De-Identification

I suggest that this draft legislation incorporate an appropriate standard for de-identification, based on risk factors related to the potential for re-identification.  The HIPAA model represents at this point the most well-defined and sophisticated regulatory approach that I am aware of (there obviously are others, most of which also incorporate a risk based approach). The HIPAA rules incorporate a significant and carefully defined concept of de-identified information, whereby companies can make broader use of personal information that has been de-identified under this standard. This framework is designed to permit other beneficial secondary uses and disclosures of this information when privacy risks have been reduced to very small levels. I encourage incorporation of this kind of approach on a broader lever, to balance beneficial use of information with appropriate privacy protections.  I am not aware of (nor does the relevant literature define) any situation where an appropriately de-identified HIPAA data set as been re-identified.  While the HIPAA standard has not changed since it was adopted, it is a standard that must, operationally,  change with time, available data and context/situation, as the standard requires assessment of both new technology and additional data availability.  It also incorporates data protection components  beyond mere removal of data elements to include contractual controls and appropriate security protections as important components of de-identification.  In that sense it is a standard that adjusts over time to reflect different situations and new developments. I encourage inclusion of a standard incorporating these kinds of risk elements, as a means of permitting broader uses of data in situations where privacy risks are reduced, with these uses often (although clearly not always) reflecting important public goals including research, public health and other desirable activities.  I would also encourage consideration of one element that goes beyond HIPAA –  a prohibition on re-identification by entities receiving data that has been de-identified under this standard.