http://techliberation.com/2009/05/28/de-identified-sometimes-you-can-disagree-with-yourself/ Keeping politicians' hands off the Net & everything else related to technology Tue, 14 Feb 2012 19:26:00 +0000 hourly 1 http://wordpress.org/?v=3.2.1 http://techliberation.com/2009/05/28/de-identified-sometimes-you-can-disagree-with-yourself/comment-page-1/#comment-65082 Deven McGraw Thu, 04 Jun 2009 02:08:43 +0000 http://techliberation.com/?p=18518#comment-65082 <p>Thanks for the opportunity to explain in more detail what some have identified as conflicting (or should I say schizophrenic) statements from the Center for Democracy & Technology (CDT) about the privacy risks posed by “de-identified” data. (When we say "de-identified," we’re talking about data that is considered de-identified per the HIPAA standard.) The perceived disconnect in our rhetoric illustrates the challenges of advocating on this issue before different audiences. The challenge is especially pronounced when, as here, one context is adversarial and tends to favor positions that are strong and straightforward, while the other context is deliberative and has greater tolerance for nuance.<br><br>CDT used stronger language in the legal brief primarily because we were in a litigation posture. Our goal was to clearly refute the notion that de-identified data (de-identified per the HIPAA standard) poses the same privacy risks to individuals as fully identified data. This was a position espoused by a number of the legislators who supported the New Hampshire statute (and hence it was part of the legislative history). The brief actually does note that there is a risk to patient privacy in the form of re-identifying patients using HIPAA de-identified data. The brief also states that HIPAA protections could be enhanced, including by strengthening prohibitions against re-identification of de-identified data. But you are correct, the quote you pulled out of our brief dwarfs these other qualifying statements.<br><br>Equating HIPAA de-identified data with fully identifiable data significantly undermines our ability to advocate that most (or at least more) secondary uses of data be undertaken with either de-identified (or lesser identified) data that is sufficiently protected against re-identification. Using data in “less identified” form (while protecting it against re-identification) minimizes the risk to individual privacy while allowing data to be accessed for activities that can improve health care and contribute to the public good.<br><br>The more nuanced position we took in our comments to HHS raised concerns about de-identified data being exempt from breach notification requirements. Here, the lack of strong protections against re-identification is the issue – and the exemption for de-identified data means that patients won’t be notified even if the data is subsequently re-identified. The “safe harbor” method, which is the one most commonly used to de-identify, is more than five years old, and the world has changed dramatically since that time (particularly with respect to the availability of data). “Safe harbor” needs a thorough review, so we asked for and supported the provision in HITECH that requires HHS to study this standard. This more nuanced position is also reflected in a white paper on de-identification we will publish later this month. <br><br>So yes, this is a difficult issue. The study by HHS gives us an opportunity to engage in a public dialogue about ways to best resolve it. We hope it will be a vigorous and productive debate.</p> Thanks for the opportunity to explain in more detail what some have identified as conflicting (or should I say schizophrenic) statements from the Center for Democracy & Technology (CDT) about the privacy risks posed by “de-identified” data. (When we say “de-identified,” we’re talking about data that is considered de-identified per the HIPAA standard.) The perceived disconnect in our rhetoric illustrates the challenges of advocating on this issue before different audiences. The challenge is especially pronounced when, as here, one context is adversarial and tends to favor positions that are strong and straightforward, while the other context is deliberative and has greater tolerance for nuance.

CDT used stronger language in the legal brief primarily because we were in a litigation posture. Our goal was to clearly refute the notion that de-identified data (de-identified per the HIPAA standard) poses the same privacy risks to individuals as fully identified data. This was a position espoused by a number of the legislators who supported the New Hampshire statute (and hence it was part of the legislative history). The brief actually does note that there is a risk to patient privacy in the form of re-identifying patients using HIPAA de-identified data. The brief also states that HIPAA protections could be enhanced, including by strengthening prohibitions against re-identification of de-identified data. But you are correct, the quote you pulled out of our brief dwarfs these other qualifying statements.

Equating HIPAA de-identified data with fully identifiable data significantly undermines our ability to advocate that most (or at least more) secondary uses of data be undertaken with either de-identified (or lesser identified) data that is sufficiently protected against re-identification. Using data in “less identified” form (while protecting it against re-identification) minimizes the risk to individual privacy while allowing data to be accessed for activities that can improve health care and contribute to the public good.

The more nuanced position we took in our comments to HHS raised concerns about de-identified data being exempt from breach notification requirements. Here, the lack of strong protections against re-identification is the issue – and the exemption for de-identified data means that patients won’t be notified even if the data is subsequently re-identified. The “safe harbor” method, which is the one most commonly used to de-identify, is more than five years old, and the world has changed dramatically since that time (particularly with respect to the availability of data). “Safe harbor” needs a thorough review, so we asked for and supported the provision in HITECH that requires HHS to study this standard. This more nuanced position is also reflected in a white paper on de-identification we will publish later this month.

So yes, this is a difficult issue. The study by HHS gives us an opportunity to engage in a public dialogue about ways to best resolve it. We hope it will be a vigorous and productive debate.

]]> http://techliberation.com/2009/05/28/de-identified-sometimes-you-can-disagree-with-yourself/comment-page-1/#comment-61952 Deven McGraw Wed, 03 Jun 2009 22:08:43 +0000 http://techliberation.com/?p=18518#comment-61952 <p>Thanks for the opportunity to explain in more detail what some have identified as conflicting (or should I say schizophrenic) statements from the Center for Democracy & Technology (CDT) about the privacy risks posed by “de-identified” data. (When we say "de-identified," we’re talking about data that is considered de-identified per the HIPAA standard.) The perceived disconnect in our rhetoric illustrates the challenges of advocating on this issue before different audiences. The challenge is especially pronounced when, as here, one context is adversarial and tends to favor positions that are strong and straightforward, while the other context is deliberative and has greater tolerance for nuance.<br><br>CDT used stronger language in the legal brief primarily because we were in a litigation posture. Our goal was to clearly refute the notion that de-identified data (de-identified per the HIPAA standard) poses the same privacy risks to individuals as fully identified data. This was a position espoused by a number of the legislators who supported the New Hampshire statute (and hence it was part of the legislative history). The brief actually does note that there is a risk to patient privacy in the form of re-identifying patients using HIPAA de-identified data. The brief also states that HIPAA protections could be enhanced, including by strengthening prohibitions against re-identification of de-identified data. But you are correct, the quote you pulled out of our brief dwarfs these other qualifying statements.<br><br>Equating HIPAA de-identified data with fully identifiable data significantly undermines our ability to advocate that most (or at least more) secondary uses of data be undertaken with either de-identified (or lesser identified) data that is sufficiently protected against re-identification. Using data in “less identified” form (while protecting it against re-identification) minimizes the risk to individual privacy while allowing data to be accessed for activities that can improve health care and contribute to the public good.<br><br>The more nuanced position we took in our comments to HHS raised concerns about de-identified data being exempt from breach notification requirements. Here, the lack of strong protections against re-identification is the issue – and the exemption for de-identified data means that patients won’t be notified even if the data is subsequently re-identified. The “safe harbor” method, which is the one most commonly used to de-identify, is more than five years old, and the world has changed dramatically since that time (particularly with respect to the availability of data). “Safe harbor” needs a thorough review, so we asked for and supported the provision in HITECH that requires HHS to study this standard. This more nuanced position is also reflected in a white paper on de-identification we will publish later this month. <br><br>So yes, this is a difficult issue. The study by HHS gives us an opportunity to engage in a public dialogue about ways to best resolve it. We hope it will be a vigorous and productive debate.</p> Thanks for the opportunity to explain in more detail what some have identified as conflicting (or should I say schizophrenic) statements from the Center for Democracy & Technology (CDT) about the privacy risks posed by “de-identified” data. (When we say “de-identified,” we’re talking about data that is considered de-identified per the HIPAA standard.) The perceived disconnect in our rhetoric illustrates the challenges of advocating on this issue before different audiences. The challenge is especially pronounced when, as here, one context is adversarial and tends to favor positions that are strong and straightforward, while the other context is deliberative and has greater tolerance for nuance.

CDT used stronger language in the legal brief primarily because we were in a litigation posture. Our goal was to clearly refute the notion that de-identified data (de-identified per the HIPAA standard) poses the same privacy risks to individuals as fully identified data. This was a position espoused by a number of the legislators who supported the New Hampshire statute (and hence it was part of the legislative history). The brief actually does note that there is a risk to patient privacy in the form of re-identifying patients using HIPAA de-identified data. The brief also states that HIPAA protections could be enhanced, including by strengthening prohibitions against re-identification of de-identified data. But you are correct, the quote you pulled out of our brief dwarfs these other qualifying statements.

Equating HIPAA de-identified data with fully identifiable data significantly undermines our ability to advocate that most (or at least more) secondary uses of data be undertaken with either de-identified (or lesser identified) data that is sufficiently protected against re-identification. Using data in “less identified” form (while protecting it against re-identification) minimizes the risk to individual privacy while allowing data to be accessed for activities that can improve health care and contribute to the public good.

The more nuanced position we took in our comments to HHS raised concerns about de-identified data being exempt from breach notification requirements. Here, the lack of strong protections against re-identification is the issue – and the exemption for de-identified data means that patients won’t be notified even if the data is subsequently re-identified. The “safe harbor” method, which is the one most commonly used to de-identify, is more than five years old, and the world has changed dramatically since that time (particularly with respect to the availability of data). “Safe harbor” needs a thorough review, so we asked for and supported the provision in HITECH that requires HHS to study this standard. This more nuanced position is also reflected in a white paper on de-identification we will publish later this month.

So yes, this is a difficult issue. The study by HHS gives us an opportunity to engage in a public dialogue about ways to best resolve it. We hope it will be a vigorous and productive debate.

]]> http://techliberation.com/2009/05/28/de-identified-sometimes-you-can-disagree-with-yourself/comment-page-1/#comment-59533 Deven McGraw Wed, 03 Jun 2009 21:08:43 +0000 http://techliberation.com/?p=18518#comment-59533 <p>Thanks for the opportunity to explain in more detail what some have identified as conflicting (or should I say schizophrenic) statements from the Center for Democracy & Technology (CDT) about the privacy risks posed by “de-identified” data. (When we say "de-identified," we’re talking about data that is considered de-identified per the HIPAA standard.) The perceived disconnect in our rhetoric illustrates the challenges of advocating on this issue before different audiences. The challenge is especially pronounced when, as here, one context is adversarial and tends to favor positions that are strong and straightforward, while the other context is deliberative and has greater tolerance for nuance.<br><br>CDT used stronger language in the legal brief primarily because we were in a litigation posture. Our goal was to clearly refute the notion that de-identified data (de-identified per the HIPAA standard) poses the same privacy risks to individuals as fully identified data. This was a position espoused by a number of the legislators who supported the New Hampshire statute (and hence it was part of the legislative history). The brief actually does note that there is a risk to patient privacy in the form of re-identifying patients using HIPAA de-identified data. The brief also states that HIPAA protections could be enhanced, including by strengthening prohibitions against re-identification of de-identified data. But you are correct, the quote you pulled out of our brief dwarfs these other qualifying statements.<br><br>Equating HIPAA de-identified data with fully identifiable data significantly undermines our ability to advocate that most (or at least more) secondary uses of data be undertaken with either de-identified (or lesser identified) data that is sufficiently protected against re-identification. Using data in “less identified” form (while protecting it against re-identification) minimizes the risk to individual privacy while allowing data to be accessed for activities that can improve health care and contribute to the public good.<br><br>The more nuanced position we took in our comments to HHS raised concerns about de-identified data being exempt from breach notification requirements. Here, the lack of strong protections against re-identification is the issue – and the exemption for de-identified data means that patients won’t be notified even if the data is subsequently re-identified. The “safe harbor” method, which is the one most commonly used to de-identify, is more than five years old, and the world has changed dramatically since that time (particularly with respect to the availability of data). “Safe harbor” needs a thorough review, so we asked for and supported the provision in HITECH that requires HHS to study this standard. This more nuanced position is also reflected in a white paper on de-identification we will publish later this month. <br><br>So yes, this is a difficult issue. The study by HHS gives us an opportunity to engage in a public dialogue about ways to best resolve it. We hope it will be a vigorous and productive debate.</p> Thanks for the opportunity to explain in more detail what some have identified as conflicting (or should I say schizophrenic) statements from the Center for Democracy & Technology (CDT) about the privacy risks posed by “de-identified” data. (When we say “de-identified,” we’re talking about data that is considered de-identified per the HIPAA standard.) The perceived disconnect in our rhetoric illustrates the challenges of advocating on this issue before different audiences. The challenge is especially pronounced when, as here, one context is adversarial and tends to favor positions that are strong and straightforward, while the other context is deliberative and has greater tolerance for nuance.

CDT used stronger language in the legal brief primarily because we were in a litigation posture. Our goal was to clearly refute the notion that de-identified data (de-identified per the HIPAA standard) poses the same privacy risks to individuals as fully identified data. This was a position espoused by a number of the legislators who supported the New Hampshire statute (and hence it was part of the legislative history). The brief actually does note that there is a risk to patient privacy in the form of re-identifying patients using HIPAA de-identified data. The brief also states that HIPAA protections could be enhanced, including by strengthening prohibitions against re-identification of de-identified data. But you are correct, the quote you pulled out of our brief dwarfs these other qualifying statements.

Equating HIPAA de-identified data with fully identifiable data significantly undermines our ability to advocate that most (or at least more) secondary uses of data be undertaken with either de-identified (or lesser identified) data that is sufficiently protected against re-identification. Using data in “less identified” form (while protecting it against re-identification) minimizes the risk to individual privacy while allowing data to be accessed for activities that can improve health care and contribute to the public good.

The more nuanced position we took in our comments to HHS raised concerns about de-identified data being exempt from breach notification requirements. Here, the lack of strong protections against re-identification is the issue – and the exemption for de-identified data means that patients won’t be notified even if the data is subsequently re-identified. The “safe harbor” method, which is the one most commonly used to de-identify, is more than five years old, and the world has changed dramatically since that time (particularly with respect to the availability of data). “Safe harbor” needs a thorough review, so we asked for and supported the provision in HITECH that requires HHS to study this standard. This more nuanced position is also reflected in a white paper on de-identification we will publish later this month.

So yes, this is a difficult issue. The study by HHS gives us an opportunity to engage in a public dialogue about ways to best resolve it. We hope it will be a vigorous and productive debate.

]]> http://techliberation.com/2009/05/28/de-identified-sometimes-you-can-disagree-with-yourself/comment-page-1/#comment-59460 What Is “De-Identified”? | Think Tank West Thu, 28 May 2009 17:53:40 +0000 http://techliberation.com/?p=18518#comment-59460 <p>[...] a post at the TechLiberationFront blog, I discuss the fluidity of important concepts in information policy — and catch a friendly [...]</p> [...] a post at the TechLiberationFront blog, I discuss the fluidity of important concepts in information policy — and catch a friendly [...]

]]>