Patient Privacy Issues, Electronic Health Records, and De-Identified Data

Subject: Health IT
Pages: 4
Words: 1517
Reading time:
6 min

Annotated Bibliography

Kayaalp, M. (2018). Patient privacy in the era of big data. Balkan Medical Journal, 35(1), 8-17. Web.

The author has a Ph.D. degree in computer science and vast research interests, ranging from the implications of machine learning for medical informatics to cybersecurity issues within the healthcare field. His professional experiences include serving as the chief medical officer and participating in the development of the Integrated Advanced Information Management Systems project. The article explores patient data anonymization under HIPAA and critically reviews concerns regarding the underlying risks of sharing de-identified patient data for research and other purposes. Specifically, the source reviews the evolution of patient privacy concepts and examines the current de-identification strategies’ effectiveness with the help of the literature review method. The article explains the HIPAA security rules and the de-identification process in detail, which makes it relevant to the paper.

Murphy, S. (2015). Healthcare information security and privacy. McGraw-Hill Education. Web.

The author of this book, Sean Murphy, has a master’s degree in health services administration from Central Michigan University and a bachelor’s degree in human resource management from the University of Maryland. He has twenty years of experience as a healthcare information security expert and served as the Chief Information Security Officer during his time in the Air Force Medical Service. The author wanted to give information on how to provide health care while still maintaining the patient’s privacy. This book breaks down the different roles of those involved with providing health care. Murphy wrote this book so it could be used by experienced personnel in the healthcare information field and by new health information management workers. The chapters in this book that provide information on the risks to healthcare networks will be useful in my paper. HIPAA and the Privacy Act of 1974 are covered in this book and information on how to handle breaches in health information are discussed.

Wager, K. A., Lee, F. W., & Glaser, J. P. (2017). Health care information systems: A practical approach for health care management (4th ed.). Wiley. Web.

Two of the three authors of this book are professors at the Medical University of South Carolina (MUSC). They both served as the president of the South Carolina Healthcare Information and Management Systems Society (HIMSS) in the past. The third author has a Ph D in healthcare information management from the University of Minnesota. The authors wanted to educate future healthcare leaders with the knowledge and skills necessary to oversee information systems technology in this changing environment.

The book is well organized into four main parts with several chapters within them. Privacy and Security is discussed in chapter nine and that is the section that will be helpful in my paper. It provides information on HIPAA and on how to recognize threats to health care information, whether accidental or not. This chapter includes information about the legal protection of health care information, and it covers cybersecurity issues.


In the healthcare context, patient privacy is commonly listed among the fundamental human rights and serves as a measure of quality when it comes to new medical data management technology and improvements to electronic health record (EHR) applications. The Privacy Rule specified in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets privacy-related expectations. According to it, maintaining the right balance between consumer protection methods and granting access to health data for research purposes is the healthcare system’s crucial goal (Kayaalp, 2018). In the current data-sharing practices, the de-identified data of healthcare consumers can be shared with third parties for diverse purposes, including research and the establishment of decision support systems for providers (Kayaalp, 2018).

However, privacy breaches are possible even with de-identified or anonymized patient data. Considering the opportunities for re-identification, this situation is problematic and may require modern solutions. To maximize patient privacy in the EHR era, the U.S. Government should initiate the research of safer de-identification practices, including AI-based applications and EHR user engagement.


Patient privacy and providers’ ability to share healthcare consumers’ de-identified data has become a recognized issue recently. Even in the pre-EHR era, data sharing in the healthcare field was considered a crucial component of research, quality improvement, and patient care initiatives, including peer record review and academic training practices (Murphy, 2015). Data sharing between providers has been shown to save thousands of lives while also preventing extra healthcare expenses (Murphy, 2015). Data de-identification algorithms promoted by the National Institute of Standards and Technology and the HIPAA are positioned as conducive to patient privacy and risk-free data sharing (Murphy, 2015; Wager et al., 2017).

However, experts are concerned about vast opportunities for re-identification, and this fear’s root cause is likely to be linked with rapid technological development (Mandl & Perakslis, 2021). Specifically, advancements in AI technology could be the factor that contributes to the problem’s persistence. Therefore, the issue of rules related to sharing patients’ de-identified data under HIPAA affects a variety of parties, including researchers, healthcare providers, patients, and commercial third parties.

The one side of the argument

Making de-identified data treated similarly to protected and sensitive information will reduce opportunities for research instead of maximizing privacy, so maintaining and improving the effectiveness of current de-identification methods is preferable. Based on a review of studies that explore the opportunities for patient re-identification from their de-identified EHR data, Kayaalp (2018) demonstrates that the complete removal of demographic details as per HIPAA rules drastically reduces any privacy breach risks. In terms of genomic data from a public website, “the only successful method…for the re-identification…was using the birthdate, full ZIP code, and gender information” (Kayaalp, 2018, p. 12).

Protected health information is never shared without considering patients’ directions and permissions to maintain privacy (Murphy, 2015; Savage & Savage, 2020). Following the same procedures with large sets of already de-identified data could become a hindrance to national healthcare research and promote more fragmented scientific data. Furthermore, the promise of computational linguistics and AI for the improvement of de-identification applications is widely recognized (Kayaalp, 2018). Since the risks of patient re-identification from properly de-identified data are low, stricter data-sharing rules might be excessive.

The other side of the argument

Despite the arguments above, some researchers insist on the need for new legal protections for patients to prevent patient privacy breaches involving de-identified data. Specifically, Mandl and Perakslis (2021) claim that “treating de-identified data more similarly to protected health information,” including new contractual controls peculiar to sharing de-identified data with any commercial parties, will promote better outcomes (p. 2172).

Additionally, the authors propose the “behind the glass” access to data for outside parties, including any research agencies (Mandl & Perakslis, 2021, p. 2173). Finally, new provisions to prohibit any attempts to re-identify de-identified data are offered as a viable privacy maintenance measure (Mandl & Perakslis, 2021). The prohibition of re-identification attempts would involve incorporating one recent decision of health authorities in California at the national level to maximize the legal oversight of anonymous data use. To some degree, the suggestions may seem to be intuitively correct and patient-friendly. However, there is no sound research that would effectively demonstrate such provisions’ feasibility in terms of preventing actors with malicious intentions from misusing de-identified data.

Possible Solutions

Researching the means of producing and using de-identified health data without any risks to privacy breaches is recommended. The U.S. Federal Government should invest in new IT research projects to explore the potential of AI-powered de-identification and the opportunities for patient-involved anonymization. In de-identification tasks, AI might outperform human experts in terms of speed and consistency, minimizing the risks of a human error in data processing (Kayaalp, 2018). Another opportunity is exploring patient-involved de-identification, in which EHR users with adequate computer literacy would annotate their medical records to indicate non-PHI information that could reveal their identity (Kayaalp, 2018).

Such projects would help by taking the quality of de-identification to the next level. This solution’s positive aspects are the room for scientific discovery, the ability to enable patients to identify their personal privacy breach risks, and increasing de-identification productivity, whereas the negatives revolve around required investments. If these new EHR anonymization methods maximize privacy, research institutions in the U.S. will have fewer barriers to millions of de-identified records, resulting in further advancements in drug development and care provision. The subsequent optimization of healthcare costs is how the investment will be recouped.


Finally, to promote patient privacy without creating barriers to health research, the country’s authorities are recommended to explore the potential of new technology and patient engagement for data anonymization. In contrast to preventing the sharing of de-identified data as much as possible, the solution emphasizes the methods of making such data completely unusable for malicious purposes. However, it must be considered that achieving tangible results due to the proposed strategy might require time. At the same time, in the long-term perspective, the suggested research endeavors might improve healthcare researchers’ access to properly anonymized data that could not be re-identified, thus enabling new large-scale studies with real-life medical documents. This would help to maintain the standards of privacy while promoting the nation’s health through health research in enormous samples.


Kayaalp, M. (2018). Patient privacy in the era of big data. Balkan Medical Journal, 35(1), 8-17. Web.

Mandl, K. D., & Perakslis, E. D. (2021). HIPAA and the leak of “deidentified” EHR data. The New England Journal of Medicine, 384(23), 2171-2173. Web.

Murphy, S. (2015). Healthcare information security and privacy. McGraw-Hill Education. Web.

Savage, M., & Savage, L. C. (2020). Doctors routinely share health data electronically under HIPAA, and sharing with patients and patients’ third-party health apps is consistent: Interoperability and privacy analysis. Journal of Medical Internet Research, 22(9), e19818. Web.

Wager, K. A., Lee, F. W., & Glaser, J. P. (2017). Health care information systems: A practical approach for health care management (4th ed.). Wiley. Web.