FHIR Specification Feedback: FHIR-30326

Anonymization operations do not provide a way to supply context


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Medium
    • US Making EHR Data More available for Research and Public Health (MedMorph) (FHIR)
    • 0.1.0
    • Public Health
    • Generate Anonymized Bundle
      Generate De-Identified Bundle
      Generate Pseudonymized Bundle
      Generate Re-Identified Bundle
    • Artifacts Summary
    • 15.0.2
    • Resolution Description:

      An additional parameter will be added to the operation to specify the context which can communicate the salt values and/or the reporting program name or some other context that is necessary. This will be an optional parameter, because some implementations may just choose the salt values internally and maintain a single mapping.

    • Kishore Bashyam / Craig Newman : 28 - 0 - 1
    • Correction
    • Compatible, substantive

    Description

      Techniques for conducting privacy preserving record linkage (PPRL) typically rely on hashing or the construction of Bloom filters (which also relies on hashing). For these techniques to prevent re-identification, they rely on using a salt (or technically a pepper) value that is kept secret and added prior to hashing.

      The current definition of the FHIR operations does not offer a parameter that could be used to pass in any context for the operation, such as a salt value or a place to obtain the salt value.

      For re-identification, a similar issue applies. It is assumed that the Bundle will contain a set of identifiers that can be used to re-link to PII. Unless the Trust Service maintains a single mapping of identifiers to PII, there will be a need to specify which mapping to use. For example, a Trust Service may generate a new set of identifiers for individuals for each public health research question asked to prevent re-identification across studies. 

      Consider adding a parameter to these operations to allow specification of de/re-identification context.
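The following is an added illustration, not code from the MedMorph IG or from the issue reporter, of why the requested context parameter matters: a Trust Service that pseudonymizes with a keyed hash (HMAC-SHA-256 over the PII with a secret pepper) and keeps one token-to-PII mapping per reporting program, so that the same person receives unlinkable tokens in different studies and a token can only be re-identified under the context it was minted for. The context shape (`program`, optional `pepper`) and the pepper values are constructed for the demo and are not the specification's parameter names.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo secrets, one per reporting program. A real Trust Service keeps
# these itself and never returns them to the caller; they are fixed here only so
# the example is reproducible.
PROGRAM_PEPPERS = {
    "program-A": b"constructed-demo-pepper-A-not-for-production",
    "program-B": b"constructed-demo-pepper-B-not-for-production",
}


def normalize(pii: str) -> str:
    """Canonicalize PII before hashing so spacing/case differences still link."""
    return " ".join(pii.lower().split())


def resolve_pepper(context: dict) -> bytes:
    """The context (hypothetical shape) either carries the pepper itself or names a
    program whose pepper the Trust Service holds: the two cases the resolution mentions."""
    if "pepper" in context:
        return context["pepper"]
    return PROGRAM_PEPPERS[context["program"]]  # unknown program -> KeyError


def pseudonymize(pii: str, context: dict) -> str:
    """Keyed hash (HMAC-SHA-256). Without a secret pepper the token would be a plain
    hash of guessable PII and would not prevent re-identification."""
    pepper = resolve_pepper(context)
    return hmac.new(pepper, normalize(pii).encode(), hashlib.sha256).hexdigest()


class TrustService:
    """One token->PII mapping per program, so a token minted for one study
    cannot be re-identified under another."""

    def __init__(self) -> None:
        self._mappings: Dict[str, Dict[str, str]] = {}

    def deidentify(self, pii: str, context: dict) -> str:
        token = pseudonymize(pii, context)
        self._mappings.setdefault(context["program"], {})[token] = pii
        return token

    def reidentify(self, token: str, context: dict) -> Optional[str]:
        # A token looked up under the wrong program yields None, not a cross-study link.
        return self._mappings.get(context["program"], {}).get(token)
```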

          People

            nageshbashyam Nagesh Bashyam
            andy.gregorowicz Andy Gregorowicz