Re: Privacy laws
De-identifying health care data isn't difficult. The HIPAA Privacy Rule describes two de-identification approaches, Expert Determination and Safe Harbor. Every de-identification project I've worked on used the Safe Harbor method described in section 164.514(b)(2) of the Privacy Rule. This method prescribes the removal of 18 types of identifiers like name, address, birth date, etc.
De-identified health care data can only be re-identified if a link between the original and de-identified data is maintained and available when trying to reverse the process. I have never worked on a data de-identification project that maintained a link between the original and de-identified data. This was always a conscious decision on our part. Maintaining such a link is a major security risk, and there wasn't a valid use case that would've justified taking the risk. No such use case exists in my opinion.
Health care data de-identification should be a one-way process. I hope the persons responsible for de-identifying this latest data set followed the Safe Harbor guidelines and did not make the process reversible.
Thomas C. Mueller, MBA, CDMP, CHPA
Director of Technical Delivery
Forward Health Group, Inc.
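
The one-way Safe Harbor process described in the post above, as an added example that is not the poster's or their employer's code. The field names, the sample records and the contents of `LOW_POPULATION_ZIP3` are constructed assumptions, and the example covers only the name, record-number, date, age and ZIP code categories.

```python
import secrets
from datetime import date

# Allowlist (assumed schema): only fields known to carry no identifier are copied.
KEEP_FIELDS = {"sex", "diagnosis_code"}

# Constructed placeholder values. Safe Harbor requires "000" for 3-digit ZIP
# prefixes covering 20,000 or fewer people; build the real set from Census data.
LOW_POPULATION_ZIP3 = {"036", "059"}


def deidentify(record: dict, today: date) -> dict:
    """Return a de-identified copy; nothing that maps back to `record` is kept."""
    out = {k: record[k] for k in KEEP_FIELDS if k in record}

    # Dates related to the individual keep the year only.
    out["admit_year"] = record["admit_date"].year

    # Ages over 89 are aggregated into a single "90+" category, and the birth
    # date itself is dropped because it would reveal such an age.
    born = record["birth_date"]
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    out["age"] = "90+" if age >= 90 else age

    # ZIP code is truncated to three digits, or zeroed for sparse areas.
    zip3 = record["zip"][:3]
    out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3

    # Random row ID: not a hash or encryption of the MRN, and no lookup table
    # is written, so there is no link to reverse.
    out["record_id"] = secrets.token_hex(8)
    return out


# Constructed sample records.
SAMPLE = [
    {"name": "Jane Example", "mrn": "MRN-0001", "birth_date": date(1930, 3, 14),
     "zip": "03601", "admit_date": date(2023, 11, 2), "sex": "F",
     "diagnosis_code": "E11.9"},
    {"name": "John Example", "mrn": "MRN-0002", "birth_date": date(1980, 9, 20),
     "zip": "53703", "admit_date": date(2024, 1, 15), "sex": "M",
     "diagnosis_code": "I10"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(deidentify(row, today=date(2024, 6, 1)))
```

Running the function twice on the same input yields different `record_id` values, which is the property that distinguishes it from a keyed or hashed pseudonym that could be recomputed from the source data.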