UPI reports on a new study about re-identification of so-called “anonymized” prescription data. “Evaluating the Risk of Re-identification of Patients from Hospital Prescription Records” by Khaled El Emam, Fida K Dankar, Régis Vaillancourt, Tyson Roffey, and Mark Lysyk was published in The Canadian Journal of Hospital Pharmacy.
Emam said many retail pharmacies in Canada sell prescription records to commercial data aggregators who perform analyses for the pharmaceutical companies. The potential privacy risk in such a practice, the researchers said, is if the patients can be re-identified from this data.
The study, Emam said, demonstrates a methodology for deciding which data to keep and which to de-identify, since hospital prescription data contains details such as where patients live and when they were admitted to the hospital.
The risk analysis performed in the study outlines a way to maintain patients’ privacy by generalizing and removing some variables, such as postal codes, gender and admission and discharge dates before they are shared with outside companies.
In 2007, I was co-counsel on an amicus curiae brief (pdf) in IMS Health v. Ayotte, a case about a New Hampshire state law that banned the sale of prescriber-identifiable prescription drug data for marketing purposes. When passing the prescription confidentiality law, the New Hampshire legislature noted the privacy interests that patients and physicians have in preventing third parties from receiving in-depth data on every prescription written.
The marketing companies in the New Hampshire case weren’t asking for data that would outright link individuals to their prescriptions. However, there are privacy problems that can arise from “de-identified data.” In the amicus brief that I was co-counsel on, we detailed these problems, arguing:
Although de-identification measures are increasingly innovative and computationally complex, patient data is still vulnerable to attacks because sophisticated re-identification programs are also being developed. Individuals can be re-identified using information such as zip code, date of birth, and gender and then comparing that data to publicly available information. Such information is easily accessible via birth and death records, incarceration reports, voter registration files, and driver’s licensing information.
Maine and Vermont have similar prescription confidentiality laws; several states are considering such laws.
Last month, Ars Technica had a good article explaining why so-called “anonymized” data usually isn’t anonymous at all.
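To make the generalization idea concrete, here is an added example (not code from the study, the brief, or the articles cited above) that measures how many records share each combination of postal code, gender and admission date, before and after coarsening. It uses plain equivalence-class counting in the style of k-anonymity, which is an assumption on my part rather than the study's own risk model; every record and field name is constructed for illustration.

```python
from collections import Counter

# Constructed sample rows, not real data:
# (postal_code, gender, admission_date, drug)
RECORDS = [
    ("K1H 8L1", "F", "2009-03-02", "drug-A"),
    ("K1H 8M5", "F", "2009-03-17", "drug-B"),
    ("K1H 7W9", "F", "2009-03-25", "drug-A"),
    ("K2P 1L4", "M", "2009-03-04", "drug-C"),
    ("K2P 0B9", "M", "2009-03-29", "drug-A"),
    ("K1H 8L1", "M", "2009-04-11", "drug-B"),
    ("K1H 6K9", "M", "2009-04-20", "drug-C"),
    ("K2P 2N2", "F", "2009-04-06", "drug-A"),
]
N_QUASI = 3  # the first three fields can be matched against outside records


def generalize(rec):
    """Coarsen quasi-identifiers: 3-character postal prefix, year-month only."""
    postal, gender, admitted, drug = rec
    return (postal[:3], gender, admitted[:7], drug)


def class_sizes(records):
    """Count how many records share each quasi-identifier combination."""
    return Counter(r[:N_QUASI] for r in records)


def suppress_small(records, k_min):
    """Drop records whose quasi-identifier combination occurs fewer than k_min times."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[r[:N_QUASI]] >= k_min]


def risk(records):
    """Smallest class size k, share of unique records, worst-case match probability."""
    sizes = class_sizes(records)
    k = min(sizes.values())
    unique = sum(1 for r in records if sizes[r[:N_QUASI]] == 1)
    return {"k": k, "unique_fraction": unique / len(records), "max_risk": 1 / k}


if __name__ == "__main__":
    generalized = [generalize(r) for r in RECORDS]
    print("raw:        ", risk(RECORDS))
    print("generalized:", risk(generalized))
    print("suppressed: ", risk(suppress_small(generalized, 2)))
```

On this sample, generalization alone still leaves one record that is unique on its quasi-identifiers, which is why the small class also has to be suppressed before the data is shared.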