HHS wants contractor to test privacy of 'anonymous' data

The challenge is to see whether "de-identified" data can be "re-identified"

Can personal medical data that has been stripped of its identifiers to protect privacy later be used to identify a specific person? That is the question that the Health and Human Services Department is hoping a research contractor can answer.

HHS intends to hire a contractor to demonstrate either the “ability or inability” to re-identify data from a data set that has been de-identified under the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, according to a Jan. 4 notice on the Federal Business Opportunities Web site.

De-identification and re-identification of patient data have become hot issues in the discussion about how to protect patient privacy while advancing adoption of electronic health records. The Obama administration is distributing at least $17 billion in incentive payments to doctors and hospitals who buy and use digital systems for medical data.

HHS’ Office of the National Coordinator for Health Information Technology will handle the solicitation and task order award. No date or award amount was described in the public notice.

The contractor to be hired must have experience conducting comprehensive research on re-identifying a HIPAA de-identified data set, the notice states.

Under HIPAA, hospitals and other health care providers de-identify personal medical data by removing the 18 identifiers in the data. The hospital or other entity does not have actual knowledge that the data could be used alone or in combinations to identify the individual.

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

“The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude "brute force" matching, demonstrate the ability or inability to re-identify the data,” the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

To protect the privacy of the personal medical data to be used in the project, the data will be prohibited from being shared in either its de-identified form or any other forms created in the project, the notice adds.

The contractor must deliver a complete report of his or her results, including a thorough explanation of methods, and, if applicable, software and lab notes.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Thu, Jan 7, 2010 technology http://www.sweethacks.com

De-identification and re-identification of patient data must me accurate to protect the privacy of the patient

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
 Top 100 Slideshow
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts