As electronic health records start to become pervasive in physician practices--thanks in no small measure to federal incentives--there's a growing worry that electronically-collected health data could violate individual privacy, even when the data has been stripped of personally identifiable information.

Testifying before a House panel on Sept. 30, Deven McGraw, director of the health privacy project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee, warned that de-identified health data released for analytical purposes can still be traced back to individuals.

"There is value to making data that has a very low risk of re-identification available for a broad range of purposes, as long as the standards for de-identification are rigorous, and there are sufficient prohibitions against re-identification. Neither condition is present today," McGraw wrote in her prepared testimony for the House Science and Technology subcommittee on technology and innovation.

Although the Health Insurance Portability and Accountability Act generally protects patient privacy, it does not extend to health information that qualifies as "de-identified," McGraw said. As a result, if a recipient of de-identified data then re-identifies the patients in question, there's nothing in HIPAA to prevent that, she added. Third parties could use information in supposedly de-identified data such as date of service, left there for research purposes such as tracking health trends.

The Office of the National Coordinator for Health IT is studying the issue. Its head, David Blumenthal--who once assured a public audience that a data exchange model used for health purposes is not a CIA plot--told the House panel that the study is ongoing.

Even when the Health and Human Services Department does arrive at a consensus of what level of risk for re-identification is acceptable, that consensus will have to be continually re-assessed, Blumenthal added.

It's "going to require that we continually look at the Internet and the information that's available...It's a judgment that we're going to have to continue to make based on how the technology advances," he said.

For more:
- go to the hearing webpage, or directly to the webcast
- download Deven McGraw's prepared testimony (.pdf)

Related Articles:
Report: EHRs will capture only a minority of meaningful use data
'Meaningful use' EHR rule now final
Blumenthal: NIEM is not a CIA Trojan Horse