From Health IT Analytics:
Adequately de-identifying healthcare data is critical for health systems, payers, and other stakeholders to ensure HIPAA compliance. However, the advent of newer technologies, such as artificial intelligence (AI) and connected devices, has created questions about ensuring patient privacy while enabling data sharing and access to improve care and drive medical breakthroughs.
At its most basic, de-identification refers to the principle of being unable to re-identify a person based on the information in their medical record, which often involves removing or hiding information such as the individual’s name, date of birth, gender, or address.
Beyond this basic level of de-identification to obscure explicitly personal information, healthcare stakeholders need to be aware of additional information and levels of identifiability to protect patient information.
Many people misunderstand de-identification. Certainly, the patient’s name and other unique identifiers should be removed. But there is also identification inherent in the pattern of care, the diagnosis, prescriptions, and other characteristics which can be used to re-identify specific patients, especially when there is a known dataset.
“In other words, there are additional safeguards and controls that go beyond the mere extraction of personally identifiable information,” [Suraj Kapa, MD] said. “So fine, you eliminate the medical record number, you eliminate the name, you eliminate the address, you eliminate all this other stuff from individual records. However, say you’re running a large analytic function across, say, the US, on patients with a specific type of cancer and trying to understand what we call social determinants of health.”