Consumer-mediated health information exchanges: the 2012 ACMI debate.

The American College of Medical Informatics (ACMI) sponsors periodic debates during the American Medical Informatics Fall Symposium to highlight important informatics issues of broad interest. In 2012, a panel debated the following topic: "Resolved: Health Information Exchange Organizations Should Shift Their Principal Focus to Consumer-Mediated Exchange in Order to Facilitate the Rapid Development of Effective, Scalable, and Sustainable Health Information Infrastructure." Those supporting the proposition emphasized the need for consumer-controlled community repositories of electronic health records (health record banks) to address privacy, stakeholder cooperation, scalability, and sustainability. Those opposing the proposition emphasized that the current healthcare environment is so complex that development of consumer control will take time and that even then, consumers may not be able to mediate their information effectively. While privately each discussant recognizes that there are many sides to this complex issue, each followed the debater's tradition of taking an extreme position in order emphasize some of the polarizing aspects in the short time allotted them. In preparing this summary, we sought to convey the substance and spirit of the debate in printed form. Transcripts of the actual debate were edited for clarity, and appropriate supporting citations were added for the further edification of the reader.

Privacy Risks of Sharing Data from Environmental Health Studies.

BACKGROUND: Sharing research data uses resources effectively; enables large, diverse data sets; and supports rigor and reproducibility. However, sharing such data increases privacy risks for participants who may be re-identified by linking study data to outside data sets. These risks have been investigated for genetic and medical records but rarely for environmental data. OBJECTIVES: We evaluated how data in environmental health (EH) studies may be vulnerable to linkage and we investigated, in a case study, whether environmental measurements could contribute to inferring latent categories (e.g., geographic location), which increases privacy risks. METHODS: We identified 12 prominent EH studies, reviewed the data types collected, and evaluated the availability of outside data sets that overlap with study data. With data from the Household Exposure Study in California and Massachusetts and the Green Housing Study in Boston, Massachusetts, and Cincinnati, Ohio, we used k-means clustering and principal component analysis to investigate whether participants' region of residence could be inferred from measurements of chemicals in household air and dust. RESULTS: All 12 studies included at least two of five data types that overlap with outside data sets: geographic location (9 studies), medical data (9 studies), occupation (10 studies), housing characteristics (10 studies), and genetic data (7 studies). In our cluster analysis, participants' region of residence could be inferred with 80%-98% accuracy using environmental measurements with original laboratory reporting limits. DISCUSSION: EH studies frequently include data that are vulnerable to linkage with voter lists, tax and real estate data, professional licensing lists, and ancestry websites, and exposure measurements may be used to identify subgroup membership, increasing likelihood of linkage. Thus, unsupervised sharing of EH research data potentially raises substantial privacy risks. Empirical research can help characterize risks and evaluate technical solutions. Our findings reinforce the need for legal and policy protections to shield participants from potential harms of re-identification from data sharing. https://doi.org/10.1289/EHP4817.

Re-identification Risks in HIPAA Safe Harbor Data: A study of data from one environmental health study.

Researchers are increasingly asked to share research data as part of publication and funding processes and to maximize the benefits of publicly funded research. The Safe Harbor provision of the U.S. Health Information Portability and Accountability Act (HIPAA) offers guidance to researchers by prescribing how to redact data for public sharing. For example, the provision requires removing explicit identifiers (such as name, address and other personally identifiable information), reporting dates in years, and reducing some or all digits of a postal (or ZIP) code. Is this sufficient? Can research participants still be re-identified in research data that adhere to the HIPAA Safe Harbor standard? In 2006, researchers collected air and dust samples and interviewed residents of 50 homes from Bolinas and Richmond (Atchison Village and Liberty Village), California, to analyze the residents' exposure to pollutants. The study, known as the Northern California Household Exposure Study [1], led to publications that have been cited hundreds of times. We conducted experiments with separate "attacker" and "scorer" teams to see whether we could identify study participants from two versions of the data redacted beyond the HIPAA standard, one in which all dates were reported in ranges of 10 or 20 years and another in which a study participant's birth year was reported exactly. The attackers were blinded to the names and addresses of the participants, and the scorers were blinded to the strategy.

Patient-centered management of complex patients can reduce costs without shortening life.

OBJECTIVE: To determine the effect of intensive patient-centered management (PCM) on service utilization and survival. STUDY DESIGN: Prospective cohort study of 756 patients in California who had a life-limiting diagnosis with multiple comorbid conditions (75% were oncology patients) and who were covered by a large commercial health maintenance organization from February 2003 through December 2004. METHODS: Group membership determined assignment to the PCM cohort versus the usual-management cohort after blindly screening for clinical complexity. Both cohorts accessed the same delivery system, utilization management practices, and benefits. Intervention was intensive PCM, involving education, home visits, frequent contact, and goal-oriented care plans. RESULTS: Roughly half (358) of the 756 patients received PCM. Fewer PCM oncology patients elected either chemotherapy or radiation (42% increase over usual-management oncology patients). PCM patients had reductions in inpatient diagnoses indicative of uncoordinated care: nausea (-44%), anemia (-33%), and dehydration (-17%). PCM patients had utilization reductions: -38% inpatient admissions (95% confidence interval [CI] = -37%, -38%), -36% inpatient hospital days (95% CI = -35%, -37%), and -30% emergency department visits (95% CI = -29%, -31%). PCM patients had utilization increases: 22% more home care days (95% CI = 20%, 23%) and 62% more hospice days (95% CI = 56%, 67%). Overall costs were reduced by 26% (95% CI = 25%, 27%). Patients' lives were not shortened (26% of PCM patients died vs 28% of patients who received usual management) (P = .80). CONCLUSION: Comprehensive PCM can sharply reduce utilization and costs over usual management without shortening life.

A secure protocol to distribute unlinkable health data.

Health data that appears anonymous, such as DNA records, can be re-identified to named patients via location visit patterns, or trails. This is a realistic privacy concern which continues to exist because data holders do not collaborate prior to making disclosures. In this paper, we present STRANON, a novel computational protocol that enables data holders to work together to determine records that can be disclosed and satisfy a formal privacy protection model. STRANON incorporates a secure encrypted environment, so no data holder reveals information until the trails of disclosed records are provably unlinkable. We evaluate STRANON on real-world datasets with known susceptibilities and demonstrate data holders can release significant quantities of data with zero trail re-identifiability.

How (not) to protect genomic data privacy in a distributed network: using trail re-identification to evaluate and design anonymity protection systems.

The increasing integration of patient-specific genomic data into clinical practice and research raises serious privacy concerns. Various systems have been proposed that protect privacy by removing or encrypting explicitly identifying information, such as name or social security number, into pseudonyms. Though these systems claim to protect identity from being disclosed, they lack formal proofs. In this paper, we study the erosion of privacy when genomic data, either pseudonymous or data believed to be anonymous, are released into a distributed healthcare environment. Several algorithms are introduced, collectively called RE-Identification of Data In Trails (REIDIT), which link genomic data to named individuals in publicly available records by leveraging unique features in patient-location visit patterns. Algorithmic proofs of re-identification are developed and we demonstrate, with experiments on real-world data, that susceptibility to re-identification is neither trivial nor the result of bizarre isolated occurrences. We propose that such techniques can be applied as system tests of privacy protection capabilities.