Top

BMC Medical Informatics and Decision Making

Published in:

Open Access 01-12-2012 | Research article

Estimating the re-identification risk of clinical data sets

Authors: Fida Kamal Dankar, Khaled El Emam, Angelica Neisa, Tyson Roffey

Published in: BMC Medical Informatics and Decision Making | Issue 1/2012

Abstract

Background

De-identification is a common way to protect patient privacy when disclosing clinical data for secondary purposes, such as research. One type of attack that de-identification protects against is linking the disclosed patient data with public and semi-public registries. Uniqueness is a commonly used measure of re-identification risk under this attack. If uniqueness can be measured accurately then the risk from this kind of attack can be managed. In practice, it is often not possible to measure uniqueness directly, therefore it must be estimated.

Methods

We evaluated the accuracy of uniqueness estimators on clinically relevant data sets. Four candidate estimators were identified because they were evaluated in the past and found to have good accuracy or because they were new and not evaluated comparatively before: the Zayatz estimator, slide negative binomial estimator, Pitman’s estimator, and mu-argus. A Monte Carlo simulation was performed to evaluate the uniqueness estimators on six clinically relevant data sets. We varied the sampling fraction and the uniqueness in the population (the value being estimated). The median relative error and inter-quartile range of the uniqueness estimates was measured across 1000 runs.

Results

There was no single estimator that performed well across all of the conditions. We developed a decision rule which selected between the Pitman, slide negative binomial and Zayatz estimators depending on the sampling fraction and the difference between estimates. This decision rule had the best consistent median relative error across multiple conditions and data sets.

Conclusion

This study identified an accurate decision rule that can be used by health privacy researchers and disclosure control professionals to estimate uniqueness in clinical data sets. The decision rule provides a reliable way to measure re-identification risk.

Available only for authorised users

Beyond the HIPAA Privacy Rule: Enhancing privacy, improving health through research. Edited by: Nass S, Levit L, Gostin L. 2009, Washington, DC: National Academies Press

Damschroder L, Pritts J, Neblo M, Kalarickal R, Creswell J, Hayward R: Patients, privacy and trust: Patients' willingness to allow researchers to access their medical records. Soc Sci Med. 2007, 64: 223-235. 10.1016/j.socscimed.2006.08.045.CrossRefPubMed

Mayer TS: Privacy and Confidentiality Research and the US Census Bureau: Recommendations based on a review of the literature. 2002, Washington, DC: US Bureau of the Census

Singer E, van Hoewyk J, Neugebauer RJ: Attitudes and Behaviour: The impact of privacy and confidentiality concenrs on participation in the 2000 census. Public Opin Q. 2003, 67: 368-384. 10.1086/377465.CrossRef

Council. NR: Privacy and Confidentiality as Factors in Survey Response. 1979, Washington: National Academy of Sciences

Martin E: Privacy Concerns and the Census Long Form: Some evidence from Census 2000. Annual Meeting of the American Statistical Association. 2001, Washington, DC

Robeznieks A: Privacy fear factor arises. Mod Healthc. 2005, 35 (46): 6-PubMed

Becker C, Taylor M: Technical difficulties: Recent health IT security breaches are unlikely to improve the public's perception about the safety of personal data. Mod Healthc. 2006, 38 (8): 6-7.

Office for Civil Rights: Annual report to congress on breaches of unsecured protected health information for calendar years 2009 and 2010. 2011, US Department of Health and Human Services

10.

Fienberg S, Martin M, Straf M: Sharing Research Data. 1985, Committee on National Statistics, National Research Council

11.

Hutchon D: Publishing raw data and real time statistical analysis on e-journals. Br Med J. 2001, 322 (3): 530-CrossRef

12.

Are journals doing enough to prevent fraudulent publication?. Can Med Assoc J. 2006, 174 (4): 431-

13.

Abraham K: Microdata access and labor market research: The US experience. Allegmeines Stat Archiv. 2005, 89: 121-139.

14.

Vickers A: Whose data set is it anyway ? Sharing raw data from randomized trials. Trials. 2006, 7: 15-10.1186/1745-6215-7-15.CrossRefPubMedPubMedCentral

15.

Altman D, Cates C: Authors should make their data available. BMJ. 2001, 323: 1069-CrossRefPubMedPubMedCentral

16.

Delamothe T: Whose data are they anyway ?. BMJ. 1996, 312: 1241-1242. 10.1136/bmj.312.7041.1241.CrossRefPubMedPubMedCentral

17.

Smith GD: Increasing the accessibility of data. BMJ. 1994, 308: 1519-1520. 10.1136/bmj.308.6943.1519.CrossRefPubMedPubMedCentral

18.

Commission of the European Communities: On scientific information in the digital age: Access, dissemination and preservation. 2007

19.

Lowrance W: Access to collections of data and materials for health research: A report to the Medical Research Council and the Wellcome Trust. 2006, Medical Research Council and the Wellcome Trust

20.

Yolles B, Connors J, Grufferman S: Obtaining access to data from government-sponsored medical research. NEJM. 1986, 315 (26): 1669-1672. 10.1056/NEJM198612253152608.CrossRefPubMed

21.

Hogue C: Ethical issues in sharing epidemiologic data. J Clin Epidemiol. 1991, 44 (Suppl. I): 103S-107S.CrossRefPubMed

22.

Hedrick T: Justifications for the sharing of social science data. Law Hum Behav. 1988, 12 (2): 163-171.CrossRef

23.

Mackie C, Bradburn N: Improving access to and confidentiality of research data: Report of a workshop. 2000, Washington: The National Academies Press

24.

Pullman D: Sorry, you can't have that information: Stakeholder awareness, perceptions and concerns regarding the disclosure and use of personal health information. e-Health 2006. 2006

25.

OIPC Stakeholder Survey, 2003: Highlights Report. 2003

26.

Willison D, Schwartz L, Abelson J, Charles C, Swinton M, Northrup D, Thabane L: Alternatives to project-specific consent for access to personal information for health research: What is the opinion of the Canadian public ?. J Am Med Inform Assoc. 2007, 14: 706-712. 10.1197/jamia.M2457.CrossRefPubMedPubMedCentral

27.

Nair K, Willison D, Holbrook A, Keshavjee K: Patients' consent preferences regarding the use of their health information for research purposes: A qualitative study. J Health Serv Res Policy. 2004, 9 (1): 22-27. 10.1258/135581904322716076.CrossRefPubMed

28.

Kass N, Natowicz M, Hull S: The use of medical records in research: what do patients want?. J Law Med Ethics. 2003, 31: 429-433. 10.1111/j.1748-720X.2003.tb00105.x.CrossRefPubMedPubMedCentral

29.

Whiddett R, Hunter I, Engelbrecht J, Handy J: Patients' attitudes towards sharing their health information. Int J Med Inf. 2006, 75: 530-541. 10.1016/j.ijmedinf.2005.08.009.CrossRef

30.

Pritts J: The importance and value of protecting the privayc of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. 2008, Available from: http://iom.edu/Object.File/Master/53/160/Pritts%20Privacy%20Final%20Draft%20web.pdf. Accessed on: July 15, 2009.

31.

Bethlehem J, Keller W, Pannekoek J: Disclosure control of microdata. J Am Stat Assoc. 1990, 85 (409): 38-45. 10.1080/01621459.1990.10475304.CrossRef

32.

Sweeney L: Uniqueness of Simple Demographics in the US Population. 2000, Carnegie Mellon University, Laboratory for International Data Privacy

33.

El Emam K, Brown A, Abdelmalik P: Evaluating Predictors of Geographic Area Population Size Cutoffs to Manage Re-identification Risk. J Am Med Inform Assoc. 2009, 16 (2): 256-266. 10.1197/jamia.M2902. [PMID: 19074299].CrossRefPubMedPubMedCentral

34.

Golle P: Revisiting the uniqueness of simple demographics in the US population. 2006, Workshop on Privacy in the Electronic SocietyCrossRef

35.

El Emam K, Brown A, AbdelMalik P, Neisa A, Walker M, Bottomley J, Roffey T: A method for managing re-identification risk from small geographic areas in Canada. BMC Med Inform Decis Mak. 2010, 10: 18-10.1186/1472-6947-10-18.CrossRefPubMedPubMedCentral

36.

Koot M, Noordende G, de Laat C: A study on the re-identifiability of Dutch citizens. Workshop on Privacy Enhancing Technologies (PET 2010). 2010

37.

Department of Health and Human Services: Standards for privacy of individually identifiable health information. 2000, Federal Register, Available from: http://aspe.hhs.gov/admnsimp/final/PvcFR06.txt. Archived at: http://www.webcitation.org/5tqU5GyQX.

38.

Department of Health and Human Services: Standards for privacy of individually identifiable health information. 2000, Federal Register, Available from: http://aspe.hhs.gov/admnsimp/final/PvcFR05.txt. Archived at: http://www.webcitation.org/5tqULb7hT.

39.

Benitez K, Malin B: Evaluating re-identification risks with respect to the HIPAA privacy rule. J Am Med Inform Assoc. 2010, 17 (2): 169-177. 10.1136/jamia.2009.000026.CrossRefPubMedPubMedCentral

40.

Statistics Canada: Canadian Community Health Survey (CCHS) Cycle 3.1 (2005) Public Use Microdata File (PUMF) User Guide. 2006

41.

Statistics Canada: Canadian Community Health Survey: Public Use Microdata File. 2009, Available from: http://www.statcan.gc.ca/bsolc/olc-cel/olc-cel?catno=82M0013X&lang=eng.

42.

Statistics Canada: 2001 Census Public Use Microdata File: Individuals file user documentation. 2001

43.

Dale A, Elliot M: Proposals for the 2001 samples of anonymized records: An assessment of disclosure risk. J R Stat Soc. 2001, 164 (3): 427-447. 10.1111/1467-985X.00212.CrossRef

44.

Marsh C, Skinner C, Arber S, Penhale B, Openshaw S, Hobcraft J, Lievesley D, Walford N: The case for samples of anonymized records from the 1991 census. J R Stat Soc A Stat Soc. 1991, 154 (2): 305-340. 10.2307/2983043.CrossRef

45.

Marsh C, Dale A, Skinner C: Safe data versus safe settings: Access to microdata from the British census. Int Stat Rev. 1994, 62 (1): 35-53. 10.2307/1403544.CrossRef

46.

El Emam K, Paton D, Dankar F, Koru G: De-identifying a Public Use Microdata File from the Canadian National Discharge Abstract Database. BMC Med Inform Decis Mak. 2011, 11: 53-10.1186/1472-6947-11-53.CrossRefPubMed

47.

El Emam K, Dankar F: Protecting privacy using k-anonymity. J Am Med Inform Assoc. 2008, 15: 627-637. 10.1197/jamia.M2716.CrossRefPubMedPubMedCentral

48.

Dalenius T: Finding a needle in a haystack or identifying anonymous census records. J Official Stat. 1986, 2 (3): 329-336.

49.

El Emam K, Jabbouri S, Sams S, Drouet Y, Power M: Evaluating common de-identification heuristics for personal health information. J Med Internet Res. 2006, 8 (4): e28-10.2196/jmir.8.4.e28. [PMID: 17213047].CrossRefPubMedPubMedCentral

50.

El Emam K, Jonker E, Sams S, Neri E, Neisa A, Gao T, Chowdhury S: Pan-Canadian De-Identification Guidelines for Personal Health Information. 2007, Ottawa: Privacy Commissioner of Canada

51.

Canadian Institutes of Health Research: CIHR best practices for protecting privacy in health research. 2005, Ottawa: Canadian Institutes of Health Research

52.

ISO/TS 25237: Health Informatics: Pseudonymization. 2008, Geneva: International Organization for Standardization

53.

Yakowitz J: Tragedy of the Commons. Harvard J Law Technol. 2011, 25 (1): 2-66.

54.

Skinner G, Elliot M: A measure of disclosure risk for microdata. J R Stat Soc Ser B. 2002, 64 (Part 4): 855-867.CrossRef

55.

National Committee on Vital and Health Statistics: Report to the Secretary of the US Department of Health and Human Services on Enhanced Protections for Uses of Health Data: A Stewardship Framework for "Secondary Uses" of Electronically Collected and Transmitted Health Data. 2007

56.

Sweeney L: Data sharing under HIPAA: 12 years later. Workshop on the HIPAA Privacy Rule's De-Identification Standard. 2010, Washington: Department of Health and Human Services

57.

Lafky D: The Safe Harbor method of de-identification: An empirical test. Fourth National HIPAA Summit West. 2010

58.

Skinner C, Holmes D: Modeling population uniqueness. Proceedings of the International Seminar on Statistical Confidentiality. 1993

59.

Johnson N, Kotz S, Kemp A: Univariate discrete distributions. 2005, Hoboken: WileyCrossRef

60.

Takemara A: Some superpopulation models for estimating the number of population uniques. Proceedings of the Conference on Statistical Data Protection. 1999

61.

Ewens W: Population genetics theory - the past and the future. Mathematical and statistical development of evolutionary theory. Edited by: Lessard Kluwer S. 1990, Springer: New York, 177-227.CrossRef

62.

Pitman J: Random discrete distribution invariant under size based permutation. Adv Appl Probability. 1996, 28: 525-539. 10.2307/1428070.CrossRef

63.

Hoshino N: Applying Pitman's sampling formula to microdata disclosure risk assessment. J Official Stat. 2001, 17 (4): 499-520.

64.

Chen G, Keller-McNulty S: Estimation of identification disclosure risk in microdata. J Official Stat. 1998, 14 (1): 79-95.

65.

Benedetti R, Franconi L: Statistical and technological solutions for controlled data dissemination. Proceedings of New Techniques and Technologies for Statistics (vol. 1). 1998

66.

Zayatz L: Estimation of the percent of unique population elements on a microdata file using the sample. 1991, Washington: US Bureau of the Census

67.

El Emam K, Dankar F, Vaillancourt R, Roffey T, Lysyk M: Evaluating patient re-identification risk from hospital prescription records. Can J Hospital Pharm. 2009, 62 (4): 307-319.

68.

Howe H, Lake A, Shen T: Method to assess identifiability in electronic data files. Am J Epidemiol. 2007, 165 (5): 597-601.CrossRefPubMed

69.

Howe H, Lake A, Lehnherr M, Roney D: Unique record identification on public use files as tested on the 1994–1998 CINA analytic file. 2002, North American Association of Central Cancer Registries

70.

El Emam K: Heuristics for de-identifying health data. IEEE Security and Privacy. 2008, 6 (4): 58-61.CrossRef

71.

Seni G, Elder J: Ensemble methods in data mining. 2010, San Rafael: Morgan & Claypool

72.

Hastie T, Tibshirani R, Friedman J: The Elements of Statistical Learning: Data Mining, Inference, and Prediction. 2009, New York: SpringerCrossRef

73.

Breiman L, Friedman J, Olshen R, Stone C: Classification and Regression Trees. 1984, Belmont: Wadsworth and Brooks/Cole

74.

Consumer-Purchaser Disclosure Project: The state experience in health quality data collection. 2004, Washington DC: National Partnership for Women & Families, Available from http://healthcaredisclosure.org/links/files/DataCollection.pdf.

75.

El Emam K, Mercer J, Moreau K, Grava-Gubins I, Buckeridge D, Jonker E: Physician privacy concerns when disclosing patient data to public health authorities for disease outbreak surveillance. BMC Public Health. 2011, 11: 454-10.1186/1471-2458-11-454.CrossRefPubMedPubMedCentral

76.

Bell S: Alleged LTTE front had voter lists. National Post. 2006

77.

Bell S: Privacy chief probes how group got voter lists. National Post. 2006

78.

Freeze C, Clark C: Voters lists 'most disturbing' items seized in Tamil raids, documents say. Globe and Mail. 2008, Available from: http://www.theglobeandmail.com/servlet/story/RTGAM.20080507.wxtamilssb07/BNStory/National/home. Archived at: http://www.webcitation.org/5Xe4UWJKP.

79.

Dankar F, El Emam K: The Application of Differential Privacy to Health Data. Proceedings of he 5th International Workshop on Privacy and Anonymity in the Information Society (PAIS). 2012

80.

Department of Health and Human Services: Office of Civil Rights. Breaches Affecting 500 or More Individuals. 2010, Available from: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.

81.

El Emam K, Dankar F, Issa R, Jonker E, Amyot D, Cogo E, Corriveau J-P, Walker M, Chowdhury S, Vaillancourt R, Roffey T, Bottomley J: A Globally Optimal k-Anonymity Method for the De-identification of Health Data. J Am Med Inf Assoc. 2009, 16 (5): 670-682. 10.1197/jamia.M3144.CrossRef

82.

El Emam K: Risk-based de-identification of health data. IEEE Security and Privacy. 2010, 8 (3): 64-67.CrossRef

83.

El Emam K: Method and Experiences of Risk-Based De-identification of Health Information. Workshop on the HIPAA Privacy Rule's De-Identification Standard. 2010, Department of Health and Human Services

84.

Cavoukian A, El Emam K: A Positive-Sum Paradigm in Action in the Health Sector. 2010, Office of the Information and Privacy Commissioner of Ontario

85.

Dwork C, McSherry F, Nissim K, Smith A: Calibrating Noise to Sensitivity in Private Data Analysis. 3rd theory of cryptography conference. 2006

86.

Dwork C: Differential privacy: A survey of results. Proceedings of the 5th International Conference on Theory and Applications of Models of Computation. 2008

87.

Dwork C: Differential Privacy. Automata, Languages and Programming. 2006

88.

Dankar F, El Emam K: The Application of Differential Privacy to Health Data. The 5th International Workshop on Privacy and Anonymity in the Information Society (PAIS). 2012

89.

Lee J, Clifton C: How Much Is Enough? Choosing epsilon for Differential Privacy. 2011, Information Security

90.

Sarathy R, Muralidhar K: Some Additional Insights on Applying Differential Privacy for Numeric Data. 2010, Privacy in Statistical Databases, 210-219.

91.

Samarati P, Sweeney L: Protecting privacy when disclosing information: k-anonymity and its enforcement through generalisation and suppression. 1998, SRI International

92.

Samarati P: Protecting respondents' identities in microdata release. IEEE Transactions on Knowledge and Data Engineering. 2001, 13 (6): 1010-1027. 10.1109/69.971193.CrossRef

93.

Sweeney L: k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems. 2002, 10 (5): 557-570. 10.1142/S0218488502001648.CrossRef

94.

Ciriani V, di Vimercati SSF DC, Samarati P: k-Anonymity, in Secure Data Management in Decentralized Systems. 2007, New York: Springer

95.

Haas P, Stokes L: Estimating the number of classes in a finite population. J Am Stat Assoc. 1998, 93 (444): 1475-1487. 10.1080/01621459.1998.10473807.CrossRef

The pre-publication history for this paper can be accessed here:http://www.biomedcentral.com/1472-6947/12/66/prepub

Title: Estimating the re-identification risk of clinical data sets
Authors: Fida Kamal Dankar
Khaled El Emam
Angelica Neisa
Tyson Roffey
Publication date: 01-12-2012
Publisher: BioMed Central
Published in: BMC Medical Informatics and Decision Making / Issue 1/2012
Electronic ISSN: 1472-6947
DOI: https://doi.org/10.1186/1472-6947-12-66

At a glance: The STEP trials

Springer Medicine

Estimating the re-identification risk of clinical data sets

Abstract

Background

Methods

Results

Conclusion

At a glance: The STEP trials

Springer Medicine

Abstract

Background

Methods

Results

Conclusion

Please log in to get access to this content

Other articles of this Issue 1/2012

e-MIR2: a public online inventory of medical informatics resources

Predictive modelling: parents’ decision making to use online child health information to increase their understanding and/or diagnose or treat their child’s health

Computational challenges and human factors influencing the design and use of clinical research participant eligibility pre-screening tools

Technical support and delegation to practice staff – status quo and (possible) future perspectives for primary health care in Germany

Improving the Effectiveness of Electronic Health Record-Based Referral Processes

Reaching consensus on the physiotherapeutic management of patients following upper abdominal surgery: a pragmatic approach to interpret equivocal evidence