Group 2 Homework Compilation v3
Session 4
Chapters 7 & 10 Questions
Kluge Article
Padman Article
Group 2
Judi Binderman, MD
Suzi Birz
Nicki Cliffer
Deborah Michaelson
Candyce Thompson
Chapters 7 & 10 Questions
How have some of the standards discussed in the
chapter (7) impacted policies and procedures on
the job for you or a colleague?
Some of the standards discussed in the chapter that have impacted the policies and
procedures on the job for the clinical staff where I work include nursing
terminologies from the North American Nursing Diagnosis Association (NANDA)
codes, the Nursing Interventions Classification (NIC) and the International Standards
Organization (ISO). These are some of the nursing organizations that have been
actively developing the standard coding systems for documenting and evaluating
nursing care. The Systematized Nomenclature of Medicine (SNOMED) has impacted
the policies and procedures also – it has evolved beyond an abstracting scheme to
become a comprehensive coding system. The Logical Observations, Identifiers,
Names and Codes (LOINC) originally created a naming system for tests and
observations and has been extended to include non-laboratory observations such as
vital signs and electrocardiograms.
The use of these codes for billing has in turn had an impact on the policies and
procedures related to physician documentation. For billing purposes, there are
specific rules related to the use of these codes. If the codes are not supported by
appropriate provider documentation, the bill is considered fraudulent. Health care
provider procedures are in place to require appropriate documentation. Audit
teams are in place to do scheduled and routine audits of the documentation to
ensure compliance with the federal and state billing rules and the policies and
procedures.
Of all of the standards discussed, the Health Insurance Portability and Accountability
Act (HIPAA) has had the most impact on the policies and procedures. There is a
huge concern regarding privacy and the standards for the electronic transmission of
patient’s information. HIPAA directly affects healthcare providers all across the
nation. HIPAA has altered the way the healthcare sector does business and will
cause a culture change. Additionally, data-interchange standards have impacted the
policies and procedures for clinicians as well.
Provider and payor organizations have implemented privacy and security policies to
become and remain compliant with the Health Insurance Portability and
Accountability Act (HIPAA). These policies address administrative and clinical
activities of the organization. As with many federal and state regulations, non-
compliance can result in fines and imprisonment.
As a result, the procedure for first contact with a patient at the organization was
changed. Now, when a patient first arrives at the organization, s/he is provided the
organization's privacy policy, called the Notice of Privacy Practices. There is even a
procedure for the distribution. The brochure must be handed to the patient or
guardian, the patient must sign a document acknowledging receipt of the
document, and the acknowledgement must be filed, scanned or otherwise tracked
to provide an audit trail that the Notice was provided to the patient.
Another impact from HIPAA has to do with the sign-in procedure at any clinical area
– laboratory, physician office, ambulatory surgery desk, etc. Many of the
organization’s desks used to have sign-in sheets indicating the patient’s name and
sometimes the physician or procedure. HIPAA required that this procedure be
examined to ensure that only the minimum necessary information be present on
that sheet. This same concept applies to “calling for the patient”. For instance,
the organization does call the patient by name, but does not announce the
physician as that may be an indication of the patient’s medical condition.
Clinicians are impacted as well. When a surgeon arrives at the waiting room to
speak with the family, they all proceed to a private room to discuss the surgery and
condition of the patient. This procedure is required to protect the patient’s privacy
from the rest of the people in the waiting room.
When a clinician has lab results and receives voicemail, care must be taken as to
how much information can be left on the message. The physician’s office procedure
has been changed to secure permission from the patient to leave a message at one
number. This information is noted in the patient’s chart. This ensures that
information related to recent exams or labs is not left on a voicemail that can be
accessed by a spouse or other family member if the patient wants to be the first to
receive the information.
HIPAA and the electronic medical record (EMR) have a challenging relationship.
Limiting this discussion to one example, consider the employee with access to the
EMR and a friend waiting for results. Organizations have implemented strict policies
and procedures – with corrective action measures – for employees that, even with
the best of intentions – access the computer system and the medical information of
someone not under their care.
The need to interconnect health care applications and transmit data from one
system to another in a seamless manner has become critically important. However,
not all healthcare providers must comply with the privacy and security regulations.
The regulations make a distinction between those that use electronic transmission
of data and those that don't. There are no distinctions between sizes of healthcare
providers when it comes to HIPAA compliance. The only exception is that mental
health providers must follow special, more stringent rules.1 For example some
organizations purchased occlusive labels for the nurses to place over the patient
specific IV label before they discarded the empty IV bag so as to comply with HIPAA.
Another group of businesses that have a direct impact from HIPAA are Business
Associates of the covered entity. A Business Associate is an individual or entity that
receives protected health information (PHI) from a covered entity, such as a medical
practice, so that the business associate may perform services or functions, or assist
in the performance of services or functions, on behalf of the covered entity.2 HIPAA
mandates the covered entity require a Business Associate to sign a Business
Associate Agreement. This agreement includes parties that normally do not fall
under the definition of a covered entity into the HIPAA regulations. The agreement
requires the Business Associate to offer the same protection of the data as the
covered entity, and it is a contract enforceable in court. If the Business Associate
does not sign the agreement or fails to protect the data, HIPAA requires the covered
entity to terminate the relationship with the Business Associate.
• Lawyers
• Accountants
• Consultants
• Billing Companies
• Collection Agents
• Practice Managers
• Medical Transcription Service
An employee of the covered entity or a member of the covered entity's own
workforce is not considered a business associate. Independent contractors are
Business Associates. Also, other health care providers to whom covered entities
disclose PHI for treatment purposes are considered business associates.
The public is also playing a major role in how some standards, such as HIPAA, have
impacted policies and procedures on the job. As the public becomes more
HIPAA aware, they will expect, if not demand, privacy compliance. For example, if
you were to seek care from a medical provider and one says they are HIPAA
compliant and follow the guidelines, but the other does not and has no intention of
complying voluntarily, which one would you go to? The same applies to a firm like a
lawyer. Suppose you needed an attorney to represent you in a conversation that
included your personal medical history, which law firm would you use, one that is
HIPAA certified or one that is not?
References
1. HIPAAps Privacy & Security. Who is affected by HIPAA? Retrieved January,
2009, from www.hipaaps.com/whoIsAffected.html .
2. IBID.
What are ANSI, IEEE, HL7 and WHO? What are their
various roles in creating standards?
ANSI: Since 1918, the American National Standards Institute (ANSI) has been
coordinating the activities leading to United States voluntary standards systems.
ANSI facilitates the formation of standards in the United States by accrediting the
procedures of standards developing organizations (SDOs), government agencies,
consumer groups, companies, and others. These standards ensure consistency in
characteristics and performance of products, use of definitions and terms, and
product testing. ANSI accreditation signifies that the procedures used by standards
setting organizations meet the Institute's requirements for openness, balance,
consensus, and due process. ANSI promotes the use of U.S. standards
internationally, advocates U.S. policy and technical positions in international and
regional standards organizations and encourages the adoption of international
standards as national standards where appropriate.
One of the organization’s strategies is to develop a formal methodology to support
the creation of HL7 standards from the HL7 Reference Information Model (RIM). The
RIM is a large pictorial representation of clinical data (domains) and identifies the
life cycle of events that a message or groups of related messages will carry. It is a
shared model between all the domains and as such, is the model from which all
domains create their messages. The RIM represents the connections that exist
between the information carried in the fields of HL7 messages and is essential to
HL7’s ongoing mission of increasing precision and reducing implementation costs.
"Level Seven" refers to the highest level of the International Organization for
Standardization (ISO) communications model for Open Systems Interconnection
(OSI) – the application level. The application level addresses definition of the data
to be exchanged, the timing of the interchange, and the communication of certain
errors to the application. The seventh level supports such functions as security
checks, participant identification, availability checks, exchange mechanism
negotiations and, data exchange structuring.
The majority of entries refer to prescription-only products, but some are over-the-
counter (OTC) or pharmacist-dispensed. Biotech and blood products, diagnostic
substances and contrast media are also entered in the dictionary.
Physician assisted suicide (PAS) refers to the physician's act of providing
medication, a prescription, information, or other interventions to a patient with the
understanding that the patient intends to use them to commit suicide. PAS is legal
in the Netherlands, Belgium, and Switzerland. In the United States, PAS is legal only
in the State of Oregon.
Consider the case of a 67 year old patient with terminal lung cancer. This patient
has undergone multiple courses of chemotherapy and radiation without success. At
this point, all that can be offered is palliative care; death is inevitable. The patient
declines Hospice. The patient’s pain is not controlled, in spite of pain medication.
The patient asks the physician for a prescription for a large quantity of opioid pain
medication. The patient takes the prescription to the pharmacy. The pharmacist
contacts the physician to question the dosage, but is told “It is none of your
business.” The pharmacist refuses to fill the prescription and places a notation in
the computer system to alert other pharmacists of their suspicion.
Electronic Medical Records:
An Automatic Breach of Ethics?
Ethics and Confidentiality in the Age of Electronic Medical Records
Introduction
In the paper by E-H. W. Kluge, he states that the popular belief that data extraction
(secondary use of data) from Electronic Medical Records (EMR) requires a specific
informed consent is limited by four ethically-based arguments:
1. When use of the data without specific consent creates obstacles for
healthcare providers to carry out their mandates (presumably those of
patient care and population care)
2. When use of the data without specific consent prevents the creation and
maintenance of a health care system as a starting point
3. When use of data without specific consent seriously inhibits the ability for
equal and competing rights, and
4. When use of the data without specific consent makes bona fide research
impossible.i
Kluge walks through the logic behind each of these scenarios, and applies the
principles of ethics to support specific limitations that apply to use of secondary
data, and the lack of specific informed consent. He concludes with several possible
options for obtaining a somewhat global consent to information use to mitigate
violation of ethics in these situations.
Discussion
Perhaps the most meaningful moment in a young physician’s career is when he or
she takes the Hippocratic Oath (or the Oath of Maimonides), in which he pledges to
abide by a system of ethical statements developed primarily for the benefit of the
patient. As a member of this profession, a physician must recognize responsibility to
patients first and foremost, as well as to society, to other health professionals, and
to self.ii Of the 9 ‘codes’ outlined by these oaths and the American Medical
Association, (see Appendix A), the two that are most germane to the use of
secondary data contained in a medical record (paper OR electronic) are #5 [A
physician shall continue to study, apply, and advance scientific knowledge, maintain
a commitment to medical education, make relevant information available to
patients, colleagues, and the public, obtain consultation, and use the talents of
other health professionals when indicated] and # 7 [A physician shall recognize a
responsibility to participate in activities contributing to the improvement of the
community and the betterment of public health].
If one subscribes to the principle of autonomy, the right that all persons have to
self-determination, then patients should, in general, be able to indicate which parties
have access to which pieces of information. And, in general practice, there are
some items which are specifically required to have direct consent for their
dissemination, such as HIV results. This can pose an obstacle to transitions in care,
for instance, when referring a patient to a specialist. If the patient requests that NO
information be provided, the new care provider must essentially start from scratch.
This principle is perhaps the most often over-ridden in cases when emergency care
must be provided, and records are ‘unlocked’ without specific consent. Similarly, if
a patient refuses use of secondary data, then any unusual or abnormal items in
his/her history, medical condition or current state of health are unavailable to be
utilized for aggregate knowledge.
If one subscribes to the principle of non-malfeasance, which asserts that all have
the duty to prevent harm, this would apply to both physicians AND patients.
Physicians would want to utilize secondary data about their population to further
research knowledge to prevent future harm, and patients should also want to do
anything in their power to help prevent harm to others, in this case, by allowing
secondary data to be utilized for research purposes. The promise that must be
agreed to by both parties is that the use of the secondary information in and of
itself shall not bring harm to any individual who provided access to that information,
or was the ‘source’ of that information. This would bring into play many of the
HIPAA requirements for privacy protection and safeguarding of confidential
information.
The principle of equality states that all persons are equals, and have the right to be
treated as such. Medical research has indicated that many conditions act
differently depending on the patient’s socioeconomic status, race or environment.
This would preclude the idea that hypertension, for example, should be treated in
everyone the same way—in fact, hypertension is more prevalent in African-
American males, and is often more malignant and difficult to control in this
population. Thus, knowing more about a patient’s specific condition is important for
the best practices in treatment, and this ‘population-dependent’ knowledge only
continues to improve and expand through the use of secondary data from medical
records.
The final principle of ethics most germane to this discussion is that of beneficence:
everyone has a duty to advance the good of others. Again, this would most
broadly argue that providing data to further research and best practices would be a
compelling argument to patients to allow such secondary data use.
Creating a satisfactory balance between these ethical principles and those of the
code of conduct imposed upon medical providers would seem to be a difficult task
when one then considers the tenets of HIPAA…the Health Insurance Portability and
Accountability Act. This act, passed in 1996, required the Department of Health and
Human Services (HHS) to establish national standards for electronic health care
transactions and national identifiers for providers, health plans, and employers. It
also addressed the security and privacy of health data.
As the health care industry adopts technology, the efficiency and effectiveness of
the nation's health care system will demand improved use of electronic data
interchange.iv As a result of increasing technological dependence, CMS (Centers for
Medicare and Medicaid Services) has been authorized to enforce the security
standards, and has written new guideline documents to cover newer technologies,
increasing use of mobile means to gather and distribute protected health
information, and maintaining adequate security measures for covered entities.
Not only are new technologies being utilized in healthcare; new roles of personnel
are being created. Perhaps the most integrally involved are the Healthcare
Informatics Professionals (HIPs). The International Medical Informatics Association,
established in 1989, has realized the multiple relationships that HIPs have with
data, healthcare providers and patients. As such, it has adopted a code of ethics
unique and specific to HIPs, encompassing the many facets of the role. See
Appendix B for this code. The various delineations under the category of ‘Duties to
Society’ include the HIP’s duty to facilitate appropriate “collection, storage,
communication, use and manipulation of health care data that are necessary for the
planning and providing of health care services on a social scale.”v The very next
tenet in that same section is the responsibility to ensure only appropriate data are
collected, the data is de-identified and rendered as anonymous as possible and that
only authorized personnel have access to relevant data. This would represent a
dramatic step forward to reconciling the need for gathering secondary data with
protecting the ethical rights of all parties involved.
We believe that the complexity of this entire topic will only continue to grow, as
methods and delivery models of health care and research continue to evolve, and
as technology assumes its place front and center. It is only with the continued
debate of the various approaches and points of view that the best compromise to
protect involved parties and advance knowledge can be reached.
Appendix A: AMA Code of Ethics
Preamble
III. A physician shall respect the law and also recognize a responsibility to
seek changes in those requirements which are contrary to the best
interests of the patient.
IV. A physician shall respect the rights of patients, colleagues, and other
health professionals, and shall safeguard patient confidences and privacy
within the constraints of the law.
VIII. A physician shall, while caring for a patient, regard responsibility to the
patient as paramount.
IX. A physician shall support access to medical care for all people.
Appendix B: Excerpt from IMIA Code of Ethics for
Health Information Professionals
A. Subject-centred duties
These are duties that derive from the relationship in which HIPs stand to the
subjects of the electronic records or to the subjects of the electronic
communications that are facilitated by the HIPs through their professional actions.
1. HIPs have a duty to ensure that the potential subjects of electronic records are
aware of the existence of systems, programs or devices whose purpose it is to
collect and/or communicate data about them.
2. HIPs have a duty to ensure that appropriate procedures are in place so that:
5. HIPs have a duty to ensure that the subject of an electronic record is aware of
any rights that he or she may have with respect to
7. HIPs have a duty to treat the duly empowered representatives of the subjects of
electronic records as though they had the same rights concerning the electronic
records as the subjects of the record themselves, and that the duly empowered
representatives (and, if appropriate, the subjects of the records themselves) are
aware of this fact.
8. HIPs have a duty to ensure that all electronic records are treated in a just, fair
and equitable fashion.
9. HIPs have a duty to ensure that appropriate measures are in place that may
reasonably be expected to safeguard the
a. security,
b. integrity,
c. material quality,
d. usability, and
e. accessibility of electronic records
10. HIPs have a duty to ensure, insofar as this lies within their power, that an
electronic record or the data contained in it are used only
a. for the stated purposes for which the data were collected, or
b. for purposes that are otherwise ethically defensible.
11. HIPs have a duty to ensure that the subjects of electronic records or
communications are aware of possible breaches of the preceding duties and the
reason for them.
a. to assist duly empowered HCPs who are engaged in patient care in having
appropriate, timely and secure access to relevant electronic records (or parts
of thereof), and to ensure the usability, integrity, and highest possible
technical quality of these records; and
b. to provide those informatic services that might be necessary for the HCPs
to carry out their mandate.
2. HIPs should keep HCPs informed of the status of the informatic services on which
the HCPs rely, and immediately advise them of any problems or difficulties that
might be associated or that could reasonably be expected to arise in connection
with these informatic services.
3. HIPs should advise the HCPs with whom they interact on a professional basis, or
for whom they provide professional services, of any circumstances that might
prejudice the objectivity of the advice they give or that might impair the nature or
quality of the services that they perform for the HCPs.
5. HCPs who are directly involved in the construction of electronic records may have
an intellectual property right in certain formal features of these records.
Consequently, HIPs have a duty to safeguard
in which the HCP has, or may reasonably be expected to have, an intellectual
property interest.
a. competence,
b. diligence,
c. integrity, and
d. loyalty
2. HIPs have a duty to
4. HIPs have a duty to alert, in good time and in a suitable manner, appropriately
placed decision-makers of the security- and quality-status of the data-generating,
storing, accessing, handling and communication systems, programs, devices or
procedures of the institution with which they are affiliated or of the employers for
whom they provide professional services.
5. HIPs should immediately inform the institutions with which they are affiliated or
the employers for whom they provide a professional service of any problems or
difficulties that could reasonably be expected to arise in connection with the
performance of their contractually stipulated services.
6. HIPs should immediately inform the institutions with which they are affiliated or
the employers for whom they provide a professional service of circumstances that
might prejudice the objectivity of the advice they give.
8. HIPs should only use suitable and ethically acquired or developed tools,
techniques or devices in the execution of their duties.
a. collection,
b. storage,
c. communication,
d. use, and
e. manipulation
of health care data that are necessary for the planning and providing of health care
services on a social scale.
a. only data that are relevant to legitimate planning needs are collected;
b. the data that are collected are de-identified or rendered anonymous as
much as possible, in keeping with the legitimate aims of the collection;
c. the linkage of data bases can occur only for otherwise legitimate and
defensible reasons that do not violate the fundamental rights of the subjects
of the records; and
d. only duly authorized persons have access to the relevant data.
3. HIPs have a duty to educate the public about the various issues associated with
the nature, collection, storage and use of electronic health-data and to make
society aware of any problems, dangers, implications or limitations that might
reasonably be associated with the collection, storage, usage and manipulation of
socially relevant health data.
4. HIPs will refuse to participate in or support practices that violate human rights.
5. HIPs will be responsible in setting the fee for their services and in their demands
for working conditions, benefits, etc.
E. Self-regarding duties
HIPs have a duty to
3. maintain competence,
4. take responsibility for all actions performed by them or under their control,
5. avoid conflict of interest,
6. give appropriate credit for work done, and
7. act with honesty, integrity and diligence.
2. HIPs have a duty to assist in the development of the highest possible standards
of professional competence, to ensure that these standards are publicly known, and
to see that they are applied in an impartial and transparent manner.
3. HIPs will refrain from impugning the reputation of colleagues but will report to the
appropriate authority any unprofessional conduct by a colleague.
4. HIPs have a duty to assist their colleagues in living up to the highest technical
and ethical standards of the profession.
i. Informed Consent to the Secondary Use of EHRs: Informatic rights and their limitations,
E-H.W. Kluge, MEDINFO 2004, M. Fieschi et al. (Eds), Amsterdam: IOS Press, 2004.
ii. http://www.ama-assn.org/ama/pub/category/2512.html, “Principles of Medical
Ethics”, accessed 1/26/09.
iii. http://plato.stanford.edu/entries/ethics-computer/, accessed 1/26/09.
iv. http://www.cms.hhs.gov/HIPAAGenInfo/01_Overview.asp, accessed 1/26/09.
v. http://www.imia.org/ethics.lasso, accessed 1/26/09.
To meet the objectives of retaining data confidentiality, Boyens et al. illustrate two stages
of the mediator data-handling process. In data release 1, the mediator obtains the data in
a way that protects the identity of the individual (they obtain measures of central
tendency and dispersion). Data release 2 is the release of mediator-analyzed aggregated
data, usually in the form of a report, released in such a way that the individual’s, or the
organization’s confidentiality and privacy is preserved.
By avoiding the collection of raw data from the data owners, the data are less likely to be
subject to threats such as external attacks on the service provider’s database, malicious
attacks, data corruption due to incompetence, or the chance that due to changes of
ownership within the organization, the raw data may fall into competitors’ or other
inappropriate hands. To avoid these potential threats, Boyens et al. discuss encrypting
the data (which reduces the mediator’s ability to read and therefore analyze the data), or
de-identifying the data such that one can no longer link the data record to an individual
owner. This data-treatment would still permit the calculation of measures of central
tendency, but would not provide a means to evaluate how organizations rate or rank in
relation to each other. The third option mentioned is to give the data to a trusted third-
party mediator who uses the data to produce reports, but does not then store the data
long term.
Interval Inference refers to when “a database attacker is able to infer an accurate enough
interval when he or she may not infer an exact value of the sensitive attribute”. The
“interval” in question is then referred to as the inference interval (Li et al., 2002). These
investigators use an ‘auditing approach’ to limit the capability of analyzing published
data in order to obtain sensitive or private information. “By auditing, all queries made by
each user are logged and checked for possible inference before the results of new
queries are released.”
Suggested Solutions
The first approach to reducing the risk of breaching data confidentiality is careful initial
treatment of the data to ensure record anonymization “preventing the re-identification of
real-world entities from a published table whose records represent individuals” where no
personal names, addresses, or birthdates appear in the data (Boyens et al., 2004b). A
number of methods of reducing the capability of obtaining confidential information are
cited in Li et al. (2002). Some of these inference control options include controlling query
sets (restricting size, controlling overlap), suppressing query results, using different
sampling techniques, and additionally, adding variability (noise) to the source data.
To avoid the breach of privacy due to further analysis of reported data, organizations can
specify a maximum disclosure risk for each of the sensitive descriptive data cells in a
table displayed in the report (Boyens et al., 2004a). These criteria are set prior to data
release 1 when the data are given to the mediator for analysis. The maximum disclosure
risk criteria could include specific guidelines about the widths of the cell intervals,
(perhaps a specified numerical range around the true mean) or a specification of
minimum information entropy. In the event that the risk criteria are met (even within one
cell of the table showing the descriptive statistics), the data containing the identified
risk criterion cannot be published. The method of assessing whether the data are subject
to a risk of disclosure is called “disclosure detection” or “disclosure audit” (Boyens et al.,
2004).
Li et al. (2002) caution that when auditing data, it is important to account for the impact
of boundary information and different types of data on interval-based inference which is
something that ‘audit experts’ do not do when they audit for exact inference. They note
that it is possible to audit interval-based inference, but it requires the use of complex
calculations to do so.
The suppression of information would not add a biasing factor since it uniformly reduces
information. For example, instead of using the arithmetic mean in reporting, a rounded
mean would be reported (selecting a specific interval width that makes sense for the
data). Additionally, instead of reporting the standard deviations associated with the
arithmetic mean, a less specific measure of spread than a standard deviation (for
example, a range) would be reported. A range is based on two data points (max and min)
and so provides less information than does a standard deviation which is based on all the
data points. The authors note that it is important to reduce or suppress the data in a
manner that “limits disclosure with [the] least data utility loss possible”. They reference
an “audit and aggregate” algorithm that they developed which enables the comparison
between privacy and data utility tradeoffs for mediator analyzed data and data
warehouse collated data, model shown below (Boyens et al, 2004b).
In this model, data is audited on a continuous basis, and is iteratively aggregated and
suppressed if analysis finds a significant risk of disclosure.
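The sketch below illustrates the disclosure audit and the audit-and-aggregate loop described above. It is an added example, a simplified model and not the algorithm of Boyens et al. or the audit of Li et al. The function names, the 0 to 100 value domain, the doubling of the rounding width and the sample cells are constructed assumptions.

```python
import math


def rounded_mean_bin(values, width, lo, hi):
    """Publish the mean rounded to a multiple of `width`.

    Returns (reported, bin_lo, bin_hi): the published figure and the interval
    a reader can conclude the true mean lies in, clipped to the known domain.
    """
    mean = sum(values) / len(values)
    reported = math.floor(mean / width + 0.5) * width
    return reported, max(lo, reported - width / 2), min(hi, reported + width / 2)


def inference_interval(n, mean_lo, mean_hi, lo, hi, known=()):
    """Tightest interval an attacker can infer for one contributor's value.

    The attacker knows the cell size n, that the true mean is in
    [mean_lo, mean_hi], that every value lies in [lo, hi] (boundary
    information), and the exact values in `known` (for example their own).
    """
    others = n - 1 - len(known)  # unknown values other than the target
    if others < 0:
        raise ValueError("attacker cannot already know every value in the cell")
    sum_lo = n * mean_lo - sum(known)
    sum_hi = n * mean_hi - sum(known)
    # target = total - known - others, with each other value in [lo, hi]
    x_lo = max(lo, sum_lo - others * hi)
    x_hi = min(hi, sum_hi - others * lo)
    return x_lo, x_hi


def audit_and_aggregate(values, lo, hi, min_width,
                        start_width=1.0, max_width=16.0, known=()):
    """Coarsen the rounded mean until the inference interval is wide enough.

    `min_width` plays the role of the maximum disclosure risk criterion: the
    cell may be published only if no value can be pinned down to an interval
    narrower than this. Returns the release, or None if the cell is suppressed.
    """
    width = start_width
    while width <= max_width:
        reported, m_lo, m_hi = rounded_mean_bin(values, width, lo, hi)
        x_lo, x_hi = inference_interval(len(values), m_lo, m_hi, lo, hi, known)
        if x_hi - x_lo >= min_width:
            return {"reported_mean": reported,
                    "rounding_width": width,
                    "inference_interval": (x_lo, x_hi)}
        width *= 2  # aggregate further: report a coarser mean
    return None  # no acceptable width found: suppress the cell


if __name__ == "__main__":
    # Constructed sample cells; scores are assumed to lie between 0 and 100.
    cells = {
        "mid-range, outsider": ([40, 55, 60, 45, 50], ()),
        "near upper bound, outsider": ([97, 99, 98, 100, 96], ()),
        "pair, one insider": ([40, 70], (40,)),
    }
    for name, (values, known) in cells.items():
        print(name, audit_and_aggregate(values, 0, 100, min_width=20, known=known))
```

The cell near the upper bound shows why boundary information matters: the same rounding width that is harmless for mid-range values leaves a narrow interval there, and a coarser bin that is clipped at the bound can be narrower than a finer one.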
References
Claus Boyens, Ramayya Krishnan, and Rema Padman. (2004a). Privacy-Preserving Data
Releases for Health Report Generation. In MEDINFO 2004. M. Fieschi et al. (eds)
Amsterdam: IOS Press
http://www2.computer.org/plugins/dl/pdf/proceedings/hicss/2004/2056/06/205660135a.pdf?template=1&loginState=1&userData=anonymous-IP1233194125513 downloaded
1/27/09
Yingjiu Li, Lingyu Wang, X. Sean Wang, Sushil Jajodia. (2002). Auditing interval-based
inference. In Proceedings of the 14th Conference on Advanced Information Systems
Engineering (CAiSE’02).