Re-Identification Risk in HIPAA De-Identified Datasets: The MVA Attack

We present a re-identification attack that uses indirect (non-HIPAA) identifiers to target a vulnerable subset of records de-identified to the HIPAA Safe Harbor standard, those involving motor vehicle accidents (MVAs). Documentation of an MVA in a patient note creates a significant risk to patient p...

Full description

Saved in:
Bibliographic Details
Published in:AMIA ... Annual Symposium proceedings 2018, Vol.2018, p.1329-1337
Main Authors: Janmey, Victor, Elkin, Peter L
Format: Article
Language:English
Subjects:
Accidents, Traffic
Confidentiality
Data Anonymization
Datasets as Topic
Health Insurance Portability and Accountability Act
Humans
Male
Risk
United States
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:We present a re-identification attack that uses indirect (non-HIPAA) identifiers to target a vulnerable subset of records de-identified to the HIPAA Safe Harbor standard, those involving motor vehicle accidents (MVAs). Documentation of an MVA in a patient note creates a significant risk to patient privacy through the MVA re-identification attack, with a relative risk of 537 compared to the general population. Patients in a significant MVA resulting in either permanent injury, hospitalization or death (for any victim) should have the accident location information omitted due to the significant risk of re-identification of HIPAA de-identified data. Clinicians should also consider omitting location information for any MVA, as it significantly increases the risk of re-identification.
ISSN:1559-4076