
Anonymization operations do not provide a way to supply context


    Details

    • Type: Change Request
    • Status: Resolved - change required
    • Priority: Medium
    • Resolution: Persuasive with Modification
    • Specification:
      US Making EHR Data More available for Research and Public Health (MedMorph) (FHIR)
    • Raised in Version:
      0.1.0
    • Work Group:
      Public Health
    • Related Artifact(s):
      Generate Anonymized Bundle
      Generate De-Identified Bundle
      Generate Pseudonymized Bundle
      Generate Re-Identified Bundle
    • Related Page(s):
      Artifacts Summary
    • Related Section(s):
      15.0.2
    • Grouping:
    • Resolution Description:
      An additional parameter will be added to the operation to specify the context which can communicate the salt values and/or the reporting program name or some other context that is necessary. This will be an optional parameter, because some implementations may just choose the salt values internally and maintain a single mapping.
    • Resolution Vote:
      Kishore Bashyam / Craig Newman : 28 - 0 - 1
    • Change Category:
      Correction
    • Change Impact:
      Compatible, substantive

      Description

      Techniques for conducting privacy-preserving record linkage (PPRL) typically rely on hashing or the construction of Bloom filters (which also relies on hashing). For these techniques to prevent re-identification, they rely on using a salt (or technically a pepper) value that is kept secret and added prior to hashing.

      The current definition of the FHIR operations does not offer a parameter that could be used to pass in any context for the operation, such as a salt value or a place to obtain the salt value.

      For re-identification, a similar issue applies. It is assumed that the Bundle will contain a set of identifiers that can be used to re-link to PII. Unless the Trust Service maintains a single mapping of identifiers to PII, there will be a need to specify which mapping to use. For example, a Trust Service may generate a new set of identifiers for individuals for each public health research question asked to prevent re-identification across studies. 

      Consider adding a parameter to these operations to allow specification of de/re-identification context.
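The following is an added illustration of the problem described in this issue; it is not code from the MedMorph IG or from any Trust Service implementation. It models a toy Trust Service whose pseudonymization and Bloom-filter encoding are keyed with a secret pepper and whose pseudonym-to-PII mapping is kept per context (here a hypothetical "program" name, standing in for the optional context parameter the resolution describes). Everything below, including the `TrustService` class, the `Context` shape, the field names and the sample PII, is an assumption constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Context:
    """Hypothetical de/re-identification context (assumed shape, not MedMorph's).

    The pepper is the secret key; it is supplied out-of-band and never placed
    in the Bundle, which is exactly why the operation needs some way to name it.
    """
    program: str   # e.g. a reporting program or study name
    pepper: bytes  # secret key used for all hashing within this context


class TrustService:
    """Toy Trust Service keeping one pseudonym<->PII mapping per context."""

    def __init__(self) -> None:
        self._contexts: Dict[str, Context] = {}
        self._mappings: Dict[str, Dict[str, dict]] = {}

    def register(self, program: str, pepper: Optional[bytes] = None) -> Context:
        """Create a context; a fresh random pepper is generated if none is given."""
        ctx = Context(program, pepper or secrets.token_bytes(32))
        self._contexts[program] = ctx
        self._mappings[program] = {}
        return ctx

    @staticmethod
    def _normalize(value: str) -> str:
        # Collapse case and whitespace so equivalent inputs hash identically.
        return " ".join(value.lower().split())

    def pseudonymize(self, program: str, pii: dict) -> str:
        """Keyed hash (HMAC-SHA256 under the context's pepper) of the PII fields."""
        ctx = self._contexts[program]
        material = "|".join(self._normalize(str(pii[k])) for k in sorted(pii))
        token = hmac.new(ctx.pepper, material.encode(), hashlib.sha256).hexdigest()
        self._mappings[program][token] = dict(pii)  # remember mapping for this context only
        return token

    def reidentify(self, program: str, token: str) -> Optional[dict]:
        """Look the token up in the mapping selected by the context; None if unknown."""
        return self._mappings.get(program, {}).get(token)

    def bloom_filter(self, program: str, value: str, m: int = 128, k: int = 4) -> int:
        """Bloom-filter encoding of a string's bigrams using k keyed hashes.

        Returned as an int bit-set of length m. Without the pepper an attacker
        cannot reproduce the bit positions, which is what the issue relies on.
        """
        ctx = self._contexts[program]
        text = f" {self._normalize(value)} "
        bits = 0
        for i in range(len(text) - 1):
            bigram = text[i:i + 2].encode()
            for j in range(k):
                digest = hmac.new(ctx.pepper, bytes([j]) + bigram, hashlib.sha256).digest()
                bits |= 1 << (int.from_bytes(digest[:4], "big") % m)
        return bits

    @staticmethod
    def dice(a: int, b: int) -> float:
        """Dice similarity of two Bloom filters (the usual PPRL matching score)."""
        inter = bin(a & b).count("1")
        total = bin(a).count("1") + bin(b).count("1")
        return 0.0 if total == 0 else 2 * inter / total


def demo() -> dict:
    """Same PII, two contexts: tokens differ and mappings do not cross over."""
    ts = TrustService()
    # Constructed peppers; a real service would draw these from a key store.
    ts.register("study-a", pepper=b"constructed-pepper-for-study-a")
    ts.register("study-b", pepper=b"constructed-pepper-for-study-b")
    pii = {"given": "Jane", "family": "Doe", "birthDate": "1980-01-01"}  # constructed sample
    tok_a = ts.pseudonymize("study-a", pii)
    tok_b = ts.pseudonymize("study-b", pii)
    return {
        "tok_a": tok_a,
        "tok_b": tok_b,
        "tok_a_again": ts.pseudonymize("study-a", pii),
        "reid_a": ts.reidentify("study-a", tok_a),
        "cross_context": ts.reidentify("study-b", tok_a),
        "bf_same": ts.dice(ts.bloom_filter("study-a", "Jane Doe"),
                           ts.bloom_filter("study-a", "jane  DOE")),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the issue raises: the token for a record is only meaningful together with the context that selected the pepper and the mapping, so a re-identification request that arrives without that context cannot be resolved, and a de-identification request without it cannot choose which pepper to apply.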

      People

      Assignee: nageshbashyam (Nagesh Bashyam)
      Reporter: andy.gregorowicz (Andy Gregorowicz)