Hostname: page-component-cd9895bd7-jkksz Total loading time: 0 Render date: 2024-12-25T20:25:34.799Z Has data issue: false hasContentIssue false

Weaving Technology and Policy Together to Maintain Confidentiality

Published online by Cambridge University Press:  01 January 2021

Extract

Organizations often release and receive medical data with all explicit identifiers, such as name, address, telephone number, and Social Security number (SSN), removed on the assumption that patient confidentiality is maintained because the resulting data look anonymous. However, in most of these cases, the remaining data can be used to reidenafy individuals by linking or matching the data to other data bases or by looking at unique characteristics found in the fields and records of the data base itself. When these less apparent aspects are taken into account, each released record can map to many possible people, providing a level of anonymity that the recordholder determines. The greater the number of candidates per record, the more anonymous the data.

I examine three general-purpose computer programs for maintaining patient confidentiality when disclosing electronic medical records: the Scrub System, which locates and suppresses or replaces personally identifying information in letters between doctors and in notes written by clinicians; the Datafly System, which generalizes values based on a profile of the data recipient at the time of disclosure; and the μ-Argus System, a somewhat similar system which is becoming a European standard for disclosing public use data.

Type
Article
Copyright
Copyright © American Society of Law, Medicine and Ethics 1997

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Kohane, I. et al., “Sharing Electronic Medical Records Across Heterogeneous and Competing Institutions,” in Cimino, J., ed., Proceedings, American Medical Informatics Association (Washington, D.C.: Hanley & Belfus, 1996): 608–12.Google Scholar
Office of Technology Assessment, Protecting Privacy in Computerized Medical Information (Washington, D.C.: U.S. Government Printing Office, 1993).Google Scholar
See Gostin, L.O. et al., “Privacy and Security of Personal Information in a New Health Care System,” JAMA, 270 (1993): At 2487 (citing Louis Harris and Associates, The Equifax Report on Consumers in the Information Age (Atlanta: Equifax, 1993)).Google Scholar
Louis Harris and Associates, The Equifax-Harris Consumer Privacy Survey (Atlanta: Equifax, 1994).Google Scholar
Cooper, G. et al., “An Evaluation of Machine-Learning Methods for Predicting Pneumonia Mortality,” Artificial Intelligence in Medicine, 9, no. 2 (1997): 107–38.Google Scholar
See Kohane, et al., supra note 1.Google Scholar
Woodward, B., “Patient Privacy in a Computerized World,” 1997 Medical and Health Annual (Chicago: Encyclopedia Britannica, 1996): 256–59.Google Scholar
National Association of Health Data Organizations, A Guide to State-Level Ambulatory Care Data Collection Activities (Falls Church: National Association of Health Data Organizations, Oct. 1996).Google Scholar
Clayton, P. et al., National Research Council, For the Record: Protecting Electronic Health Information (Washington, D.C.: National Academy Press, 1997).Google Scholar
See, for example, Shalala, Donna E., Address at the National Press Club, Washington, D.C. (July 31, 1997).Google Scholar
Woodward, B., “The Computer-Based Patient Record and Confidentiality,” N. Engl. J. Med., 333 (1995): 1419–22.Google Scholar
Linowes, D. and Spencer, R., “Privacy: The Workplace Issue of the ’90s,” John Marshall Law Review, 23 (1990): 591620.Google Scholar
Grady, D., “Hospital Files as Open Book,” New York Times, Mar. 12, 1997, at C8.Google Scholar
See Clayton, et al., supra note 9.Google Scholar
“Who's Reading Your Medical Records,” Consumer Reports, Oct. (1994): 628–32.Google Scholar
Alexander, L. and Jabine, T., Social Security Bulletin: Access to Social Security Microdata Files for Research and Statistical Purposes, 41, no. 8 (1978).Google ScholarPubMed
Sweeney, L., “Replacing Personally-Identifying Information in Medical Records, the Scrub System,” in Cimino, , supra note 1, at 333–37.Google Scholar
Kohane, I., “Getting the Data In: Three-Year Experience with a Pediatric Electronic Medical Record System,” in Ozbolt, J., ed., Proceedings, Symposium on Computer Applications in Medical Care (Washington, D.C.: Hanley & Belfus, 1994): 457–61.Google Scholar
Barnett, G., “The Application of Computer-Based Medical-Record Systems in Ambulatory Practice,” N. Engl. J. Med., 310 (1984): 1643–50.Google Scholar
Anon., Privacy & Confidentiality: Is It a Privilege of the Past?, Remarks at the Massachusetts Medical Society's Annual Meeting, Boston, Mass. (May, 18, 1997).Google Scholar
Government Accounting Office, Fraud and Abuse in Medicare and Medicaid: Stronger Enforcement and Better Management Could Save Billions (Washington, D.C.: Government Accounting Office, HRD-96-320, June 27, 1996).Google Scholar
See Sweeney, , supra note 17.Google Scholar
See National Association of Health Data Organizations, supra note 8.Google Scholar
See Sweeney, L., “Computational Disclosure Control for Medical Microdata, the Datafly System,” Proceedings of the Bureau of the Census Record Linkage Workshop (Washington, D.C.: Bureau of the Census, 1997): Forthcoming.Google Scholar
For guidelines, see Sweeney, L.Guaranteeing Anonymity When Sharing Medical Data, the Datafly System,Proceedings, American Medical Informatics Association (Nashville: Hanley & Belfus, 1997): Forthcoming.Google Scholar
Lasalandra, M., “Panel Told Releases of Med Records Hurt Privacy,” Boston Herald, Mar. 20, 1997, at 35.Google Scholar
Hundepool, A. and Willenborg, L., “mu- and tau-Argus: Software for Statistical Disclosure Control,” Third International Seminar on Statistical Confidentiality (1996) (available at <http://www.cbs.nl/sdc/argus1.html>..>Google Scholar
For a presentation of the concepts on which μ-Argus is based, see Willenborg, L. and De Waal, T., Statistical Disclosure Control in Practice (New York: Springer-Verlag, 1996).Google Scholar
Kirkendall, N. et al., Report on Statistical Disclosure Limitation Methodology, Statistical Policy Working Paper (Washington, D.C.: Office of Management and Budget, no. 22, 1994).Google Scholar
For a more in-depth discussion, see Sweeney supra note 26.Google Scholar
Sweeney, L., “Towards the Optimal Suppression of Details When Disclosing Medical Data, the Use of Sub-Combination Analysis,” Proceedings of the 9th World Conference on Medical Informatics (1998): Forthcoming.Google Scholar
See Kirkendall, et al., supra note 31.Google Scholar
Duncan, G. and Lambert, D., “The Risk of Disclosure for Microdata,” Proceedings of the Bureau of the Census Third Annual Research Conference (Washington, D.C.: Bureau of the Census, 1987): 263–74.Google Scholar
Skinner, C. and Holmes, D., “Modeling Population Uniqueness,” Proceedings of the International Seminar on Statistical Confidentiality (Dublin: International Statistical Institute, 1992): 175–99.Google Scholar
For example, Latanya Sweeney's testimony before the Massachusetts Health Care Committee had a chilling effect on the proceedings that postulated that the release of deidentified medical records provided anonymity. See Session of the Joint Committee on Health Care, Massachusetts State Legislature, (Mar. 19, 1997) (testimony of Latanya Sweeney, computer scientist, Massachusetts Institute of Technology). Though the Bureau of the Census has always been concerned with the anonymity of public use files, they began new experiments to measure uniqueness in the population as it relates to public use files. Computer scientists who specialize in data base security are reexamining access models in light of these works.Google Scholar