T-Space at The University of Toronto Libraries >
Journal of Medical Internet Research >
Volume 8 (2006) >
Please use this identifier to cite or link to this item:
|Title: ||Evaluating Common De-Identification Heuristics for Personal Health Information|
|Authors: ||El Emam, Khaled|
|Keywords: ||Original Paper|
|Issue Date: ||21-Nov-2006|
|Publisher: ||Gunther Eysenbach; Centre for Global eHealth Innovation, Toronto, Canada|
|Citation: ||Khaled El Emam, Sam Jabbouri, Scott Sams, Youenn Drouet, Michael Power. Evaluating Common De-Identification Heuristics for Personal Health Information. J Med Internet Res 2006;8(4):e28 <URL: http://www.jmir.org/2006/4/e28/>|
|Abstract: ||[This item is a preserved copy and is not necessarily the most recent version. To view the current item, visit http://www.jmir.org/2006/4/e28/ ]
With the growing adoption of electronic medical records, there are increasing demands for the use of this electronic clinical data in observational research. A frequent ethics board requirement for such secondary use of personal health information in observational research is that the data be de-identified. De-identification heuristics are provided in the Health Insurance Portability and Accountability Act Privacy Rule, funding agency and professional association privacy guidelines, and common practice.
The aim of the study was to evaluate whether the re-identification risks due to record linkage are sufficiently low when following common de-identification heuristics and whether the risk is stable across sample sizes and data sets.
Two methods were followed to construct identification data sets. Re-identification attacks were simulated on these. For each data set we varied the sample size down to 30 individuals, and for each sample size evaluated the risk of re-identification for all combinations of quasi-identifiers. The combinations of quasi-identifiers that were low risk more than 50% of the time were considered stable.
The identification data sets we were able to construct were the list of all physicians and the list of all lawyers registered in Ontario, using 1% sampling fractions. The quasi-identifiers of region, gender, and year of birth were found to be low risk more than 50% of the time across both data sets. The combination of gender and region was also found to be low risk more than 50% of the time. We were not able to create an identification data set for the whole population.
Existing Canadian federal and provincial privacy laws help explain why it is difficult to create an identification data set for the whole population. That such examples of high re-identification risk exist for mainstream professions makes a strong case for not disclosing the high-risk variables and their combinations identified here. For professional subpopulations with published membership lists, many variables often needed by researchers would have to be excluded or generalized to ensure consistently low re-identification risk. Data custodians and researchers need to consider other statistical disclosure techniques for protecting privacy.|
|Description: ||Reviewer: Tu, Jack|
Reviewer: Fefferman, Nina
|Rights: ||© Khaled El Emam, Sam Jabbouri, Scott Sams, Youenn Drouet, Michael Power. Originally published in the Journal of Medical Internet Research (http://www.jmir.org), 21.11.2006. Except where otherwise noted, articles published in the Journal of Medical Internet Research are distributed under the terms of the Creative Commons Attribution License (http://www.creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited, including full bibliographic details and the URL (see "please cite as" above), and this statement is included.|
|Appears in Collections:||Volume 8 (2006)|
Items in T-Space are protected by copyright, with all rights reserved, unless otherwise indicated.