The Case for De-identification

Khaled El Emam uOttawa & CHEO RI

Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca


Section 1

Benefits of Sharing Data

  • Many benefits to sharing data (as an example for research data):
    – Confirm published results
    – Availability of data for meta-analyses
    – Feedback to improve data quality
    – Cost savings from not collecting the data again
    – Minimize need for participants to provide data repeatedly
    – Data for instruction and education

Increased Demand for Health Data

  • More data needed for research purposes - some in the health research community have phrased the stakes as: “It’s a matter of life and death”
  • Public health needs more data to detect and manage disease outbreaks
  • With better data we can find efficiencies in the healthcare system
  • Advertising and marketing efforts can be more targeted if detailed consumer/patient information is available

Case for De-identification

  • We make the case that de-identification is the main reasonable approach for many instances of sharing health information for secondary purposes under the legal framework that exists today

Summary of Case

  • Better risk management for internal uses
  • Custodians reluctant to share data even when permitted
  • Current consent models have disadvantages – de-id the alternative
  • Breach notification not required if data is de-identified
  • Unexpected uses and disclosures – avoid surprises and retain value in data if it is de-identified
  • Privacy protective behaviors by the public and erosion of trust
  • Alternative access methods have important disadvantages

Limiting Principles

  • Do not collect, use, or disclose PHI if other information will serve the purpose
  • For example, even if it is easier to disclose a whole record, that should not be done if lesser information will reasonably satisfy the purpose
  • De-identification would be one element in limiting the amount of PHI that is collected/used/disclosed
  • Same as “minimal necessary” criterion in the US


Section 2

Secondary Use/Disclosure

[Figure: diagram with the labels individuals, collection, custodian, agent, use, disclosure, recipient]

Data Flows

  • Mandatory disclosures
  • Uses by an agent for secondary purposes
  • Permitted discretionary disclosures for secondary purposes (e.g., public health and research)
  • Other disclosures for secondary purposes (e.g., marketing)

Section 3

Uses by Agents

  • Data breaches by insiders are relatively common (between a quarter and half):
    – Malicious: financial gain, revenge, dismissal
    – Accidental: loss of equipment, inadvertent disclosure
  • Applies to sub-contractors as well
  • De-identification of internally used data protects against these internal breaches

Section 4

Discretionary Disclosures

  • In many cases the data custodians do not want to disclose patient information unless it is de-identified, even if it is permitted, e.g., for public health purposes
  • Providers are also concerned about their own privacy
  • Most are willing to disclose patient data if it is de-identified

Section 5

Obtaining Consent - I

  • Sometimes it is not possible or practical to obtain individual consent:
    – Making contact to obtain consent may reveal the individual’s condition to others against their wishes
    – The size of the population may be too large to obtain consent from everyone
    – Many patients may have relocated or died

Obtaining Consent - II

    – There may be a lack of existing or continuing relationship with the patients
    – There is a risk of inflicting psychological, social or other harm by contacting individuals or their families in delicate circumstances
    – It would be difficult to contact individuals through advertisements and other public notices

Impact of Obtaining Consent

  • In the case where explicit individual consent is used, consenters and non-consenters differ on:
    – age, sex, race, marital status, educational level, socioeconomic status, health status, mortality, lifestyle factors, functioning
  • The consent rate for express consent varied from 16% to 93%

Section 6

Data Breach Notification

  • The number of records involved in known data breaches is very high
  • Many jurisdictions have breach notification laws
  • Breaches involving de-identified data need not be reported

Data Breach Notification Costs

  • Negative impact on share price
  • Reduced loyalty and trust from clients, and discontinuing relationship with custodian
  • Cost to custodian ~ $300 per individual (notification, compensation, investigation, penalties, and litigation)

What are they worth?

  • Medical records may contain financial information
  • Financial value in medical records themselves
  • Extortion attempts

Sale of Healthcare Data - I

Sale of Healthcare Data - II

Section 7

Compelled Disclosures

  • There are many instances where individuals have no choice but to disclose information:
    – To obtain a service – more difficult with governments because they have a monopoly on some services
    – Prosecution
  • The public should demand that data be de-identified at the earliest opportunity

Commercial Actors

  • Health systems are monetizing data
  • Competitions

Section 8

Secondary Purposes and the Public

  • The public is more willing for their health information to be used and disclosed for secondary purposes if it is de-identified
  • The amount of willingness will vary depending on the exact purposes (e.g., commercial vs. not-for-profit)

Patient Concerns

  • There is evidence (from surveys) that the general public has changed their behavior to adjust for perceived privacy risks wrt their PHI:
    – 15% to 17% of US adults
    – 11% to 13% of Canadian adults
  • There is also evidence that vulnerable populations exhibit similar behaviors (e.g., adolescents, people with HIV or at high risk for HIV, those undergoing genetic testing, mental health patients and battered women)

Behavior Change - I

  • Going to another doctor
  • Paying out of pocket when insured to avoid disclosure
  • Not seeking care to avoid disclosure to an employer or to not be seen entering a clinic by other members of the community
  • Giving inaccurate or incomplete information on medical history
  • Asking a doctor not to record a health problem or record a less serious or embarrassing one

Behavior Change - II

  • 87% of US physicians reported that a patient had asked them not to include certain information in their record
  • 78% of US physicians reported that they have withheld information due to privacy concerns

Asymmetry Principle - I

  • Trust is hard to gain but easy to lose:
    – Negative events/news carry more weight than positive ones (negativity bias); it is more diagnostic
    – Avoiding loss – people weight negative information more greatly in an effort to avoid loss
    – Sources of negative information appear more credible (positive information seems self-serving)

Asymmetry Principle - II

    – People interpret information according to their prior beliefs: if they have negative prior beliefs then negative events will reinforce that and positive events will have little impact
    – Undecided individuals tend to be affected more by negative information
    – People with positive prior beliefs may feel betrayed by negative information/events


Section 9

Alternative Access Methods

  • Two common alternatives
  • Remote access:
    – Users can access the identifiable raw data through “read-only” access
    – Option that remote access from designated locations
  • On-site access:
    – Requires users to be physically present in a secure facility

Alternative Access - Problems

  • Both:
    – Users must be fully trusted
    – Cannot protect against spontaneous re-identification
    – Background checks may be time consuming
  • Remote access:
    – Vulnerable to social engineering attacks that compromise credentials
    – Data is on the network
  • On-site access:
    – Requires users to be physically present in a secure facility – limits access

Conclusions

Case for De-identification

  • The proper de-identification of health information when used or disclosed for secondary purposes goes a long way to address the seven risks/issues that were identified here

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1744038

www.ehealthinformation.ca

www.ehealthinformation.ca/knowledgebase

kelemam@uottawa.ca