Wednesday, July 1, 2009

Will Stronger Privacy Protections Result in Better Health Data? The Health Privacy Project Recommendations

The Health Privacy Project of the Center for Democracy & Technology (CDT) recently released a paper arguing for changes in how the HIPAA Privacy Rule protects "de-identified" health information. The recommendations grow from a one-day, CDT workshop held in September 2008. The Health Privacy Project makes the following eight recommendations:

1. Re-examine the Privacy Rule de-identification provisions (in particular, the safe harbor method for de-identification);
2. Strengthen accountability by requiring data use agreements;
3. Expand data anonymization options under the Privacy Rule;
4. Provide incentives to use less than fully identifiable data for certain purposes;
5. Provide support through “Centers of Excellence” in de-identification;
6. Require or encourage the use of limited access datasets and other technical solutions;
7. Require education and training of staff de-identifying data; and
8. Consider increasing public transparency regarding uses of de-identified data.


The Project argues that the HHS needs to re-examine the Privacy Rule "to ensure that the de-identification standard remains robust as re-identification becomes easier."

For readers struggling with the "Babel" of data privacy vocabulary (for example, what's the difference between "anonymous" and "anonymized"?), these recommendations may open the door to additional confusion, especially if #3 (above) means that additional categories of protected data are created. The Privacy Rule currently offers two categories data which are exempt from regulation: "de-identified" (presumed to be beyond the risk of re-identification and therefore not regulated) and not fully identifiable, "limited data sets" (incomplete data which includes some identifiers, for example: birth dates). While the Rule's current categories may seem simple, The Health Privacy Project notes that a "one-size-fits-all de-identification approach" does not, one the one hand, meet the diverse data needs of researchers and health providers, nor does it, on the other hand, provide sufficient protections in era of evolving data technologies.

Reference:

The Health Privacy Project, Center for Democracy & Technology. Encouraging the use of, and rethinking protections for de-identified (and “anonymized”) health data. Center for Democracy & Technology, June 2009. http://www.cdt.org/healthprivacy/20090625_deidentify.pdf

Related:

Knoppers BM, Saginur M. The Babel of genetic data terminology. Nat Biotechnol. 2005 Aug;23(8):925-7. PubMed PMID: 16082354.

Sharyl J. Nass, Laura A. Levit, and Lawrence O. Gostin, Editors; Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Institute of Medicine. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, D.C.: Institute of Medicine, The National Academies Press, 2009. http://www.nap.edu/catalog.php?record_id=12458

Other Stories in the News

Your Genes Aren’t Covered for That: One Year Later, Gaps in Genetic Discrimination Legislation Reveal the Challenges Ahead. Susannah Baruch, Science Progress. June 29, 2009.

FDA’s Current Ability to Regulate Genetic Testing Is Problematic, FDLI-AAAS Colloquium Attendees Say. Food and Drug Law Institute (FDLI) and the American Association for the Advancement of Science (AAAS) [Press Release]. June 22, 2009. http://www.fdli.org/press/pressrelease/062209.pdf

New Comparative Effectiveness Bill Enhances Dx, Genomics Focus. Matt Jones, GenomeWeb. June 18, 2009.

The GINA Law: Consumer Protection in a New Era of Genetic Testing Research Report. N. Lee Rucker, M.S.P.H., AARP Public Policy Institute, May 2009. http://www.aarp.org/research/health/prevention/fs156_gina.html

-- J.O.

No comments: