De-identification

De-identification is the process used to prevent a person’s identity from being connected with information. Common uses of de-identification include human subject research for the sake of privacy for research participants. Common strategies for de-identifying datasets are deleting or masking personal identifiers, such as name and social security number, and suppressing or generalizing quasi-identifiers, such as date of birth and zip code. The reverse process of defeating de-identification to identify individuals is known as re-identification.

Example

A survey is conducted, such as a census, to collect information about a group of people. To encourage participation and to protect the privacy of survey respondents, the researchers attempt to design the survey in such a way that people can participate in the survey and when the result is published it will not be possible to match any participant's individual response with any data published in the result.

Anonymization and de-identification

Anonymization refers to irreversibly severing a data set from the identity of the data contributor in a study to prevent any future re-identification, even by the study organizers under any condition.^[1]^[2] De-identification is also a severing of a data set from the identity of the data contributor, but may include preserving identifying information which could only be re-linked by a trusted party in certain situations.^[1]^[2]^[3] There is a debate in the technology community of whether data that can be re-linked, even by a trusted party, should ever be considered de-identified.

Applications

Research into de-identification is driven mostly for protecting health information.^[4] Some libraries have adopted methods used in the healthcare industry to preserve their readers' privacy.^[4]

Limits

Whenever a person participates in genetics research the donation of a biological specimen often results in the creation of a large amount of personalized data. Such data is uniquely difficult to de-identify.^[5]

Anonymization of genetic data is particularly difficult because of the huge amount of genotypic information in biospecimens,^[5] the ties that specimens often have to medical history,^[6] and the advent of modern bioinformatics tools for data mining.^[6] There have been demonstrations that data for individuals in aggregate collections of genotypic data sets can be tied to the identities of the specimen donors.^[7]

Some researchers have suggested that it is not reasonable to ever promise participants in genetics research that they can retain their anonymity, but instead such participants should be taught the limits of using coded identifiers in a de-identification process.^[2]

De-identification laws in the United States of America

Safe harbor

Sometimes a researcher will have data about human subjects of significance to other researchers and want to share that data. A common case is that hospitals collect large amounts of medical statistics on their patients and it would be useful for medical research for other entities to review that data. In this case, it would be unethical to reveal the identities of the people whose data would be shared, because those people have a right to privacy. In order to share the data, it must first be de-identified so that no particular person can be associated with their data set by anyone who sees the data.

The problem is that it is hard to determine what kind of data can identify a person. One model for determining what data cannot be shared is the United States' policy on protected health information, which gives a list of identifying data. If a researcher removes protected health information from a data set, then the term for that researcher's state is that the researcher is in a "safe harbor" for having taken reasonable action to protect the identities of those whose data the researchers collected.^[8]

Research on decedents

The key law about research in electronic health record data is HIPAA Privacy Rule. This law allows use of electronic health record of deceased subjects for research (HIPAA Privacy Rule (section 164.512(i)(1)(iii)))^[9]

References

↑ 1.0 1.1 Godard, B. A.; Schmidtke, J. R.; Cassiman, J. J.; Aymé, S. G. N. (2003). "Data storage and DNA banking for biomedical research: Informed consent, confidentiality, quality issues, ownership, return of benefits. A professional perspective". European Journal of Human Genetics 11: S88–122. doi:10.1038/sj.ejhg.5201114. PMID 14718939.
↑ 2.0 2.1 2.2 Fullerton, S. M.; Anderson, N. R.; Guzauskas, G.; Freeman, D.; Fryer-Edwards, K. (2010). "Meeting the Governance Challenges of Next-Generation Biorepository Research". Science Translational Medicine 2 (15): 15cm3. doi:10.1126/scitranslmed.3000361. PMC 3038212. PMID 20371468.
↑ http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2244902/
↑ 4.0 4.1 Nicholson, S.; Smith, C. A. (2006). "Using lessons from health care to protect the privacy of library users: Guidelines for the de-identification of library data based on HIPAA". Proceedings of the American Society for Information Science and Technology 42: n/a. doi:10.1002/meet.1450420106.
↑ 5.0 5.1 McGuire, A. L.; Gibbs, R. A. (2006). "GENETICS: No Longer De-Identified". Science 312 (5772): 370–371. doi:10.1126/science.1125339. PMID 16627725.
↑ 6.0 6.1 Thorisson, G. A.; Muilu, J.; Brookes, A. J. (2009). "Genotype–phenotype databases: Challenges and solutions for the post-genomic era". Nature Reviews Genetics 10 (1): 9–18. doi:10.1038/nrg2483. PMID 19065136.
↑ Homer, N.; Szelinger, S.; Redman, M.; Duggan, D.; Tembe, W.; Muehling, J.; Pearson, J. V.; Stephan, D. A.; Nelson, S. F.; Craig, D. W. (2008). Visscher, Peter M., ed. "Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays". PLoS Genetics 4 (8): e1000167. doi:10.1371/journal.pgen.1000167. PMC 2516199. PMID 18769715.
↑ "HIPAA Privacy Rule and Its Impacts on Research". privacyruleandresearch.nih.gov. 2011. Retrieved 9 December 2011.
↑ 45 C.F.R. 164.512)

External links

A training series on United States government de-identification standards
Guidance Regarding Methods for De-identification of Protected Health Information

Personal genomics

Data collection	Biobank Biological database

Field concepts	Biological specimen De-identification Human genetic variation Genetic linkage Single-nucleotide polymorphisms Identity by descent Genetic disorder

Applications	Personalized medicine Predictive medicine Genetic epidemiology

Analysis techniques	Whole genome sequencing Genome-wide association study SNP array

Major projects	Human Genome Project International HapMap Project 　1000 Genomes Project

Telemedicine

Background concepts	Health informatics Telecommunication

Medical record	Admission note Blue Button De-identification Electronic health record Health Insurance Portability and Accountability Act Personal health record

Patient participation	Decision aids Doctor–patient relationship E-patient Health 2.0 Health education Knowledge translation mHealth Participative decision-making Participatory medicine Patient Activation Measure Patient-centered care Shared decision-making

Health information on the Internet	Health information on Wikipedia Online patient education PubMed

Telemedicine subspecialties	eHealth Remote surgery Remote therapy Tele-audiology Tele-epidemiology Teledentistry Teledermatology Telehealth Telemental health Telenursing Teleophthalmology Telepathology Telepharmacy Telepsychiatry Teleradiology Telerehabilitation

Roles to play	Open-source healthcare software Patient opinion leader Research participant Virtual patient