zoltan alexin, phd., senior lecturer, university of szeged, dept. of software engineering Árpád...

Zoltan Alexin, PhD., senior lecturer,University of Szeged, Dept. of Software

EngineeringÁrpád tér 2. H-6720 Szeged, Hungary

e-mail: [email protected]

Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

Background and motivationSince 2004Surveying the current state of data

protection concerning to health dataUnderstanding existing operating proceduresBringing together all legal rulings relevant to

the topic (international documents, constitution of Hungary, laws, decrees)

Studying practices in different EU countries


My position„A magánszféra lényegi fogalmi eleme éppen az, hogy az

érintett akarata ellenére mások oda ne hatolhassanak be, illetőleg be se tekinthessenek. Ha a nem kívánt betekintés mégis megtörténik, akkor nemcsak önmagában a magánélethez való jog, hanem az emberi méltóság körébe tartozó egyéb jogosultsági elemek, mint pl. az önrendelkezési szabadság vagy a testi-személyi integritáshoz való jog is sérülhet.”

The essence of the private sphere is just that no one can intrude into it against the data subject’s will, and even cannot get an insight into it. If an unwanted intrusion is taken place this may violate not only the right to the privacy but the right to human dignity that includes the right to self-determination and the right to full bodily and personal integrity. (Hungarian Constitutional Court, decision 36/2005., pp. 390-400)


SummaryA democratic society may restrict right to self-determination

by a law referring to legal, economic or national security reasons, or in the vital interests of others

The society may not restrict the right to self-determination by a law in general provision of care referring to health reasons

The society may not restrict my privacy rights in medical research generally

Restrictions may be applied exceptionally, in the higher level interests of the society (that is clearly demonstrated), by a law

Data processing for medical research may be done without consent (if obtaining consent is not feasible), but this must not mean a restriction to self-determination, must not question data protection rights of the data subjectHe or she may object to processing in advance or afterwards,

may require access to, copy, rectify, or delete data, if it has not already been anonymized, i.e. may withdraw his/her presumed consent


GoalsEstablish and increase data protection

awareness both in the institutions and in the public

Find and warn on contradictions in the legal rulings

Promote necessary modificationsSynthesize legal, ethical and information

technology expertise Getting to know and understand how

systems work in foreign countriesZ. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

InstrumentsBasic human rights derived from human

dignityRight to self-determinationPrivacy right – the right to be left alone

International medical ethicsData protection laws


Recent resultsDecree of the Health Minister on non-invasive

medical research (Decree no. 1/2007)Act on genetic examinations, genetic research

and functioning of biobanks, ([Human genetic] law XXI. of 2008)

Decision of the Constitutional Court of Hungary 1034/E/2005. announced on 15 September 2008

Decision of the Constitutional Court of Hungary 1076/B/2006. announced on 16 March 2009


Content of my talkPreliminariesThe long way to the Decree on non-invasive

researchSome protection rulings in the new human

genetic lawThe decisions of the Constitutional CourtQuestions of anonymization


Treaties of the Council of EuropeHungary has signed and entered into force the

following treaties:Rome Treaty (European Convention on Human

Rights), – Act XXXI. of 1993Strasbourg Treaty (Convention for the

Protection of Individuals with regard to Automatic Processing of Personal Data), – Act VI. of 1998

Ovideo Treaty (Convention for the protection of Human Rights and dignity of the human being with regard to the application of biology and medicine: Convention on Human Rights and Biomedicine), – Act VI. of 2002


Some deterrent findings 1In Hungary no preliminary data protection

information is given in the health system although it is a crime to be sentenced up to 3 years imprisonment since 1993

In 2004 almost all database research was done without ethical approval, although it is a crime to be sentenced up to 5 years imprisonment since 1997 (obviously such research are done without consent of research subjects and might be unethical)


Some deterrent findings 2Hospital information systems provide

uncontrolled and unlimited access to any entered data to any medical professional whoever log into the system where patient’s data are retained for unspecified time (and this is intentionally done by design)

Any researcher can obtain anyone’s medical data for research purposes, although when making a copy of the data, it must not contain the name, address, date of birth, birthplace, and social security number of him/her.


Hungarian moral basis in 2004The legal basis of the health data processing is the

force of the lawBuilding up and access to centralized health databases

are at the discretion of the leading power of the Parliament (the data processors of the databases regarding themselves above the law, do not think of complying with the law, the law services their requests, and amended when needed)

Written (explicit) consent is nowhere used in the health system

In consequence to this, taking part in database research is based on enforcement of the law not on voluntary consent


Health data protection in 2004Patients have several veto rightsMany times these rights are denied from them

because:The stuff do not even know these rightsThe organizational structure cannot handle vetoesThe information systems are not designed to cope

with vetoesAlthough medical legal instruments did not contain

this, patients may object against using their health data for research purposes according to the DPA, but the organizational system cannot handle such objection


The inter-institutional medical system of EHR (IKIR) in 2008A demonstration project started in 2007 finished in 2008

for creating a multi-institutional EHR system that provides access to patients data from different health institutions

After registration to the national eGoverment system patients may access to their data, print their data, restrict the use of their data, see access log of their data

A centralized directory contains references to all available documents that are stored physically at the member institutes

The health DPA gave patients the right to veto against joining health data relating to themSo the ministry amended the law, deleted the right to veto

against joining from the law – that means, any personal health data is sent to the system by the force of the law


Development of the legal framework for non-invasive medical research

Non-invasive research: database research, questionnaires, and analyzing human tissue samples

The Act on health no. CLIV. of 1997 declared, that any medical research can be done after ethical approval and after obtaining voluntary written consent of research subjects (equivocally with the Ovideo Treaty)

But the law did not make provisions for how get ethical approval

In 2002, when the Ovideo Treaty was entered into force, a decree of the health minister no. 23/2002. was issued on how to get ethical approval for invasive research

In 2005 another decree no. 35/2005. was issued on pharmacological research – restricted the publicity of the research, required permission from OGYI (National Institute of Pharmacy), and centralized ethical review


Protecting privacy in Medical ResearchAlthough the Helsinki Declaration of the WMA on

medical research was adopted in 1964, it did not mean a moral obligation for Hungarian physicians/ researchers even in 2006 (after 42 years)

Processing personal data (tissue) was not considered as such research that shell be done ethically and by consent

Z. Alexin: Protecting Privacy in Medical Research, in Lege Artis Medicinae, Vol. 16. No. 6., pp. 594-597, in Hungarian (2006)

The above paper argued that ethical approval and consent is needed for non-invasive research as well


The controversial decree no. 1/2007. of the health ministerIt requires ethical approval for non-invasive research

Defines the procedure of the approval The Parliament amended the law on health and the

decree ruled that no retrospective database research requires consent and informing the data subject about the intended data processing (the minister did not take into account the opinion of the Data Protection Commissioner)

The decree provides for to publicize several data of public interests of the approved research plans by the Research Ethics Committees

No ethics committees comply with this provision yet in 2009


Human genetic act – preliminary stepsThe ministry of health created a bill on

human genetic examination and research in 2004

There was a public consultancy on the bill which resulted in many concerns

Although the bill was sent to the Parliament but it did not put it on agenda


In the first version of the lawThe basis of processing the genetic samples and data

is a written informed consentProhibit discrimination of humans on their genetic

featuresProhibit employers and insurance companies

accessing to the genetic data of their employeesThere were three kinds of samples: identified, coded

and anonymizedKeys must be stored separately, but by the same

health institutionThe law does not deal with data protectionThe question of legacy tissue samples (they can be

stored in the biobanks as anonymized samples)Protection of joined genetic and other health data


Anonymity of genetic data and samples According to the DPA of Hungary, DNA is inherently personal data It provides an unbreakable link to a person from whom the DNA is

originated The link still exist even after death, for at least 1000 years (if remains of

the body can be found) Forensic identification, DNA fingerprint Therefore:

Genetic data can be anonym, if the data do not contain enough information to identify a person whom the data is related to

On the other hand, genetic sample cannot be anonym Scrapping off the identifier from the vial containing biological sample

is not a suitable method for anonymization, instead it is an attempt to question the access rights of the human subjects to their personal data

Since personal data must be kept during its storage time in a form, that data subjects may execute their access rights, I proposed to make a genetic fingerprint for each sample, or prohibit such type of anonymization (only destroying of the sample is allowed, when it is not needed).


Anonymization of samples restrict self-determination in the futurePatient consented to give an anonym genetic

sample for medical researchGenetic data from the patient_102342 is

accumulated in a public databaseLater (10-20 yers after) the same patient may

require genetic examination that includes testing some genes that can already be found in the database too

Matching these data together the previousely anonym genetic research data may be re-identified, and reveal unwanted information about the patient


Some concerns to the billInvolve an independent key holder or giving key to the

patientEnhancing genetic privacy by adding a protecting time

frame after death, if the sample is taken from a deceased people

Restrict the amount of genetic information being mined from one sample

More detailed consentEnsuring that samples cannot be anonymized against

patient’s will (DNA fingerprinting)Legalizing legacy tissue archives by calling for consentSeparate genetic and other health dataIncrease data protection responsibilitySamples can be destroyed but genetic data are stored by

the force of the lawZ. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

The adopted version of the billFor further use of legacy genetic data and

tissue archives the institutions shell call for consent within given period of time

Either the genetic data or sample can be asked for being deleted

In certain cases (pseudomization) the key to the data or sample is at the disposal of the subject

Paragraphs that prevent employers and insurance companies access to genetic data were removed


Decisions of theConstitutional Court

1034/E/2005.: According to the Hungarian Constitution equivocally with the ECHR (Rome Treaty) a decree of the (health) minister cannot establish, augment, or modify data protection rules set out a the law

1076/B/2006.: The Constitutional Court annulled paragraphs in two decrees of the health minister on prescriptions because the minister was not authorize by the law to extend the usage of some personal data (Social security identifier, ICD-10 code). The court also announced that the Hungarian National Health Insurance Fund is authorized to use the social security number (unique personal identifier) only for the purposes to handle personal data of those care provisions that are financed by the national health fund.


This page left intentionally blank.


Anonymization issuesRelative anonymity: the researchers having access

to the data cannot directly identify the data subject

Absolute anonymity: never in the future, no one, having access to the data cannot personally identify the data subject taking into account all possible data having already been created or being created in the future relating to the data subject (DPA of Hungary)

Undoubted anonymity: there is no considerable doubt that data subject can be identified from the data (HIPAA)


De-identifying and codingDe-identification: removing personal identifiers

from the data (name, address, birthplace, date of birth, social security identification number

Example of original data (NHS, SUS Service Consultancy)

De-identified dataCoding: replacing personal identifiers with a

code string (letters and numbers)Coded (pseudomyzed) data


Stronger de-identification – the HIPAA guidelinesRemoving direct personal identifiers are not enoughHIPAA guidelines, enlist more components to be removed Geographical locations (street, number, city, county)ZIP code if denotes a region having less than 20000

inhabitantsNumbers (car plate, phone, e-mail, insurance identifier,

account, medical record, driving license, …)Dates (except years, age if it is greater than 89)URL, IP address(Medical) device identifiers, serial numbersBiometric identifiers like photoes, voice prints,

fingerprints


Encoding and encryptionIn the information technology coding means a method

that makes to access to any small piece of information in the data impossible

Not only the personal identifiers, but the whole data is encrypted

One need to have (one or two) keys to decrypt the dataTwo-key systems allow reading the information when

both keys (e.g. from patient and doctor) are presentKeys must be long, so as not to enable systematically

trying out all possible keys for descriptionApplying keys is a one-way mathematical method that

cannot be reversed normally (only with decryption key)Applying keys transforms data into an unreadable byte

seriesZ. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

Comparing the methodsCoding results in personal data and allows joining data

relating to the same people together (slight protection)Hungarian researchers may access to joined personal

medical data that shall be de-identified if copied (very slight protection)

HIPAA guideline are not used in HungaryIdentifiable health data is deliberately sent electronically

from one place to another without encryptionComputer networks in some cases are using encrypted

communication methods to transfer dataGP-s have to send their monthly report to the national

health insurance fund containing all ICD-10 codes of diseases and all prescriptions data about their identified patients on floppies in a human readable textual format


Scientific JournalsDue to the nature of their role, they are

containing many additional information that helps to identify patients like:Name of medical institutionsDepartments of Hospitals/Clinics/UniversitiesNames of medical expertsDatesReferences to cooperation, research projects


Single decimal number can be a key to identificationImagine a scientific paper with the following settingsThere is a table of vital parameters of the patients


Parameter 1 Parameter 2

Patient #8 4.56 5.17

Patient #9 3.03 6.12

If we know that patient #8 is man of 40 having lung cancer, then together with the name of the experts, the time frame of the research, the name of the clinics etc.

What if papers says that patient #8 carries a gene of a pschychyatric (sexual) disease?

Medical databasesStripping the context from the dataEnsures more privacy than a paperIt presents a little risk to the privacy rights

(mainly if data is processed in a foreign country)But still can be assumed that by joining back to

the original healthcare databases patients can be re-identified

A probabilistic distortion method was suggested by J. Gehrke (Cornell University, http://www.cs.cornell.edu/johannes/


Anonymization by distortionAdding a small (ε) probabilistic number

(positive, negative or zero) to the values in the table

Can be mathematically tailored (customized)Statistical properties of the attributes may

remain the sameData cannot be joined by simply testing equality

of attributesConcordance measure between two different

attributes may be harmedBring in uncertainty even if values are the same


EuroSOCAP Project (FP6) Anonymization places data outside the reach of the data protection

principles. Administrators and researchers have a special interest to claim the data they are processing has been rendered anonymous in the terms of the 95/46/EC Directive. However, in these terms, personal data is only rendered anonymous if it is no longer possible for anyone to identify the data subject from the data itself or from this in combination with any other means that offer a reasonable likelihood of being able to reveal the identity of the data subject. Thus, for example, where a researcher holds data in a form that does not enable the researcher to identify the data subject, but someone else holds a code that enables that person to do so, the processing done by the researcher is not processing of data rendered anonymous. However, it is not unknown for researchers to claim that they are processing anonymized data when others, or even they themselves, can identify the data subject by various straightforward means. For example, researchers usually describe any data that does not have the subject’s name attached as anonymous. In practice, designating data as ‘anonymous’ is a value judgment, and researchers should not use the term at all, but simply describe the form in which the data will be kept and processed, leaving it to the Ethics Committees and data subjects to decide what significance that has.

European Standards on Confidentiality and Privacy in Healthcare, pages 18-19


Strategy for data subjectsAvoid personal data related to them being stored

(Avoidance from data being processed, Peter Schaar)

If personal data processing is necessary, thenAt the quickest time, when data are not needed any

longer ask for deletion of dataFor the length of the retention time, keep data in

identifiable form so as to be able to execute his rights to access to the data, follow the processing the data, etc.

The risk of breaching privacy rights is increasing as time elapse


ConclusionThe solution cannot be found in mathematics and lawAll problems are questions of respecting others personal

rights, questions of respecting human dignityArticle 8. of the European Convention on Human Rights

could be a stable moral positionThe Nürnberg Code and the Ovideo Treaty say the same:

the moral and ethical basis of the medical research must be a consent – i.e. generally people cannot be forced to participate in a research by power of the law

Medical data belongs to the private sphere, like homeUsually the home of the people is not inspected for

research purposes against the owner’s will


Thank you for your attention!


zoltan alexin, phd., senior lecturer, university of szeged, dept. of software engineering Árpád...

Documents