EHIP

Paul Ohm recently put out an article where he makes the dramatic claim that de-identification has failed (see http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006). I have heard that argument before and the argument’s primary weakness is amplified in this article – therefore I feel compelled to comment.

Paul Ohm’s argument about the failure of anonymization is based on evidence that does not actually support his point. Therefore, his overall argument about de-identification is very questionable. Below I will explain why.

The key point is that existing re-identifications successes demonstrate the de-identification does not work. This, of course, assumes that the datasets that were re-identified was properly anonymized – it was not. One example that Ohm uses to make his case is the insurance database released in Massachusetts more than a decade ago (pre-HIPAA). That database was not properly anonymized and no professional working in this field would say that that was a properly anonymized database. The Group Insurance Commission did a lousy job. The second example is AOL – which again is an example of a database that was not properly anonymized. AOL did a lousy job in anonymizing their database. In fact the examples he cites were cases where the custodian did not use existing re-identification risk measurement techniques and did not use de-identification techniques that are available in the literature. We know how to de-identify datasets properly (up to a pre-specified threshold) and in none of those examples was this done. There is no example of a database that has been properly de-identified being re-identified.

So I want to make a distinction between lousy practice and good practice. Being a software engineer in a previous life, I will use a software example. There are different levels of maturity in software development: lousy and good. We measure project risk using a maturity scale. If I see a couple of software projects that produce buggy software and do not deliver on time, I would not conclude that all software development is lousy and therefore software engineering is dead and should be abandoned – which is what Ohm’s reasoning would lead me to. It just happened that I selected a couple of low maturity projects, and if I had selected high maturity projects I would have a very different picture.

Ohm has taken examples of poorly de-identified datasets that were re-identified  and drew broad conclusions from those. A truly sophisticated custodian would measure the risk of re-identification (see http://www.jamia.org/cgi/content/abstract/15/5/627 and the references therein for examples), and if it is too high then the custodian would use a contemporary de-identification technique to de-identify the data (see http://www.jamia.org/cgi/content/abstract/M3144v1 and the references therein for examples).

If a custodian discloses a dataset that has proper identity and attribute disclosure control (ie, the risk of re-identification is below a threshold), and an intruder demonstrates that the risk of re-identification is higher than the threshold, then there should be concern. This article does not demonstrate that at all. However, a valid conclusion from the article would be that if you do lousy de-identification then the data is easy to re-identify.

Therefore, extreme caution is advised here.

Greater adoption of electronic health records and health information exchanges could be as transformative for the U.S. health care system as online financial transactions have been for the commercial marketplace and online social networking sites have been for human interaction.

But health data are highly personal and have a level of individual sensitivity for which there are few, if any, parallels. Increasing access to this data greatly increases the privacy risks. 

Some non-treatment uses of health data—including quality, research and public health—can be done with data where sufficient patient identifiers have been removed to make it anonymous to the recipient.

However, it is difficult to require or encourage the use of data stripped of identifiers when the law provides few options for data "anonymization." The Privacy Rule in HIPAA provides for two types of anonymized data:  de-identified data and the limited data set.

Qualified statisticians can certify that data meet this standard, or health entities can use the "safe harbor" method, which requires the removal of 18 specific categories of data.

A limited data set is stripped of many categories of identifiers but information often needed for research and public health purposes (such as birth dates, dates of treatment and some geographic data) is retained. 

Further, de-identification and the limited data set are not as protective as they once were, and this is particularly true for the limited data set and de-identification using the "safe harbor" method, where specific categories of data must be removed.

Our health care system needs to be more data-driven than it is today, and using this data in less identifiable form greatly reduces the risk to privacy.

However, this is only the case if our standards for de-identification and anonymization are stringent and evolve as public access to data in general increases, and we have sufficient protections against re-identification.

Automated summary from: iHealth Beat

A Seattle man was sentenced to more than three years in prison Tuesday for using the Limewire file-sharing service to lift personal information from computers across the U.S.

The man, Frederick Wood, typed words like "tax return" and "account" into the Limewire search box, said Kathryn Warma, assistant U.S. attorney in the Computer Hacking and Internet Crimes Unit of the U.S. Attorney's Office. That allowed him to find and access computers on the Limewire network with shared folders that contained tax returns and bank account information.

Wood also searched specifically for forms that parents fill out to apply for college financial aid for their children, which include "exhaustive personal and financial information about the family," Warma said.

Warma's advice to people who want to avoid becoming victims of this kind of identity theft was to "get Limewire off your computers." Even the added security features in the most recent version can be circumvented, she said.

Automated summary from: PCWorld

A Boston University graduate student was ordered yesterday to pay four record labels a total of $675,000 in damages for illegally downloading 30 songs and sharing them online in only the second such lawsuit to go to trial.

The verdict was reached the day after Tenenbaum, a 25-year-old doctoral student in physics, unapologetically admitted from the witness stand that he had illegally downloaded and shared hundreds of songs from 1999 to at least 2007 through peer-to-peer networks.

As a result of his admission, US District Judge Nancy Gertner ruled Thursday night that Tenenbaum had conceded liability, and she directed the jury to consider only how much he should pay in damages.

Tenenbaum's attorney, Harvard Law professor Charles Nesson, who told jurors his client is part of a generation that thinks nothing about downloading music for free, said he will appeal.

“It was not a fair verdict because the jury never got to hear the fairness issue,’’ he said. He was referring to Gertner's ruling before jury selection that the defense could not argue that Tenenbaum had the right to download and share songs under the fair use doctrine of copyright law.

In the only other downloading lawsuit to go to trial, a federal jury in Minnesota in June ordered a woman in that state to pay record labels $1.92 million for infringing on the copyrights of 24 songs.

Automated summary from: The Boston Globe

Getting doctors and hospitals to electronically collect, store and share your patient health records has been one of the great hurdles of the decade.

Now the health care community is getting on board, thanks in no small part to financial incentives that will be provided by taxpayers. However, building a nationwide system that helps health care providers access patients' records when the patients arrive for care is proving to be a more difficult challenge.

Congress gave a big push to adopting electronic health records (EHRs) this year by including $45 billion in incentive payments to doctors and hospitals in the economic stimulus law.

However, a critical piece might be missing: So far, there is no fully functioning national information exchange system that can securely collect and share patient medical data and then deliver the data when it's needed.

Most likely, the Nationwide Health Information Network will be assigned that role. Although the NHIN, which the Health and Human Services Department developed, has shown that health data exchanges can work, health officials say it is not ready for a broad and central role for health data sharing.

Also, NHIN's existing design might not be the answer. Some experts say there is an urgent need to retool the entire NHIN architecture.

Concerns about competition, innovation and overall health care reform are unresolved issues that also affect the viability of health information exchange as currently conceived.

Overall, there is hope that the NHIN technology will evolve quickly to fulfill the needs for health information exchange, but there also is caution about chugging forward without a deliberate and conscious effort at redesign. But the pressure to complete the system is intensifying, and observers agree that some part of the vision might be sacrificed.

Automated summary from: Federal Computer Week

Dr. David Sundwall, a registered physician in Utah who is serving as a camp doctor in Maine, called in a prescription to a Vermont pharmacy on Friday for a patient across Lake Champlain in New York.

That's the promise of an electronic records system, he said at a meeting of the State Alliance for e-Health, a group co-chaired by Vermont Gov. Jim Douglas and Tennessee Gov. Phil Bredesen, that is working to help states adopt information technology in health care as part of the American Recovery and Reinvestment Act.

"If we're going to transform health care in America, improve quality and reduce costs we have to use information technology to the fullest extent possible," said Douglas, the new National Governors Association chairman.

But much of the progress can be made only after the federal government puts in place the certification of standards for IT systems, gets grants out to the states for training and designs a national health IT network, Douglas said.

“I really believe that information technology is going to make a difference: It's going to reduce costs; it's going improve the quality of care; it's going to reduce errors; it's going to reduce unnecessary care. That's what we're trying to accomplish: not just to automate things, but to improve health outcomes for the people of our state."

Automated summary from: Business Week

MORE than 10 years after she tried without success to have a baby, Marcy Campbell Krinsk is still receiving painful reminders in her mail.

Marketers got hold of her name, and she found coupons and samples in her mail that shadowed the growth of an imaginary child—at first, for Pampers and baby formula, then for discounts on family photos, and all the way through the years to gifts suitable for an elementary school graduate.

Krinsk thought that her prescription information was private. But in fact, prescriptions, and all the information on them—including not only the name and dosage of the drug and the name and address of the doctor, but also the patient's address and Social Security number—are a commodity bought and sold in a murky marketplace, often without the patients' knowledge or permission.

That may change if some little-noted protections from the Obama administration are strictly enforced. The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information, as happened to Britney Spears, Maria Shriver and Farrah Fawcett before she died in June.

The law won't shut down the medical data mining industry, but there will be more restrictions on using private information without patients' consent and penalties for civil violations will be increased.

Selling data to drug manufacturers is still allowed, if patients’ names are removed. But the stimulus law tightens one of the biggest loopholes in the old privacy rules. Pharmacy companies like Walgreens have been able to accept payments from drug makers to mail advice and reminders to customers to take their medications, without obtaining permission. Under the new law, the subsidized marketing is still permitted but it can no longer promote drugs other than those the customer already buys.

Automated summary from: The New York Times

Through the Internet, we're reshaping the ways we do business, communicate and represent ourselves to the world. The good news is, we can embrace these changes without surrendering our privacy.

Privacy protection can and ought to be at the heart of innovative tools -- not only as a matter of legal compliance, but also as a principle of product design.

Privacy is best protected by good product design. In fact, Canada has a well-functioning private-sector privacy regime. Internet companies, just like their brick-and-mortar brethren, are legally accountable for the ways they collect, use and disclose personal information.

Google's approach is to build products that harness the power of the Internet while protecting privacy for the benefit of hundreds of millions of people worldwide, including tens of millions of Canadians. That's why we have built facial and license-plate blurring into Google Street View and why we make it easy for Canadians to request that we remove any image containing themselves, their kids, their cars or their homes -- even if the image is already blurred.

Of course, to make sensible choices people must have products that let them make such choices. Innovators should therefore develop applications in which privacy is built in from the start, so that Canadians can control the parts of themselves they reveal to the world.

Automated summary from: National Post

On Wednesday, August 5, EFF Civil Liberties Director Jennifer Granick put out a call for new technology.

"We need technology. Citizens need technology to protect themselves because the law is not doing it," she said in an address to privacy experts at the Privacy Enhancing Technologies Symposium held at the University of Washington in Seattle.

Perhaps the most worrisome issue she described is the use by law enforcement of GPS tracking technologies. GPS radios have become so cheap and small that agents are using blow darts to attach them to cars, she said.

"There's no statute that controls [GPS monitoring], so if the Fourth Amendment doesn't protect you, you're out of luck," she said. The Fourth Amendment, which protects people in the U.S. from unreasonable search and seizure, will only protect people from GPS tracking in their homes.

Until new laws are set to deal with modern developments, technology can help, she said. "We civil libertarians are doing what we can to make the law better, but we have a really long way to go. We have huge gaps and we need technology to fill that void. We need good, secure technology that works but is simple enough for normal people to use," Granick said.

Automated summary from: PCWorld

Fraudsters, identity thieves, stalkers and vengeance-seekers are using the Internet to solicit, track and prey on victims, often by taking advantage of the vast amount of personal information available online. While such information is a gold mine for imposters and stalkers, its collection, use and trading by non-criminals can be equally damaging for the individuals whose personal information is at issue.

Canada has a reasonably good set of data-protection laws. However, at least one study has shown that there is widespread non-compliance with Canadian privacy laws, especially in the commercial sector.

This is not surprising given that the costs of non-compliance are minimal.

Privacy laws should apply to non-commercial as well as commercial activities. They should prohibit collection and use of kids' data, other than in exceptional cases. They should require meaningful consent, not just an easily overlooked opt-out check box. And we should be able to hold others accountable under privacy laws without undue effort and cost -- it's time to put some teeth into our privacy laws.

Automated summary from: National Post