Thursday, December 06, 2012
Here Is Another Very Good Reason For Not Putting Sensitive Information In Your NEHRS / PCEHR
The following appeared a few days ago:
30 November, 2012 Julie Robotham
Patients and GPs are wary about the use of electronic health records for public health research, even if the data is de-identified, according to a UK study with implications for Australia’s development of the sector.
Fiona Stevenson from the Department of Primary Care and Population Health, at University College London, approached 800 patients from the two general practices chosen to evaluate an “opt out” system for patients whose medical and social security records otherwise could be linked through electronic identifiers and stored in a “safe haven”, for later de-identified use by researchers. Half of the patients she selected had opted out.
A spokeswoman for Australia’s Department of Health and Ageing said de-identified personally controlled electronic health record (PCEHR) data could be used for research. Next year the government would develop, “more detailed guidance about access to the PCEHR data for research purposes,” and would seek input from patients.
Full article here:
Then we read this from the US Government.
November 29, 2012 | By Dan Bowman
Neither the expert determination method nor the safe harbor method of de-identifying patient data is 100 percent effective, according to new guidance released this week by the U.S. Department of Health & Human Services' Office for Civil Rights. While both methods can lower the risk of re-identifying data to minuscule levels, neither is completely secure, OCR officials write.
"There is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds," the guidance says.
For the expert determination method, a person deemed an expert--a.k.a., someone "with appropriate knowledge of and experience with generally accepted statistical and scientific principles for rendering information not individually identifiable"--uses their expertise to measure the risk of re-identification for certain sets of data. In a blog post written this week by FierceHealthIT Advisory Board member David Harlow, Harlow says it's worth noting that OCR says that expert determinations should only be valid for a finite amount of time.
Here are the relevant links:
- here's the guidance (.pdf)
- read Harlow's blog post
All I can say is that it is up to you if you believe DoHA and NEHTA can do a better job than the experts in the US in the task of data de-identification. Me, I won’t take the risk, and will apply the ‘happy to see the information on the front page of the SMH or The Age’ test to the content I provide to these systems.
Posted by Dr David G More MB PhD at Thursday, December 06, 2012