HHS wants contractor to test privacy of 'anonymous' data

The challenge is to see whether "de-identified" data can be "re-identified"

Can personal medical data that has been stripped of its identifiers to protect privacy later be used to identify a specific person? That is the question that the Health and Human Services Department is hoping a research contractor can answer.

HHS intends to hire a contractor to demonstrate either the “ability or inability” to re-identify data from a data set that has been de-identified under the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, according to a Jan. 4 notice on the Federal Business Opportunities Web site.

De-identification and re-identification of patient data have become hot issues in the discussion about how to protect patient privacy while advancing adoption of electronic health records. The Obama administration is distributing at least $17 billion in incentive payments to doctors and hospitals who buy and use digital systems for medical data.

HHS’ Office of the National Coordinator for Health Information Technology will handle the solicitation and task order award. No date or award amount was described in the public notice.

The contractor to be hired must have experience conducting comprehensive research on re-identifying a HIPAA de-identified data set, the notice states.

Under HIPAA, hospitals and other health care providers de-identify personal medical data by removing the 18 identifiers in the data. The hospital or other entity does not have actual knowledge that the data could be used alone or in combinations to identify the individual.

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

“The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude "brute force" matching, demonstrate the ability or inability to re-identify the data,” the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

To protect the privacy of the personal medical data to be used in the project, the data will be prohibited from being shared in either its de-identified form or any other forms created in the project, the notice adds.

The contractor must deliver a complete report of his or her results, including a thorough explanation of methods, and, if applicable, software and lab notes.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • People
    Dr. Ronny Jackson briefs the press on President Trump

    Uncertainty at VA after nominee withdraws

    With White House physician Adm. Ronny Jackson's withdrawal, VA watchers are wondering what's next for the agency and its planned $16 billion health IT modernization project.

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.