Difference between revisions of "Anonymous"

From MgmtWiki
Jump to: navigation, search
m (De-identification)
m (De-identification)
 
Line 20: Line 20:
  
 
So long as information exists as [[PHI]], its use and disclosure are both limited by the Privacy Rule. HIPAA safe harbor de-identification is the process of the removal of specified identifiers of the patient, and of the patient’s relatives, household members, and employers.  The requirements of the HIPAA safe harbor de-identification process become fully satisfied if, and only if, after the removal of the specific identifiers, the covered entity has no actual knowledge that the remaining information could be used to identify the patient. Once protected health information has been de-identified, it is no longer considered to be PHI; as such, there are no longer restrictions on its use or disclosure. By definition, de-identified health information neither identifies nor provides a reasonable basis to identify a patient. Specific pieces of data (data elements) can, individually or in combination, be used to uniquely identify an individual. The following data elements can be used to uniquely identify, and, as such, must be de-identified under the safe harbor rule:
 
So long as information exists as [[PHI]], its use and disclosure are both limited by the Privacy Rule. HIPAA safe harbor de-identification is the process of the removal of specified identifiers of the patient, and of the patient’s relatives, household members, and employers.  The requirements of the HIPAA safe harbor de-identification process become fully satisfied if, and only if, after the removal of the specific identifiers, the covered entity has no actual knowledge that the remaining information could be used to identify the patient. Once protected health information has been de-identified, it is no longer considered to be PHI; as such, there are no longer restrictions on its use or disclosure. By definition, de-identified health information neither identifies nor provides a reasonable basis to identify a patient. Specific pieces of data (data elements) can, individually or in combination, be used to uniquely identify an individual. The following data elements can be used to uniquely identify, and, as such, must be de-identified under the safe harbor rule:
<pre>
+
 
Names
+
* Names
Geographic locators
+
*Geographic locators = In the case of zip codes, covered entities are generally permitted to use the first three digits, provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals.
In the case of zip codes, covered entities are generally permitted to use the first three digits, provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals.
+
* All elements of dates (except the year) that are related to an individual, including: admission and discharge dates, birth-date, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age.
All elements of dates (except the year) that are related to an individual, including: admission and discharge dates, birth-date, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age.
+
* Telephone, cellphone, and fax numbers
Telephone, cellphone, and fax numbers
+
* Email addresses
Email addresses
+
* IP addresses (IP addresses can be used to identify physical addresses)
IP addresses (IP addresses can be used to identify physical addresses)
+
* Social Security Numbers
Social Security Numbers
+
* Medical record numbers
Medical record numbers
+
* Health plan beneficiary numbers (i.e. the member ID on a patient’s health insurance card)
Health plan beneficiary numbers (i.e. the member ID on a patient’s health insurance card)
+
* Device identifiers and serial numbers (medical devices are assigned unique serial numbers)
Device identifiers and serial numbers (medical devices are assigned unique serial numbers)
+
* Certificate/license numbers (e.g., driver license numbers and birth certificate numbers)
Certificate/license numbers (e.g., driver license numbers and birth certificate numbers)
+
* Account numbers (e.g., bank account numbers)
Account numbers (e.g., bank account numbers)
+
* Vehicle identifiers and serial numbers, including license plates
Vehicle identifiers and serial numbers, including license plates
+
* Website URLs If a URL is logged within a specific application, the URL can be used to uniquely identify an individual  
Website URLs If a URL is logged within a specific application, the URL can be used to uniquely identify an individual  
+
* Full face photos and comparable images
Full face photos and comparable images
+
* [[Biometric Identifier]]s (including fingerprints, voice prints, and retinal images)
[[Biometric Identifier]]s (including fingerprints, voice prints, and retinal images)
+
* Any unique identifying numbers, characteristics or codes
Any unique identifying numbers, characteristics or codes
+
 
</pre>
 
 
Once these specific identifiers have been removed, the covered entity must have no actual knowledge that the remaining information could be used to identify the patient. If this “no actual knowledge” requirement has been satisfied, the PHI has been successfully de-identified under the safe harbor method.  There's the catch. As AI technology advances, this bar continues to move down to the point where the data is soon of very limited value. In other words, this safe harbor can only be used til the tide goes out, and this continues to be the direction the tide is taking.
 
Once these specific identifiers have been removed, the covered entity must have no actual knowledge that the remaining information could be used to identify the patient. If this “no actual knowledge” requirement has been satisfied, the PHI has been successfully de-identified under the safe harbor method.  There's the catch. As AI technology advances, this bar continues to move down to the point where the data is soon of very limited value. In other words, this safe harbor can only be used til the tide goes out, and this continues to be the direction the tide is taking.
  

Latest revision as of 13:54, 12 August 2022

Full Title or Meme

Literally Anonymous means no name.

Context

  • HTTP (used on Web Sites) was designed to operate without any identification and the REST protocol appears to enforce that paradigm. Cookies were invented to overcome that feature without the user even noticing.
  • Literally the term Anonymous means no name, but many users now mean that the name cannot be tracked back to the user. One would think that the term Pseudonymous would be what they mean, but somehow anonymous sounds more attractive to them. The confusion remains irreconcilable.

Problem

  • While some users may think that their attributes on distinct Web Sites cannot be correlated, research has shown that this goal will not be possible[1] That reality does not prevent users from trying to use Pseudonyms to remain Anonymous, but it will never work against a determined adversary.
  1. All HTTP connections come with an IP address which is often unique to the location of the computer.
  2. All HTTPS (secure) connections come with a session Identifier which is needed to maintain the secure connection.
  3. Most Web Sites record all HTTP connections for security purposes.
  4. If the user supply some sort of credential to allow access to site, the REST protocol effectively requires the use of cookies installed on the user machine to carry the sign in data from one HTTP request to the next.
  5. If the user expects any continuity from one sign in session to the next, some sort of user Identifier is required.
  • Perhaps the most clueless example of the false hope of anonymity is the sequencing company Nebula who offers to perform sequencing though the block chain for complete anonymity.[2] The problem, of course, is that there is no more sure indicator of your identity than you genome. In fact any police depart could immediate try to find you in a huge existing data base. But this is indicative of the utter cluelessness of the entire block-chain anonymity claims. In fact, they make searching for personal data easier than it has ever been before.
  • How AI can identify people even in anonymized datasets[3] Weekly social interactions form unique signatures that make people stand out

De-identification

Does HIPAA really allow PHI to be de-identified? (well - yes - sort of)

So long as information exists as PHI, its use and disclosure are both limited by the Privacy Rule. HIPAA safe harbor de-identification is the process of the removal of specified identifiers of the patient, and of the patient’s relatives, household members, and employers. The requirements of the HIPAA safe harbor de-identification process become fully satisfied if, and only if, after the removal of the specific identifiers, the covered entity has no actual knowledge that the remaining information could be used to identify the patient. Once protected health information has been de-identified, it is no longer considered to be PHI; as such, there are no longer restrictions on its use or disclosure. By definition, de-identified health information neither identifies nor provides a reasonable basis to identify a patient. Specific pieces of data (data elements) can, individually or in combination, be used to uniquely identify an individual. The following data elements can be used to uniquely identify, and, as such, must be de-identified under the safe harbor rule:

  • Names
  • Geographic locators = In the case of zip codes, covered entities are generally permitted to use the first three digits, provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals.
  • All elements of dates (except the year) that are related to an individual, including: admission and discharge dates, birth-date, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age.
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses (IP addresses can be used to identify physical addresses)
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers (i.e. the member ID on a patient’s health insurance card)
  • Device identifiers and serial numbers (medical devices are assigned unique serial numbers)
  • Certificate/license numbers (e.g., driver license numbers and birth certificate numbers)
  • Account numbers (e.g., bank account numbers)
  • Vehicle identifiers and serial numbers, including license plates
  • Website URLs If a URL is logged within a specific application, the URL can be used to uniquely identify an individual
  • Full face photos and comparable images
  • Biometric Identifiers (including fingerprints, voice prints, and retinal images)
  • Any unique identifying numbers, characteristics or codes

Once these specific identifiers have been removed, the covered entity must have no actual knowledge that the remaining information could be used to identify the patient. If this “no actual knowledge” requirement has been satisfied, the PHI has been successfully de-identified under the safe harbor method. There's the catch. As AI technology advances, this bar continues to move down to the point where the data is soon of very limited value. In other words, this safe harbor can only be used til the tide goes out, and this continues to be the direction the tide is taking.

  • Before you accept the idea that it is possible for someone to collect data about you that does not identifier you, consider this: the more attributes that are linked together, the larger the pool of [people that are not you] gets. Eventually it gets to the point where you are the only one left in the pool of people that the attributes describe.
  • As Artificial Intelligence gets better, it can extract more information from data. Consider that in 2022 an algorithm made it possible to identify people by their heartbeat So that value is now just another biometric identifier.

Solution

  • The most trustworthy Web Sites will tell you when they identify you, but it has not be historically necessary that they do so.
  • Current legislation from the EU and California requires Web Sites to be more forthcoming about how they collect and use data.
  • Well-meaning Technology Solutions are proclaimed every few months, none really work for any extended period of time if there is any Credential Aggregation needed by an individual. For example the State of Rhode Island cooperated with Brown University[4] to show how that state could overcome identification. Given the information in the first reference, it is only a matter of time before some other Academics will recover individual identities.

References

  1. Gina Kolata, Can Data be Fully Anonymous? New Algorithms can still identify you New York Times (2019-07-24) p A8.
  2. Megan Moteni,You can soon get Your DNA sequenced Anonymously (2019-09-19) https://www.wired.com/story/you-can-soon-get-your-dna-sequenced-anonymously
  3. Nikk Ogasa, How AI can identify people even in anonymized datasets Science News (2022-01-25) https://www.sciencenews.org/article/ai-identify-anonymous-data-phone-neural-network
  4. Justine S. Hastings +4, Unlocking Data to Improve Public Policy. CACM 62 (2019-10) p. 48ff