Model / Framework

Assessing and Minimizing Reidentification Risk in Research Data Derived from Health Care Records

Authors: {'first_name': 'Gregory E.', 'last_name': 'Simon'},{'first_name': 'Susan M.', 'last_name': 'Shortreed'},{'first_name': 'R. Yates', 'last_name': 'Coley'},{'first_name': 'Robert B.', 'last_name': 'Penfold'},{'first_name': 'Rebecca C.', 'last_name': 'Rossom'},{'first_name': 'Beth E.', 'last_name': 'Waitzfelder'},{'first_name': 'Katherine', 'last_name': 'Sanchez'},{'first_name': 'Frances L.', 'last_name': 'Lynch'}


Background: Sharing of research data derived from health system records supports the rigor and reproducibility of primary research and can accelerate research progress through secondary use. But public sharing of such data can create risk of re-identifying individuals, exposing sensitive health information.

Method: We describe a framework for assessing re-identification risk that includes: identifying data elements in a research dataset that overlap with external data sources, identifying small classes of records defined by unique combinations of those data elements, and considering the pattern of population overlap between the research dataset and an external source. We also describe alternative strategies for mitigating risk when the external data source can or cannot be directly examined.

Results: We illustrate this framework using the example of a large database used to develop and validate models predicting suicidal behavior after an outpatient visit. We identify elements in the research dataset that might create risk and propose a specific risk mitigation strategy: deleting indicators for health system (a proxy for state of residence) and visit year.

Discussion: Researchers holding health system data must balance the public health value of data sharing against the duty to protect the privacy of health system members. Specific steps can provide a useful estimate of re-identification risk and point to effective risk mitigation strategies.

Keywords: privacyelectronic health recordsconfidentialityHIPAAdata sharing 

Galley file missing.

Please contact support [at]