HHS wants contractor to test privacy of 'anonymous' data
The challenge is to see whether "de-identified" data can be "re-identified"
Can personal medical data that has been stripped of its identifiers to protect privacy later be used to identify a specific person? That is the question that the Health and Human Services Department is hoping a research contractor can answer.
HHS intends to hire a contractor to demonstrate either the “ability or inability” to re-identify data from a data set that has been de-identified under the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, according to a Jan. 4 notice on the Federal Business Opportunities Web site.
De-identification and re-identification of patient data have become hot issues in the discussion about how to protect patient privacy while advancing adoption of electronic health records. The Obama administration is distributing at least $17 billion in incentive payments to doctors and hospitals who buy and use digital systems for medical data.
HHS’ Office of the National Coordinator for Health Information Technology will handle the solicitation and task order award. No date or award amount was described in the public notice.
The contractor to be hired must have experience conducting comprehensive research on re-identifying a HIPAA de-identified data set, the notice states.
Under HIPAA, hospitals and other health care providers de-identify personal medical data by removing the 18 identifiers in the data. The hospital or other entity does not have actual knowledge that the data could be used alone or in combinations to identify the individual.
Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.
“The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude "brute force" matching, demonstrate the ability or inability to re-identify the data,” the notice states.
The re-identification must be an accurate and unambiguous match to an individual.
To protect the privacy of the personal medical data to be used in the project, the data will be prohibited from being shared in either its de-identified form or any other forms created in the project, the notice adds.
The contractor must deliver a complete report of his or her results, including a thorough explanation of methods, and, if applicable, software and lab notes.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.