Protecting patient geo-privacy via a triangular displacement geo-masking method

Protecting patient geo-privacy while allowing for valid geographic analyses of the data is a major challenge [1]. As a consequence, a variety of methods, called geo-masking methods, have been introduced to mask patients' locational information [2]. This study assessed the five main geo-masking methods cited by [3] in terms of re-identification risk and performance. These five methods are Random Direction and Fixed Radius, Random Perturbation within a Circle, Gaussian Displacement, Donut Masking, and Bimodal Gaussian Displacement. Based on the assessment, the study highlighted two major gaps in the design of these geo-masking methods. First, all five geo-masking methods use only population density to calculate the displacement distance between a point's original location and its new location. Other criteria that might be as important as population density were not considered in designing these five methods. These include data sensitivity, research types, quasi-indicator availability, availability of previously generated maps, end-user types, and the possibility of temporal synergy of data. Second, the Donut Masking and the Bimodal Gaussian Displacement methods were found to be superior in terms of minimizing re-identification risk, but they were also found to consume much more processing power than the other three geo-masking methods. To address these gaps, this study proposed a new geo-masking method called "Triangular Displacement". The primary design, development, and evaluation of the Triangular Displacement method were based on the Design Science Research (DSR) Process Model [4], also known as DSRM. The expected next step is to implement the resultant geo-masking method as a tool to help healthcare data guardians de-identify large sets of PHR automatically. A pilot study with a large Southern Californian healthcare provider has been outlined to examine the efficacy of the developed solution.

[1] Irene Casas, et al. Protection of Geoprivacy and Accuracy of Spatial Information: How Effective Are Geographical Masks?, 2004, Cartogr. Int. J. Geogr. Inf. Geovisualization.

[2] Jacqueline Warren Mills, et al. Geospatial Analysis: A Comprehensive Guide to Principles, Techniques, and Software Tools, Second Edition - by Michael J. de Smith, Michael F. Goodchild, and Paul A. Longley, 2008, Trans. GIS.

[3] A. Leyland, et al. Empirical Bayes methods for disease mapping, 2005, Statistical methods in medical research.

[4] Xun Shi, et al. Kernel density estimation with geographically masked points, 2009, 2009 17th International Conference on Geoinformatics.

[5] F. Benjamin Zhan, et al. Considering Risk Locations When Defining Perturbation Zones for Geomasking, 2012, Cartogr. Int. J. Geogr. Inf. Geovisualization.

[6] B. Fitzgerald. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 2015.

[7] Ashwin Machanavajjhala, et al. Privacy: Theory meets Practice on the Map, 2008, 2008 IEEE 24th International Conference on Data Engineering.

[8] M. Leitner, et al. A first step towards a framework for presenting the location of confidential point data on maps—results of an empirical perceptual study, 2006, Int. J. Geogr. Inf. Sci.

[9] Samir Chatterjee, et al. A Design Science Research Methodology for Information Systems Research, 2008.

[10] Andrew Curtis, et al. Confidentiality risks in fine scale aggregations of health data, 2011, Comput. Environ. Urban Syst.

[11] Khaled El Emam, et al. Protecting privacy using k-anonymity, 2008, Journal of the American Medical Informatics Association: JAMIA.

[12] Dale L. Zimmerman, et al. Quantifying the Effects of Mask Metadata Disclosure and Multiple Releases on the Confidentiality of Geographically Masked Health Data, 2007.

[13] J. Marc Overhage, et al. Application of Information Technology: A Context-sensitive Approach to Anonymizing Spatial Surveillance Data: Impact on Outbreak Detection, 2006, J. Am. Medical Informatics Assoc.

[14] Latanya Sweeney, et al. Guaranteeing anonymity when sharing medical data, the Datafly System, 1997, AMIA.

[15] Gerard Rushton, et al. Geocoding in cancer research: a review, 2006, American journal of preventive medicine.

[16] P. Zandbergen. Ensuring Confidentiality of Geocoded Health Data: Assessing Geographic Masking Strategies for Individual-Level Data, 2014, Advances in medicine.

[17] G. Rushton, et al. Geographically masking health data to preserve confidentiality, 1999, Statistics in medicine.

[18] William B Allshouse, et al. Practice of Epidemiology Mapping Health Data: Improved Privacy Protection With Donut Method Geomasking, 2010.

[19] Robert P Kocher, et al. Hospital readmissions and the Affordable Care Act: paying for coordinated quality care, 2011, JAMA.

[20] Leah K VanWey, et al. Confidentiality and spatially explicit data: Concerns and challenges, 2005, Proceedings of the National Academy of Sciences of the United States of America.

[21] Shannon C. Wieland, et al. Revealing the spatial distribution of a disease while preserving privacy, 2008, Proceedings of the National Academy of Sciences.

[22] Alan R. Hevner, et al. Design Science in Information Systems Research, 2004, MIS Q.

[23] Jill E Sherman, et al. Confidentiality concerns with mapping survey data in reproductive health research, 2007, Studies in family planning.

[24] Nina H Fefferman, et al. Confidentiality and Confidence: Is Data Aggregation a Means to Achieve Both?, 2005, Journal of public health policy.