Inadvertent disclosure of protected health information (PHI) in randomly shifted date elements for de-identification

Tomasz Adamusiak MD PhD

7omasz

There is a high probability that some patients in your de-identified

data sets can have their dates re-identified on subsequent releases

if you randomly shift dates each time

Two methods for de-identification according to HIPAA Privacy Rule

• Expert determination § 164.514(b)(1)

• Safe harbor § 164.514(b)(1)

• Removal of dates -> data useless for research

• Date shifting ≠ removal (not safe harbor)

Patient John Doe De-identified data set 1 Date of birth randomly shifted by +/- 31 days

Time

The same patient In multiple de-identified data sets Date of birth randomly shifted by +/- 31 days

Time

Non-random interval 2*31+1 = 63 days

Time

Can you guess when the real DOB is?

Time

Can you guess when the real DOB is?

Time

In fact we only need two extremes

This probability can be estimated with binomial distribution

Pr = 2𝑛

2𝑝2 1 − 𝑝 𝑛−2

p – probability of shift to one of the extremes, e.g., 1/62 n – number of releases of data

Results

• For a single patient and two data releases the risk is relatively low (0.0005)

• For a hundred patients and ten releases on average two patients can be de-identified

• Larger sets and more releases higher risk

Conclusions

• Stop using random shifts immediately

• Evaluate the risk of disclosure for already released data

• Use a non-random value for the shift (e.g., [SSN digit +1] x 31).

Thank you

• Mary Shimoyama PhD