September 28, 2018: Assessing and Reducing Risk of Re-identification When Sharing Sensitive Research Datasets (Greg Simon, MD, MPH, Deven McGraw, JD, MPH, Khaled El Emam, PhD)

Posted on by Gina Uhlenbrauck

Speakers

Gregory Simon MD, MPH
Investigator, Kaiser Permanente Washington Health Research Institute

Deven McGraw, JD, MPH, LLM
General Counsel & Chief Regulatory Officer, Ciitizen

Khaled El Emam, PhD
Department of Pediatrics, University of Ottawa
Children’s Hospital of Eastern Ontario Research Institute

Topic

Assessing and Reducing Risk of Re-identification When Sharing Sensitive Research Datasets

Keywords

Clinical trials; Research ethics; Data security; Data sharing; Sensitive research data; De-identified data

Key Points

  • The cycle of risk de-identification involves setting a risk threshold, measuring the risk, evaluating the risk, and applying transformations to reduce the risk.
  • The Safe Harbor method of de-identification (removal of 18 categories of data) is a legal minimum standard that does not take context into account, and may not be sufficient when sharing sensitive data publicly.
  • A higher standard for de-identification is the “Expert Determination” method, whereby an expert with contextual knowledge of the broader data ecosystem can determine whether the risk is “not greater than very small.”
  • With increasing concern about the risks of sensitive data sharing, it is important to be transparent with data participants and continue to build trust for data uses.

Discussion Themes

When is a dataset safe for sharing? What is the risk of re-identification, and how can we reduce the risk? Consider who you are releasing the data to and what other kinds of data might they have access to that could potentially lead to re-identification.

For more information on the de-identification of protected health information, visit the U.S. Department of Health and Human Services’s Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The Health Information Trust Alliance de-identification framework identifies 12 criteria for a successful de-identification program and methodology.

Tags

#pctGR, #PragmaticTrials, #HealthData, @HealthPrivacy @Collaboratory1, @PCTGrandRounds