[Med-privacy] My new title as "Re-identification Goddess"

latanya@privacy.cs.cmu.edu
Wed, 23 Jun 2004 11:10:37 -0400


Two of the latest email subject lines on HIPAA related
email lists:

"Hail Latanya Sweeney, Re-identification Goddess"
"Judge Rules Latanya Sweeney as Threat to Privacy"

This commotion stems from the latest Illinois appeals
court ruling in which the only issue before the court
concerned whether 'the fact that Latanya Sweeney could
re-identify the medical information was sufficient
grounds not to release the data for privacy concerns.'
The court sealed the report on the technique used
by Dr. Sweeney and allowed the data to be shared,
notwithstanding the ability to re-identify the patients.
The ruling is expected to be appealed to the state
Supreme Court.


Below is an article related to the finding.
The case is found at http://www.state.il.us/court/Opinions/AppellateCourt/2004/5thDistrict/June/Html/5020836.htm
The March 28, 2001 case is found at http://www.state.il.us/court/Opinions/AppellateCourt/2001/5thDistrict/March/Html/5990568.htm

----------------


Illinois Court Decision Roils De-Identification Efforts
Health Information Privacy Alert
HIPALERT June 2004 • Vol. 8 #6, page 1
(Reprinted with Permission)


The fact that an expert can re-identify patient data
that has been de-identified is not enough to prohibit the
release of state disease registry records, an Illinois appeals
court ruled June 9. The case raises new questions
over what steps healthcare entities and government agencies
should take to protect patient identities and what
steps are considered reasonable in de-identifying data
under the HIPAA privacy rule.
Moreover, the decision may provoke new concerns
over patient privacy as the healthcare industry moves
toward electronic healthcare records in the wake of the
federal government's new commitment in this area.
At issue in The Southern Illinoisan v. The Department
Of Public Health (Case # 5-02-0836) is whether
patient privacy is reasonably protected when the patients
named in the records can be identified with difficulty.
Judge William Schwartz ruled that although an expert
demonstrated that she could re-identify the patients,
the knowledge and expertise required to do it was so
specialized and unique that it was unreasonable to allow
the state health department to withhold the information.
At the same time, the methodology used by the expert,
Dr. Latanya Sweeney, who directs the Laboratory
for International Data Privacy at Carnegie Mellon University,
was sealed by a lower court; the appeals court
judge declined to reveal the process as well.
The appeals court reaffirmed its 2001 decision and
upheld the lower court's conclusion "that the knowledge
acquired by Dr. Sweeney during her education and in
her professional career provided her with a unique, although
not exclusive, foundation upon which she drew
in conducting her data analysis."
The Southern Illinoisan sought copies of documents
from the Illinois Cancer Registry which listed the type
of cancer, date of diagnosis, and zip code of each cancer
patient. The health department denied the request, citing
the Medical Studies Act.
However, the dispute first originated in the 1980s
when citizens petitioned the department for the records.

That raises the question of whether the HIPAA privacy
rule would apply now as the case was brought well
before the rule's effective date.
The appeals court allowed the state public health department
to present further evidence after the 2001 decision,
which resulted in the June decision.
Schwartz's June 9 decision was based on a balancing
of the interest in releasing public records with the difficulty
in re-identifying patients. "These questions are significant
because without some sense of the magnitude
of the alleged threat of which the defendants (the health
department) complain, it is very difficult for this court
to determine whether the data in question reasonably
tends to lead to the identity of specific persons," he said.
The court decision may be of little long term value
for covered entities but may complicate matters.
While the court sealed Sweeney's methodology, it is
unlikely her specialized expertise will remain confined.
The attitude expressed by Judge Schwartz also was
adopted toward the threat of computer hackers in the
early 1990s when such efforts were deemed the province
only of experts. The subsequent development of publicly
available programs that create viruses and worms
and enable hacking are now commonplace.
Health agencies and covered entities already are finding
that some patients are astonished at how widely their
medical data is shared without the need for permission.
The fact that at least one expert knows how to de-identify
records may make it harder to reassure patients that their
confidentiality will be preserved.
The state said it was considering an appeal.
The court decision came shortly after the National Institutes
of Health and the Agency for Healthcare Research
and Quality held a HIPAA briefing in May for the research
community. Federal officials predicted that data de-identification
would become more popular and necessary.