The research paper “Risks to Patient Privacy: A Re-identification of Patients in Maine and Vermont Statewide Hospital Data” reveals that patients’ personal records in hospitals can still be re-identified even when identifiers such as names and addresses have been removed to follow the HIPAA Safe Harbor de-identification guidelines.
The Health Insurance Portability and Accountability Act, otherwise known as HIPAA, provides privacy rules to protect patient data in hospitals as well as the data held by health insurance providers. However, a 2013 survey found cases of disclosed patient data in 33 out of 48 states. This was later followed by a study that re-identified 43 percent of individuals from Washington state by correctly matching their hospital data to local newspaper articles and anonymized hospital visit records.
To find out whether this result was unique to Washington state, and whether other states were safe from data re-identification, this study tested health data from Maine and Vermont using the same re-identification methods. The findings show that 28.3 percent of individuals in Maine and 34 percent of individuals in Vermont were successfully re-identified.
“Such findings suggest that patients’ personal information is vulnerable to re-identification even when hospital data is de-identified according to HIPAA Safe Harbor guidelines,” the authors of the study concluded. “We call for more rigorous inquiry on the vulnerabilities that exist even when following HIPAA Safe Harbor as a standard for de-identification.”
Re-identification of patient data matters because it reveals sensitive information that can be misused without the patient’s consent. The study suggests that all states improve their de-identification practices and guarantee patient data protection.
The paper was authored by Ji Su Yoo, research analyst at the Institute for Quantitative Social Science; Alexandra Thaler ’19; Latanya Sweeney, professor of Government and Technology in Residence; and Jinyan Zang, Ph.D. candidate in government.