Posting 'anonymized' research data may pose threats to patient privacy

Even with "anonymized" data, there's a substantial risk that an attacker could identify an individual patient's health records from publicly posted databases -- a threat that cannot always be prevented by current protective measures. The review was co-authored by healthcare management expert Liam O'Neill, PhD, of University of North Texas-Health Science Center; anesthesiologist Franklin Dexter, MD, PhD, of University of Iowa: and computer scientist Nan Zhang, PhD, of George Washington University.

Patient Data Potentially at Risk in 'De-Identified' Databases

Open sharing of healthcare databases is viewed as a means of ensuring research integrity, enabling other researchers to independently validate the findings. Before posting online, the research data are "de-identified" to remove identifiable information.

But in recent years, it has become clear even anonymized data can put patient privacy at risk. The authors are especially concerned about the risks of posting data from small studies or series of patients from a few hospitals -- a type of data commonly used for research in anesthesiology and surgery.

Knowing even a few pieces of information may enable an "adversary" to identify individual patients. In one example, researchers showed that by matching voter registration data to a de-identified healthcare database, it was possible to "re-identify" the health records of a public figure.

"For anesthesia studies, the variables most likely to result in identification of individuals are the combination of hospital and surgical procedures," Dr. O'Neill and coauthors write. Especially for less commonly performed procedures, matching the data to a specific individual would be relatively easy.

The article discusses the methods of attack used by adversaries and the current defense methods -- each of which has its limitations. Simply complying with the HIPAA's "Safe Harbor" privacy rules does not protect against all attacks. "While the methods available to those who would undermine privacy have undergone rapid development, the methods of 'defense' have not achieved similar breakthroughs," according to the authors.

In a case study, they evaluated the "population uniqueness" of patients in a Texas surgical database, which included more than 2.8 million records. While the uniqueness of records was low for most patients, Dr. O'Neill and colleagues write, "An adversary would have about a 42.8 percent chance of linking the anesthesia record to the hospital database, and thereby discovering the patient's sensitive information." While this risk is unacceptably high, it would be even higher using data from less-populous states.

The safeguards adopted in fields such as economics and business may not be sufficient for healthcare journals, the authors suggest. Drs. O'Neill, Dexter, and Zhang propose policies that journals in anesthesia and other medical specialties could adopt to help reduce threats to patient privacy. For example, data could be maintained in a specified format, to be supplied to qualified researchers on request to the journal editor.

Dr. Steven L. Shafer of Stanford University, Editor-in-Chief of Anesthesia & Analgesia, believes the new paper will have profound implications for digital sharing of patient data, "For my entire term as Editor, I have pushed authors to share data, under the assumption that anonymized data could be safely shared," he comments. "Our authors show that this is not the case.

"For the editors of major medical journals, this article will quickly ice their plans to promote scientific exchange of data," Dr. Shafer adds. "I don't like what this paper demonstrates, but it is better to know an uncomfortable truth than to remain ignorant."