De-identification of free text data involves identifying protected health information (PHI) within medical records, specifically within free text data fields. It involves masking, coding, or replacing the captured PHI with irreversible values so that it is irreversible to unauthorized personnel. De-identification means that explicit identifiers are hidden or removed. It aims to comply with HIPAA Safe Harbor categories for de-identifying data. Natural language text can contain mistakes, and de-identification tools allow enabling or disabling the de-identification of certain information like patient names, locations, dates. Anonymization differs from de-identification in that it guarantees any dataset only contains ambiguous or multiple identical records so the data cannot be linked to identify a patient.
2. What is de-identification?
• Identification of PHI within medical records
• Specifically for our work: identification of PHI
within any free text data fields
• Masking, coding and/or replacing captured PHI
with irreversible values (i.e. irreversible to
unauthorized personnel) [Gupta et al., 2004]
• De-identification means that explicit identifiers are
hidden or removed [Meystre et al., 2010]
3. HIPAA Safe Harbour Categories
[Gupta et al., 2004; Neamatullah et al., 2008; Meystre et al., 2010]
Names [immediate issue of names of drugs Health plan beneficiary numbers
administered]
Geographic locations smaller than a Account numbers
state/county, including zip codes or post codes
All elements of dates except years relating to Certificate and license numbers
individuals e.g. admission/discharge dates
All elements of dates including year indicative of Vehicle identifiers e.g. Serial numbers and license
age > 89 [aggregation and age banding permitted plate numbers
as substitutions]
Telephone numbers Device identifiers and serial numbers (not
restricted to medical devices)
Fax numbers URLs
Email addresses IP addresses
Social security numbers Biometric identifiers (including finger and voice
prints)
Medical record numbers Any other unique identifying number,
characteristic or code (e.g. full-face photos, or
photos of scars and tattoos)
6. Examples (1): natural language contains mistakes
1. New patient at the surgery. Mrs Dobson has
hypertension and hyperthyroidism...
2. This is a follow-up appointment. Mrs courteney is
generally well. Discussed about compliance on
medication...
7. Examples (1): natural language contains mistakes
1. New patient at the surgery. [Patient name] has
hypertension and hyperthyroidism...
2. This is a follow-up appointment. Mrs courteney is
generally well. Discussed about compliance on
medication...
8. Examples (2): enabling or disabling de-identification
1. Mrs Jodie Joyce. 10 minute consultation, recently
moved into a new area of Leeds. Patient expressed
feeling busy and stressed at work.
2. [Patient name]. 10 minute consultation, recently
moved into a new area of [place name]. Patient
expressed feeling busy and stressed at work.
3. [Patient name]. 10 minute consultation, recently
moved into a new area of Leeds. Patient expressed
feeling busy and stressed at work.
9. References
Gupta; Saul; Gilbertson. 2004. Evaluation of a Deidentification (De-Id)
Software Engine to Share Pathology Reports and Clinical Documents for
Research. American Journal of Clinical Pathology. 121.(2): 176-186
Meystre; Friedlin; South; Shen; Samore. 2010. Automatic de-identification of
textual documents in the electronic health record: a review of recent
research. Medical Research Methodology 2010. 10.70
Neamatullah; Douglass; Lehman; Reisner; Villarroel; Long; Szolovits; Moody;
Mark; Clifford. 2008. Automated de-identification of free-text medical
records. In BMC Medical Informatics and Decision Making.
10. What is anonymisation for e-health?
And how does it differ from de-identification?
NLP
• Anonymisation is identification of PHI within medical text
• Then masking, coding and/or replacing captured PHI with irreversible
values i.e. irreversible to unauthorized personnel [Gupta et al., 2004]
Data storage/management
• Creation of datasets that contain no unique records
• This guarantees that any dataset only contains ambiguous records or
records with multiple identical instances [Berman, 2002]
Concepts
• Both terms are often used interchangeably, which is problematic
• There is a difference between anonymisation and de-identification
• Anonymisation implies that data cannot be linked to identify the patient
• Deidentification only means that explicit identifiers are hidden or removed
[Meystre et al., 2010]
Editor's Notes
PHI = personal health information. 2 step operation: (i) identification of PHI; (ii) removal or substitution. Medical records can be said to be anonymised and/or de-identified when the risk is very small that information can be used alone or in combination with other reasonably available information to re-identify individuals associated with those records.
HIPAA = Health Insurance Portability and Accountability ActQuestion: are these categories designed for structured as opposed to unstructured data?Names is a catch-all category, and needs further decomposition into sub-categories to be recognised by the algorithm.Indirect identifiers for sub-categories of [Name] might be: names of health care providers: physicians, labs, and hospitals; employers; relatives.Also, what about brand names e.g. of drugs?
Use screen dump from Saman here.
Not simply a case of turning the field on or off e.g. turning off the “done by” field in the above record
2 proper names to capture here.
The second name has been missed because the algorithm is looking for capitals as a clue to proper names.
Preserving the geographical location may be important to the research question. Therefore our system will allow researchers with the right level of access rights to customize the de-identification.
PHI = Protected Health InformationANONYMISATION: stripping patient identifiersDE-IDENTIFICATION: substituting false identifiersMedical records said to be anonymised and/or de-identified when risk is very small that info can be used alone or in combo with other reasonably available info to re-identify individuals associated with those records.