The U.S. Department of Health and Human Services (HHS) is about to rule on whether health care entities will need to notify patients if their de-identified data — patient data that has been stripped of all potential for identifying individuals, which is often used for research and development — is breached. As it stands now, de-identified data is not subject to the new breach-notification rules imposed by the HITECH privacy provisions of the 2009 American Recovery and Reinvestment Act (ARRA) stimulus package. The debate pits privacy activists on one side, who often support notification, against health care organizations on the other, which say the quality of health care hangs in the balance.
This debate hasn’t been getting much attention. That’s unfortunate, because the outcome could have broader implications within the U.S. and even around the world. Validating that personal data can be de-identified in a way that still retains commercial and social usefulness could set a precedent for many other privacy-related standards and debates.
Read more on Computerworld.
http://twitter.com/HITshrink/statuses/2854114191
Links to HITSP’s Anonymize component, which establishes a standard methodology to de-identify PHI.
Thank you! For readers leery about clicking on links, the bit.ly link in that message redirects to: http://wiki.hitsp.org/docs/C25/C25-1.html