1 / 38

Anonymization of Health Care Data in Hungary

Anonymization of Health Care Data in Hungary. Zoltan Alexin, PhD., senior lecturer, University of Szeged, Dept. of Software Engineering Árpád tér 2. H-6720 Szeged, Hungary e-mail: alexin@inf.u-szeged.hu. Background and motivation. Since 2004

barney
Download Presentation

Anonymization of Health Care Data in Hungary

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Anonymization of Health Care Data in Hungary Zoltan Alexin, PhD., senior lecturer, University of Szeged, Dept. of Software Engineering Árpád tér 2. H-6720 Szeged, Hungary e-mail: alexin@inf.u-szeged.hu Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  2. Background and motivation • Since 2004 • Surveying the current state of data protection concerning to health data • Understanding existing operating procedures • Bringing together all legal rulings relevant to the topic (international documents, constitution of Hungary, laws, decrees) • Studying practices in different EU countries Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  3. My position • „A magánszféra lényegi fogalmi eleme éppen az, hogy az érintett akarata ellenére mások oda ne hatolhassanak be, illetőleg be se tekinthessenek. Ha a nem kívánt betekintés mégis megtörténik, akkor nemcsak önmagában a magánélethez való jog, hanem az emberi méltóság körébe tartozó egyéb jogosultsági elemek, mint pl. az önrendelkezési szabadság vagy a testi-személyi integritáshoz való jog is sérülhet.” • The essence of the private sphere is just that no one can intrude into it against the data subject’s will, and even cannot get an insight into it. If an unwanted intrusion is taken place this may violate not only the right to the privacy but the right to human dignitythat includes the right to self-determination and the right to full bodily and personal integrity. (Hungarian Constitutional Court, decision 36/2005., pp. 390-400) Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  4. Summary • A democratic society may restrict right to self-determination by a law referring to legal, economic or national security reasons, or in the vital interests of others • The society may not restrict the right to self-determination by a law in general provision of care referring to health reasons • The society may not restrict my privacy rights in medical research generally • Restrictions may be applied exceptionally, in the higher level interests of the society (that is clearly demonstrated), by a law • Data processing for medical research may be done without consent (if obtaining consent is not feasible), but this must not mean a restriction to self-determination, must not question data protection rights of the data subject • He or she may object to processing in advance or afterwards, may require access to, copy, rectify, or delete data, if it has not already been anonymized, i.e. may withdraw his/her presumed consent Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  5. Goals • Establish and increase data protection awareness both in the institutions and in the public • Find and warn on contradictions in the legal rulings • Promote necessary modifications • Synthesize legal, ethical and information technology expertise • Getting to know and understand how systems work in foreign countries Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  6. Instruments • Basic human rights derived from human dignity • Right to self-determination • Privacy right – the right to be left alone • International medical ethics • Data protection laws Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  7. Recent results • Decree of the Health Minister on non-invasive medical research (Decree no. 1/2007) • Act on genetic examinations, genetic research and functioning of biobanks, ([Human genetic] law XXI. of 2008) • Decision of the Constitutional Court of Hungary 1034/E/2005.announced on 15 September 2008 • Decision of the Constitutional Court of Hungary 1076/B/2006.announced on 16 March 2009 Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  8. Content of my talk • Preliminaries • The long way to the Decree on non-invasive research • Some protection rulings in the new human genetic law • The decisions of the Constitutional Court • Questions of anonymization Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  9. Treaties of the Council of Europe • Hungary has signed and entered into force the following treaties: • Rome Treaty (European Convention on Human Rights), – Act XXXI. of 1993 • Strasbourg Treaty (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data), – Act VI. of 1998 • Ovideo Treaty (Convention for the protection of Human Rights and dignity of the human being with regard to the application of biology and medicine: Convention on Human Rights and Biomedicine), – Act VI. of 2002 Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  10. Some deterrent findings 1 • In Hungaryno preliminary data protectioninformation is given in the health system although it is a crime to be sentenced up to 3 years imprisonment since 1993 • In 2004 almost all database research was done without ethical approval, although it is a crime to be sentenced up to 5 years imprisonment since 1997 (obviously such research are done without consent of research subjects and might be unethical) Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  11. Some deterrent findings 2 • Hospital information systems provide uncontrolled and unlimited access to any entered data to any medical professional whoever log into the system where patient’s data are retained for unspecified time (and this is intentionally done by design) • Any researcher can obtain anyone’s medical data for research purposes, although when making a copy of the data, it must not contain the name, address, date of birth, birthplace, and social security number of him/her. Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  12. Hungarian moral basis in 2004 • The legal basis of the health data processing is the force of the law • Building up and access to centralized health databases are at the discretion of the leading power of the Parliament (the data processors of the databases regarding themselves above the law, do not think of complying with the law, the law services their requests, and amended when needed) • Written (explicit) consent is nowhere used in the health system • In consequence to this, taking part in database research is based on enforcement of the law not on voluntary consent Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  13. Health data protection in 2004 • Patients have several veto rights • Many times these rights are denied from them because: • The stuff do not even know these rights • The organizational structure cannot handle vetoes • The information systems are not designed to cope with vetoes • Although medical legal instruments did not contain this, patients may object against using their health data for research purposes according to the DPA, but the organizational system cannot handle such objection Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  14. The inter-institutional medical system of EHR (IKIR) in 2008 • A demonstration project started in 2007 finished in 2008 for creating a multi-institutional EHR system that provides access to patients data from different health institutions • After registration to the national eGoverment system patients may access to their data, print their data, restrict the use of their data, see access log of their data • A centralized directory contains references to all available documents that are stored physically at the member institutes • The health DPA gave patients the right to veto against joining health data relating to them • So the ministry amended the law, deleted the right to vetoagainst joining from the law – that means, any personal health data is sent to the system by the force of the law Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  15. Development of the legal framework for non-invasive medical research • Non-invasive research: database research, questionnaires, and analyzing human tissue samples • The Act on health no. CLIV. of 1997 declared, that any medical research can be done after ethical approval and after obtaining voluntary written consent of research subjects (equivocally with the Ovideo Treaty) • But the law did not make provisions for how get ethical approval • In 2002, when the Ovideo Treaty was entered into force, a decree of the health minister no. 23/2002. was issued on how to get ethical approval for invasive research • In 2005 another decree no. 35/2005. was issued on pharmacological research – restricted the publicity of the research, required permission from OGYI (National Institute of Pharmacy), and centralized ethical review Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  16. Protecting privacy in Medical Research • Although the Helsinki Declaration of the WMA on medical research was adopted in 1964, it did not mean a moral obligation for Hungarian physicians/ researchers even in 2006 (after 42 years) • Processing personal data (tissue) was not considered assuch research that shell be done ethically and by consent • Z. Alexin: Protecting Privacy in Medical Research, in LegeArtisMedicinae, Vol. 16. No. 6., pp. 594-597, in Hungarian (2006) • The above paper argued that ethical approval and consent is needed for non-invasive research as well Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  17. The controversial decree no. 1/2007. of the health minister • It requires ethical approval for non-invasive research • Defines the procedure of the approval • The Parliament amended the law on health and the decree ruled that no retrospective database research requires consent and informing the data subject about the intended data processing (the minister did not take into account the opinion of the Data Protection Commissioner) • The decree provides for to publicize several data of public interests of the approved research plans by the Research Ethics Committees • No ethics committees comply with this provision yet in 2009  Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  18. Human genetic act – preliminary steps • The ministry of health created a bill on human genetic examination and research in 2004 • There was a public consultancy on the bill which resulted in many concerns • Although the bill was sent to the Parliament but it did not put it on agenda Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  19. In the first version of the law • The basis of processing the genetic samples and data is a written informed consent • Prohibit discrimination of humans on their genetic features • Prohibit employers and insurance companies accessing to the genetic data of their employees • There were three kinds of samples: identified, coded and anonymized • Keys must be stored separately, but by the same health institution • The law does not deal with data protection • The question of legacy tissue samples (they can be stored in the biobanksasanonymized samples) • Protection of joined genetic and other health data Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  20. Anonymity of genetic data and samples • According to the DPA of Hungary, DNA is inherently personal data • It provides an unbreakable link to a person from whom the DNA is originated • The link still exist even after death, for at least 1000 years (if remains of the body can be found) • Forensic identification, DNA fingerprint • Therefore: • Genetic data can be anonym, if the data do not contain enough information to identify a person whom the data is related to • On the other hand, genetic sample cannot be anonym • Scrapping off the identifier from the vial containing biological sample is not a suitable method for anonymization, instead it is an attempt to question the access rights of the human subjects to their personal data • Since personal data must be kept during its storage time in a form, that data subjects may execute their access rights, I proposed to make a genetic fingerprint for each sample, or prohibit such type of anonymization (only destroying of the sample is allowed, when it is not needed). Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  21. Anonymization of samples restrict self-determination in the future • Patient consented to give an anonym genetic sample for medical research • Genetic data from the patient_102342 is accumulated in a public database • Later (10-20 yers after) the same patient may require genetic examination that includes testing some genes that can already be found in the database too • Matching these data together the previousely anonym genetic research data may be re-identified, and reveal unwanted information about the patient Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  22. Some concerns to the bill • Involve an independent key holder or giving key to the patient • Enhancing genetic privacy by adding a protecting time frame after death, if the sample is taken from a deceased people • Restrict the amount of genetic information being mined from one sample • More detailed consent • Ensuring that samples cannot be anonymized against patient’s will (DNA fingerprinting) • Legalizing legacy tissue archives by calling for consent • Separate genetic and other health data • Increase data protection responsibility • Samples can be destroyed but genetic data are stored by the force of the law Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  23. The adopted version of the bill • For further use of legacy genetic data and tissue archives the institutions shell call for consent within given period of time • Either the genetic data or sample can be asked for being deleted • In certain cases (pseudomization) the key to the data or sample is at the disposal of the subject • Paragraphs that prevent employers and insurance companies access to genetic data were removed Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  24. Decisions of theConstitutional Court • 1034/E/2005.: According to the Hungarian Constitution equivocally with the ECHR (Rome Treaty) a decree of the(health) minister cannot establish, augment, or modify data protection rules set out a the law • 1076/B/2006.: The Constitutional Court annulled paragraphs in two decrees of the health minister on prescriptions because the minister was not authorize by the law to extend the usage of some personal data (Social security identifier, ICD-10 code). The court also announced that the Hungarian National Health Insurance Fund is authorized to use the social security number (unique personal identifier) only for the purposes to handle personal data of those care provisions that are financed by the national health fund. Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  25. This page left intentionally blank. Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  26. Anonymization issues • Relative anonymity: the researchers having access to the data cannot directly identify the data subject • Absolute anonymity: never in the future, no one, having access to the data cannot personally identify the data subject taking into account all possible data having already been created or being created in the future relating to the data subject (DPA of Hungary) • Undoubted anonymity: there is no considerable doubt that data subject can be identified from the data (HIPAA) Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  27. De-identifying and coding • De-identification: removing personal identifiers from the data (name, address, birthplace, date of birth, social security identification number • Example of original data(NHS, SUS Service Consultancy) • De-identified data • Coding: replacing personal identifiers with a code string (letters and numbers) • Coded (pseudomyzed) data Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  28. Stronger de-identification – the HIPAA guidelines • Removing direct personal identifiers are not enough • HIPAA guidelines, enlist more components to be removed • Geographical locations (street, number, city, county) • ZIP code if denotes a region having less than 20000 inhabitants • Numbers (car plate, phone, e-mail, insurance identifier, account, medical record, driving license, …) • Dates (except years, age if it is greater than 89) • URL, IP address • (Medical) device identifiers, serial numbers • Biometric identifiers like photoes, voice prints, fingerprints Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  29. Encoding and encryption • In the information technology coding means a method that makes to access to any small piece of information in the data impossible • Not only the personal identifiers, but the whole data is encrypted • One need to have (one or two) keys to decrypt the data • Two-key systems allow reading the information when both keys (e.g. from patient and doctor) are present • Keys must be long, so as not to enable systematically trying out all possible keys for description • Applying keys is a one-way mathematical method that cannot be reversed normally (only with decryption key) • Applying keys transforms data into an unreadable byte series Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  30. Comparing the methods • Coding results in personal data and allows joining data relating to the same people together (slight protection) • Hungarian researchers may access to joined personal medical data that shall be de-identified if copied (very slight protection) • HIPAA guideline are not used in Hungary • Identifiable health data is deliberately sent electronically from one place to another without encryption • Computer networks in some cases are using encrypted communication methods to transfer data • GP-s have to send their monthly report to the national health insurance fund containing all ICD-10 codes of diseases and all prescriptions data about their identified patients on floppies in a human readable textual format Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  31. Scientific Journals • Due to the nature of their role, they are containing many additional information that helps to identify patients like: • Name of medical institutions • Departments of Hospitals/Clinics/Universities • Names of medical experts • Dates • References to cooperation, research projects Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  32. Single decimal number can be a key to identification • Imagine a scientific paper with the following settings • There is a table of vital parameters of the patients • If we know that patient #8 is man of 40 having lung cancer, then together with the name of the experts, the time frame of the research, the name of the clinics etc. • What if papers says that patient #8 carries a gene of a pschychyatric (sexual) disease? Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  33. Medical databases • Stripping the context from the data • Ensures more privacy than a paper • It presents a little risk to the privacy rights (mainly if data is processed in a foreign country) • But still can be assumed that by joining back to the original healthcare databases patients can be re-identified • A probabilistic distortion method was suggested by J. Gehrke (Cornell University, http://www.cs.cornell.edu/johannes/ Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  34. Anonymization by distortion • Adding a small (ε) probabilistic number (positive, negative or zero) to the values in the table • Can be mathematically tailored (customized) • Statistical properties of the attributes may remain the same • Data cannot be joined by simply testing equality of attributes • Concordance measure between two different attributes may be harmed • Bring in uncertainty even if values are the same Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  35. EuroSOCAP Project (FP6) • Anonymization places data outside the reach of the data protection principles. Administrators and researchers have a special interest to claim the data they are processing has been rendered anonymous in the terms of the 95/46/EC Directive. However, in these terms, personal data is only rendered anonymous if it is no longer possible for anyone to identify the data subject from the data itself or from this in combination with any other means that offer a reasonable likelihood of being able to reveal the identity of the data subject. Thus, for example, where a researcher holds data in a form that does not enable the researcher to identify the data subject, but someone else holds a code that enables that person to do so, the processing done by the researcher is not processing of data rendered anonymous. However, it is not unknown for researchers to claim that they are processing anonymized data when others, or even they themselves, can identify the data subject by various straightforward means. For example, researchers usually describe any data that does not have the subject’s name attached as anonymous. In practice, designating data as ‘anonymous’ is a value judgment, and researchers should not use the term at all, but simply describe the form in which the data will be kept and processed, leaving it to the Ethics Committees and data subjects to decide what significance that has. • European Standards on Confidentiality and Privacy in Healthcare, pages 18-19 Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  36. Strategy for data subjects • Avoid personal data related to them being stored(Avoidance from data being processed, Peter Schaar) • If personal data processing is necessary, then • At the quickest time, when data are not needed any longer ask for deletion of data • For the length of the retention time, keep data in identifiable form so as to be able to execute his rights to access to the data, follow the processing the data, etc. • The risk of breaching privacy rights is increasing as time elapse Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  37. Conclusion • The solution cannot be found in mathematics and law • All problems are questions of respecting others personal rights, questions of respecting human dignity • Article 8. of the European Convention on Human Rights could be a stable moral position • The Nürnberg Code and the Ovideo Treaty say the same: the moral and ethical basis of the medical research must be a consent – i.e. generally people cannot be forced to participate in a research by power of the law • Medical data belongs to the private sphere, like home • Usually the home of the people is not inspected for research purposes against the owner’s will Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

  38. Thank you for your attention! Z. Alexin: Anonymization of Health Care Data ... Tiss.EU Project Workshop 6-7 April, 2009

More Related