigations that have demonstrated how de-identified health information can be re-identified. [73][74][75][76][77][78][79][80] However, there is a significant difference between the description of a path by which health information could be re-identified and the likelihood that such a path would be leveraged by an adversary in the real world. 81 While geocodes may facilitate patient re-identification, they are not necessarily explicit identifiers in their own right.…”

Section: Ethical Considerationsmentioning

confidence: 99%

Ethical and practical challenges to studying patients who opt out of large-scale biorepository research

Rosenbloom

Madison

Bowton

et al. 2013

J Am Med Inform Assoc

View full text Add to dashboard Cite

Large-scale biorepositories that couple biologic specimens with electronic health records containing documentation of phenotypic expression can accelerate scientific research and discovery. However, differences between those subjects who participate in biorepository-based research and the population from which they are drawn may influence research validity. While an opt-out approach to biorepository-based research enhances inclusiveness, empirical research evaluating voluntariness, risk, and the feasibility of an opt-out approach is sparse, and factors influencing patients' decisions to opt out are understudied. Determining why patients choose to opt out may help to improve voluntariness, however there may be ethical and logistical challenges to studying those who opt out. In this perspective paper, the authors explore what is known about research based on the opt-out model, describe a large-scale biorepository that leverages the opt-out model, and review specific ethical and logistical challenges to bridging the research gaps that remain.

show abstract

“…Known re-identifications of personal information that have actually occurred are identity disclosures, for example: (a) reporters re-identified an individual's records from web search queries publicly posted by AOL [ 35 - 37 ], (b) students re-identified individuals in the Chicago homicide database by linking it with the social security death index [ 38 ], (c) at least one individual was believed to be re-identified by linking their movie ratings in a publicly disclosed Netflix file to another public movie ratings database [ 39 ], (d) the insurance claims records of the governor of Massachusetts were re-identified by linking a claims database sold by the state employees' insurer with the voter registration list [ 31 ], (e) an expert witness re-identified most of the records in a neuroblastoma registry [ 40 , 41 ], (f) a national broadcaster matched the adverse drug event database with public obituaries to re-identify a 26 year old girl who died while taking a drug and did a documentary on the drug afterwards [ 42 ], (g) an individual in a prescriptions record database was re-identified by a neighbour [ 43 ], and (h) the Department of Health and Human Services in the US linked a large medical database with a commercial database and re-identified a number of individuals [ 44 ].…”

Section: Definitionsmentioning

confidence: 99%

De-identifying a public use microdata file from the Canadian national discharge abstract database

Emam

Dankar

et al. 2011

BMC Med Inform Decis Mak

View full text Add to dashboard Cite

BackgroundThe Canadian Institute for Health Information (CIHI) collects hospital discharge abstract data (DAD) from Canadian provinces and territories. There are many demands for the disclosure of this data for research and analysis to inform policy making. To expedite the disclosure of data for some of these purposes, the construction of a DAD public use microdata file (PUMF) was considered. Such purposes include: confirming some published results, providing broader feedback to CIHI to improve data quality, training students and fellows, providing an easily accessible data set for researchers to prepare for analyses on the full DAD data set, and serve as a large health data set for computer scientists and statisticians to evaluate analysis and data mining techniques. The objective of this study was to measure the probability of re-identification for records in a PUMF, and to de-identify a national DAD PUMF consisting of 10% of records.MethodsPlausible attacks on a PUMF were evaluated. Based on these attacks, the 2008-2009 national DAD was de-identified. A new algorithm was developed to minimize the amount of suppression while maximizing the precision of the data. The acceptable threshold for the probability of correct re-identification of a record was set at between 0.04 and 0.05. Information loss was measured in terms of the extent of suppression and entropy.ResultsTwo different PUMF files were produced, one with geographic information, and one with no geographic information but more clinical information. At a threshold of 0.05, the maximum proportion of records with the diagnosis code suppressed was 20%, but these suppressions represented only 8-9% of all values in the DAD. Our suppression algorithm has less information loss than a more traditional approach to suppression. Smaller regions, patients with longer stays, and age groups that are infrequently admitted to hospitals tend to be the ones with the highest rates of suppression.ConclusionsThe strategies we used to maximize data utility and minimize information loss can result in a PUMF that would be useful for the specific purposes noted earlier. However, to create a more detailed file with less information loss suitable for more complex health services research, the risk would need to be mitigated by requiring the data recipient to commit to a data sharing agreement.

show abstract

Privacy Interests in Prescription Data, Part 2: Patient Privacy

Cited by 18 publications

References 3 publications

Methods for the de-identification of electronic health records for genomic research

Methods for the de-identification of electronic health records for genomic research

Ethical and practical challenges to studying patients who opt out of large-scale biorepository research

De-identifying a public use microdata file from the Canadian national discharge abstract database

Contact Info

Product

Resources

About