The Risks to Patient Privacy from Publishing Data from Clinical Anesthesia Studies

In this article, we consider the privacy implications of posting data from small, randomized trials, observational studies, or case series in anesthesia from a few (e.g., 1–3) hospitals. Prior to publishing such data as supplemental digital content, the authors remove attributes that could be used to re-identify individuals, a process known as “anonymization.” Posting health information that has been properly “de-identified” is assumed to pose no risks to patient privacy. Yet, computer scientists have demonstrated that this assumption is flawed. We consider various realistic scenarios of how the publication of such data could lead to breaches of patient privacy. Several examples of successful privacy attacks are reviewed, as well as the methods used. We survey the latest models and methods from computer science for protecting health information and their application to posting data from small anesthesia studies. To illustrate the vulnerability of such published data, we calculate the “population uniqueness” for patients undergoing one or more surgical procedures using data from the State of Texas. For a patient selected uniformly at random, the probability that an adversary could match this patient’s record to a unique record in the state external database was 42.8% (SE < 0.1%). Despite the 42.8% being an unacceptably high level of risk, it underestimates the risk for patients from smaller states or provinces. We propose an editorial policy that greatly reduces the likelihood of a privacy breach, while supporting the goal of transparency of the research process.

[1]  Jonathan P Wanderer,et al.  Validation of a Risk Stratification Index and Risk Quantification Index for Predicting Patient Outcomes: In-hospital Mortality, 30-day Mortality, 1-year Mortality, and Length-of-stay , 2013, Anesthesiology.

[2]  José Luis Fernández Alemán,et al.  Security and privacy in electronic health records: A systematic literature review , 2013, J. Biomed. Informatics.

[3]  Franklin Dexter,et al.  Use of Discharge Abstract Databases to Differentiate among Pediatric Hospitals Based on Operative Procedures: Surgery in Infants and Young Children in the State of Iowa , 2003, Anesthesiology.

[4]  E. Steyerberg,et al.  Predicting the Unpredictable: A New Prediction Model for Operating Room Times Using Individual Characteristics and the Surgeon's Estimate , 2010, Anesthesiology.

[5]  Vitaly Shmatikov,et al.  Robust De-anonymization of Large Sparse Datasets , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[6]  Franklin Dexter,et al.  Statistical grand rounds: Importance of appropriately modeling procedure and duration in logistic regression studies of perioperative morbidity and mortality. , 2011, Anesthesia and analgesia.

[7]  Wei Zhao,et al.  Privacy-Preserving OLAP: An Information-Theoretic Approach , 2011, IEEE Transactions on Knowledge and Data Engineering.

[8]  A. Casadevall,et al.  Reproducible Science , 2010, Infection and Immunity.

[9]  Bradley Malin,et al.  Never too old for anonymity: a statistical standard for demographic data sharing via the HIPAA Privacy Rule , 2011, J. Am. Medical Informatics Assoc..

[10]  F. Dexter,et al.  What Is the Relative Frequency of Uncommon Ambulatory Surgery Procedures Performed in the United States with an Anesthesia Provider? , 2000, Anesthesia and analgesia.

[11]  Franklin Dexter,et al.  Estimating Surgical Case Durations and Making Comparisons Among Facilities: Identifying Facilities with Lower Anesthesia Professional Fees , 2013, Anesthesia and analgesia.

[12]  Josep Domingo-Ferrer,et al.  Inference Control in Statistical Databases, From Theory to Practice , 2002 .

[13]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[14]  F. Dexter,et al.  What Sample Sizes are Required for Pooling Surgical Case Durations among Facilities to Decrease the Incidence of Procedures with Little Historical Data? , 2002, Anesthesiology.

[15]  Franklin Dexter,et al.  Quantifying Effect of a Hospital’s Caseload for a Surgical Specialty on That of Another Hospital Using Multi-Attribute Market Segments , 2005, Health care management science.

[16]  F. Dexter,et al.  Calculating the probability of random sampling for continuous variables in submitted or published randomised controlled trials , 2015, Anaesthesia.

[17]  J. Ledolter,et al.  Influence of Procedure Classification on Process Variability and Parameter Uncertainty of Surgical Case Durations , 2010, Anesthesia and analgesia.

[18]  Jimeng Sun,et al.  Publishing data from electronic health records while preserving privacy: A survey of algorithms , 2014, J. Biomed. Informatics.

[19]  Franklin Dexter,et al.  Application of a Similarity Index to State Discharge Abstract Data to Identify Opportunities for Growth of Surgical and Anesthesia Practices , 2007, Anesthesia and analgesia.

[20]  F. Dexter,et al.  Optimizing the Arrival, Waiting, and NPO Times of Children on the Day of Pediatric Endoscopy Procedures , 2010, Anesthesia and analgesia.

[21]  L Sweeney,et al.  Weaving Technology and Policy Together to Maintain Confidentiality , 1997, Journal of Law, Medicine & Ethics.

[22]  Franklin Dexter,et al.  Differentiating among Hospitals Performing Physiologically Complex Operative Procedures in the Elderly , 2004, Anesthesiology.

[23]  Rob J. Hyndman,et al.  Encouraging replication and reproducible research , 2010 .

[24]  Heng Huang,et al.  No Silver Bullet: Identifying Security Vulnerabilities in Anonymization Protocols for Hospital Databases , 2012, Int. J. Heal. Inf. Syst. Informatics.

[25]  E. Mascha,et al.  Development and Validation of a Risk Quantification Index for 30-Day Postoperative Mortality and Morbidity in Noncardiac Surgical Patients , 2011, Anesthesiology.

[26]  B. Malin,et al.  Correction: A Systematic Review of Re-Identification Attacks on Health Data , 2015, PloS one.

[27]  Latanya Sweeney,et al.  k-Anonymity: A Model for Protecting Privacy , 2002, Int. J. Uncertain. Fuzziness Knowl. Based Syst..