Properly de-identified data is not further controlled by HIPAA and it need not be given the privacy protection of PHI under this regulation (although other laws, standards and practices may apply). As personal information becomes more pervasive and Internet search engines become smarter, demographic data must be considered to be generally available. And there's the problem.

If you claim that it will always be possible to accurately match a set of de-identified data back to a specific patient or, for that matter, that it's always possible to decrypt encrypted information, you are probably correct. These are difficult tasks to accomplish but they aren't impossible.

However, HIPAA doesn't require re-identification to be impossible. It simply requires that the "risk is very small that the information [in question] could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information."

So one issue is how small is "very small"? A probability of zero is as small as you can get but HIPAA doesn't imply that. A probability of one in a million is certainly very small. Isn't a risk of one in one hundred thousand also "very small"? Is 1 in 1,000 no longer a "very small" risk? Where's the law's "reasonable woman" when you need her advice?
________________________________________
James E. McNamee, PhD
Associate Dean of Information Services and CIO
School of Medicine
University of Maryland, Baltimore
Information Services, Room 214
100 N. Greene St.
Baltimore, MD 21201
voice: 410-706-2881
fax:
410-706-4871
e-mail: [EMAIL PROTECTED]