The HIPAA privacy rule fails to provide patient privacy or data value for enterprises that want to leverage sensitive data to innovate and improve patient care. A patient’s health information is vulnerable to disclosure, through accident or bad actor, even if an organization adheres to HIPAA. HIPAA should have established a much higher standard of protection, such as GDPR, and has left a wake of personal health breaches for decades because of its imprecise and relaxed standards.
Under HIPAA, an organization cannot achieve privacy or accuracy, effectively rendering the rule useless in supporting needed innovation with meaningful compliance. HIPAA prescribes two de-identification (“DEID”) methods in order to use or disclose protected health information: the “safe harbor” and the expert determination methods. The “safe harbor” method simply requires that unique identifiers of the individual or of relatives, employers, or household members of the individual must be removed. The expert determination method requires an expert to use statistical, scientific principles to certify that the risk of re-identification is “very small”.
Neither method achieves adequate privacy and for this reason is disallowed in the EU under GDPR. As to data accuracy, both methods remove critical patient data and defeat the purpose of “liberating” data for use by data professionals. Meaningful analytics and AI/ML workflows require precise data joined with other data. DEID data has a high risk of re-identification and presents a scenario where neither accuracy or privacy is achieved because:
- Original data remains without any obfuscation; and
- Original data that remains can be combined with side information to identify an individual.
Although too many to list, recent successful attacks on HIPAA compliant de-identified data include the Northern California Household Exposure Study and the Motor Vehicle Accidents (MVA) data. For this reason, many privacy experts have raised concerns about DEID methods that HIPAA prescribes.
GDPR does not accept HIPAA style DEID methods for providing sufficient protection for individual privacy. Unlike HIPAA, GDPR does not prescribe any method, DEID or otherwise. As stated in the Johns Hopkins report on the subject: “A data set that is “de-identified” under HIPAA is not necessarily anonymized under the GDPR.” So organizations must use privacy enhanced technologies that go well beyond substandard HIPAA compliant DEID methods if they are to adequately serve innovation goals and compliance requirements to transform their business. They might even save themselves from the embarrassment and business losses associated from a future attack if they incorporate GDPR standards for their data today, and relegate HIPAA style DEID methods to the ash heap of history where it ought to rightly reside.