Making the Case for De-identification

When sharing sensitive data for secondary purposes, there is no question that the data must be de-identified. As proponents of risk-based de-identification, we advocate for risk-measurement to be a major component to any de-identification initiative. Using risk measurement as part of a data sharing strategy has a two-fold benefit:

  1. It ensures that the appropriate level of de-identification can and will be applied to the dataset, thereby allowing different techniques to be used.
  2. It ensures that there is minimal residual risk contained in the dataset after it has been de-identified. This means your organization is protected in the event of a HIPAA audit or, heaven-forbid, a data breach.

Why do we make the case for de-identification

Having a good case for de-identification helps convince data users of the need for having a systematic and repeatable process for “anonymizing” data – de-identifying the data to the point that the individuals in it are rendered anonymous.

This also addresses any resistance if there is a history of getting data with little or no de-identification – risks are high when sharing protected health information. De-identification in inherently an exercise in risk-management.

When is de-identification necessary

De-identification is required to share data when prior consent to release the data was not obtained. Often it’s not practical to obtain consent (for instance, when a new mother is about to deliver her first child). Regardless of consent, it is permissible to share health data, but it must be de-identified under HIPAA’s guidelines first.

Considerations when de-identifying data

Most data custodians are generally reluctant to disclose personal health information even if permitted. However, demand for health data is growing. This is where the case for de-identification practices come in. By applying rigorous de-identification practices into your organization’s workflow, you balance the need for data while maintaining public trust. There is also serious cost avoidance from data breaches – because properly de-identified data is anonymous.Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.”

Free Webinar: De-Identification 101

Join Privacy Analytics for a high level introduction of de-identification and data masking.
Watch now

Free Download: De-Id 101

You have Successfully Subscribed!