Original Contributions

Protecting Patient
Privacy in Clinical
Data Mining
Linda K. Goodwin, RN, C, PhD, and Jonathan C. Prather, PhD

A B S T R A C T trend for patients to withhold informa-

This paper investigates whether HIPAA de-identification
requirements – as well as proposed AAMC de-identification
standards – were met in a large clinical data mining study
(1997-2001) conducted at Duke University prior to the
publication of the final rule.While HIPAA has improved
de-identification standards, the study also shows that privacy
issues may persist even in de-identified large clinical databases.
K E Y W O R D S Over half of America’s largest 500
companies, with easy access to a per-
Health Insurance Portability son’s social security number, admitted
and Accountability Act using health records to make hiring and
other personnel decisions.1 Patients have
(HIPAA) reported losing their jobs, insurance cov-
Patient privacy erage, and their reputation due to disclo-
sure of confidential information. Not only
Consent do privacy violations result in both real
and potential loss of dignity and autono-
Authorization my, the information from a person’s
Institutional review board patient records may influence their credit,
employment options, admission to educa-
(IRB) tional institutions, and their ability to get
Clinical data mining health insurance and at fair market cost.2
Patients are concerned that health-
De-identification related information they give to their
The Common Rule healthcare providers, employers, and
insurance companies might somehow be
used against them. There is a growing
tion, and to seek care under fictitious
names and erroneous social security
numbers;3 the potential impact of this
trend on clinical data mining research is
worrisome.
In response to public concerns, a
number of privacy protection bills were
introduced in Congress during the past
decade. The Health Insurance Portability
and Accountability Act (HIPAA) was
signed into law in 1996, and component
privacy regulations were published in
December 2000.4 Former U.S. Secretary
of Health Donna Shalala issued a report5
indicating the need for legislation
because of the rapid changes in ways
that healthcare is provided, documented,
and paid for in the United States. These
changes pose a challenge to American
values that want both personal privacy
as well as quality healthcare; in today’s
healthcare market, these values are both
complementary and competing.
HIPAA regulations do not change
already existing law called the “Common
Rule”6 that applies to all federally funded
research. The Common Rule directs a
research institution to assure the federal
government that it will provide and
enforce protections for human subjects
of research conducted under the over-
sight of that institution. Research institu-
tions must assess research proposals in
terms of their risks to subjects and their
potential benefits, and they must see that
the Common Rule’s requirements for
selecting subjects and obtaining informed
consent are met.
One important point to note is that,

62 Journal of Healthcare Information Management — Vol. 16, No. 4

 Original Contributions

because of new HIPAA provisions that • De-identified data:

specifically apply to research protocols, data where identi- Figure 1. HIPAA “Safe-Harbor”
an organization cannot merely apply its fiers have been De-identification Algorithm
routine privacy and security protections removed but means
where research protocols are concerned. exist for re-identify-
Regulations are still in flux, but final reg- ing individual
ulations are expected to require special patients or subjects
treatment for research data in an effort to if required. The
protect patient privacy concerns. Common Rule calls
this “coded data.”
Important Terms • HIPAA consent is
It will be important to understand the specifically for treat-
differences in important terms related to ment, billing, and
HIPAA and protecting patient privacy in operations. Note: The
doing research. HIPAA has an impact on • HIPAA authoriza- primary author
Institutional Review Board (IRB) roles, tion includes what wishes to
acknowledge the
and typical clinical data mining research IRBs call “consent.” North Carolina
finds itself at the core of this endeavor • Protected health Health Care
where patient data is often used for information Information and
research without explicit patient consent. (PHI): any informa- Communications
Alliance
Note that what IRBs consider “consent” tion, whether oral or (www.nchica.org)
is similar in concept to what HIPAA recorded in any where she
labels “authorization.” form or medium, developed this
that is created or algorithm
received by a health- working with a
HIPAA Privacy
care provider, health Work Group
plan, public health Subcommittee on
authority, employer, Research.

“Not only do privacy viola- life insurer, school

tions result in both real and
potential loss of dignity and
autonomy, the information from a
person’s patient records may
influence their credit, employment
options, admission to educational
institutions, and their ability to
get health insurance and at fair
market cost.”
• Anonymous data: data that was
never labeled with patient/subject
identifiers.
• Anonymized data: data where all
identifiers have been removed and
NO means exists for re-identifying
patients/subjects.
• Covered entity: health plans, health-
care clearinghouses, and healthcare
providers who transmit any health
information in connection with a
transaction (covers electronic, paper,
fax, etc.).
or university, or
healthcare clearing-
house; and relates to
the past, present, or future physical or
mental health or condition of an indi-
vidual; the provision of healthcare to
an individual; or the past, present, or
future payment for the provision of
healthcare to an individual.
Ongoing Debate
Partisan, public, and industry disagree-
ment concerning HIPAA legislation con-
tinues. The Bush Administration pro-
posed modifications to HIPAA privacy
regulations and provided an opportunity
for further comment on March 27, 2002.7
Among other things, proposed modifica-
tions eliminate a requirement for patient
consent to use their PHI for research pur-
poses. This modification addresses indus-
try concern that privacy rules will create
substantial impediments to research.
Proposed modifications would permit
covered entities to obtain a single form
that combines authorization and consent
for research from the patient, but many
question whether proposed “blanket”
consent and authorization will be defensi-
ble in court, and privacy advocates argue
that this proposed modification destroys
the value of the privacy regulations.
The National Center for Vital Health
Statistics (NCVHS)8 recommended that
the HIPAA privacy rule continue to
require either individual authorization or
a waiver from an IRB or privacy board
to conduct research involving protected
health information, and that research
activities not be included within treat-
ment, payment, and healthcare opera-
tions. NCVHS also described participants’
concerns and assertions that the stan-
dards for de-identification are too restric-
tive, thus de-identified data will have
minimal value for research, and recom-
mended reconsidering whether the safe
harbor de-identification standard might
unduly interfere with research.
Thus it is apparent that ongoing debate
and confusion are inherent in HIPAA pri-
vacy regulations. What remains clear is
that much work remains to be done to
ensure that privacy laws balance individ-
ual personal privacy rights with compet-
ing data and information-sharing benefits.
The National Research Council2 report-
ed that HIPAA is an important first step
in the development of standards for elec-
tronic exchange of health information.
While data sharing is also possible in
paper form, it is the electronic exchange

Journal of Healthcare Information Management — Vol. 16, No. 4 63


Table 1. HIPAA and Proposed AAMC Research
De-identification Requirements
CURRENT HIPPA DE-IDENTIFICATION
REQUIREMENTS
1. Names
2. Geographic subdivisions
3. All elements of dates
4. Telephone #
5. Fax #
6. Electronic mail addresses
7. Social security #
8. Medical record #
9. Health plan beneficiary #
10. Account #
11. Certificate/license #
12. Vehicle identifiers and serial #
13. Device identifiers & serial #
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address #
16. Biometric identifiers, including
finger and voice prints
17. Full face photographic images and
comparable images
18. Any other unique identifying number,
characteristic code
of data that creates the need for
increased privacy and security protec-
tions for patient data. Research data is
just one of many areas where HIPAA
may have an impact on how we conduct
our work.
Figure 1 provides an algorithm that
outlines procedures for de-identifying 18
protected personal identifiers enumerated
in the original HIPAA Privacy Regulations
In published comments, the
Association of Academic Medical Centers
(AAMC)9 recommended a condensed set
of data elements for de-identification,
and suggested that covered entities
should be permitted to release informa-
tion for research purposes if data has
been de-identified and (1) if the
researcher agrees in writing that they will
not attempt to re-identify or contact sub-
jects of the information, and (2) not to
further disclose the information except as
required by law.
Proposed AAMC recommendations
suggest that data which has met their
proposed de-identified standard would
not be individually identifiable and
would permit the covered entity to dis-
close health information pursuant to a
data use agreement if (1) the covered
entity has determined that the risk is
very small that the information could be
used, alone or in combination with other
reasonably available information, by the
64 Journal of Healthcare Information Management — Vol. 16, No. 4
Original Contributions
AAMC RECOMMENDATIONS
1. Names
2. Street address
3. Telephone #
4. Fax #
5. Electronic mail addresses
6. Social security #
7. Vehicle identifiers and serial #
Acknowledged
Acknowledged
8. Full face photographic images and
comparable images
recipient researcher to identify an indi-
vidual who is the subject of the informa-
tion; (2) identifiers listed in column 2
(table 1) are removed; and (3) the cov-
“Thus it is apparent that
ongoing debate and confusion are
inherent in HIPAA privacy regu-
lations. What remains clear is
that much work remains to be done
to ensure that privacy laws balance
individual personal privacy rights
with competing data and informa-
tion-sharing benefits.”
ered entity does not have actual knowl-
edge that the information could be readi-
ly used alone or in combination with
other reasonably available information to
identify an individual who is the subject
of the information.
Methods to Protect Patient Privacy in
Clinical Data Mining Research
The purpose of this paper is to com-
pare procedures used for our clinical
data mining preparation with the HIPAA
safe harbor de-identification standard in
figure 1 and proposed AAMC de-identifi-
cation standards. Note that numbers in
figure 1 in the upper left-hand corner of
a box correspond to the list of 18 per-
sonal health identifiers in the original
HIPAA “safe harbor” standard of the pri-
vacy regulations.
Duke’s TMR™ perinatal database pro-
vided data for the study (RO1 LM-O6488)
and is the only known clinical database
that electronically collected data on preg-
nant women for more than two decades.
The final research data set included
1,622 variables and 19,970 patients after
cleaning and filtering procedures were
completed for data extraction of 71,753
records and approximately 4,000 poten-
tial variables per patient.
Data in TMR™, a comprehensive elec-
tronic medical record system, did contain
many patient identifiers. Since we were
interested in predictive modeling during
pregnancy, the first step in preparing our
research data sets was to remove all
infant records, since infant data would
not normally be available during preg-
nancy. Infant variables that might be
available during pregnancy were retained
(e.g., infant gender and ultrasound meas-
urements).
Remaining maternal records were then
assigned a unique code using random
number generation, and the list that
matches the original patient identifier
with their code number is kept locked in
the Principal Investigator’s office files.
This code can be used to re-identify indi-
vidual patients in the original TMR™ sys-
tem. When we began the research, we
were not sure if we would need an abili-
ty to compare research data sets with the
original patient records, and we did in
fact find this ability useful on at least one
occasion. Our data filtering and cleaning
efforts removed all names (patient, fami-
ly, etc.) from the data.
Procedures used to remove geograph-
ic identifiers in our research data con-
verted zip codes to county codes, and
removed all other forms of address and
location. Our procedures would not be
in compliance with the strictest interpre-
tation of new HIPAA privacy regulations.
HIPAA regulations specify removal of the
following for geographic identifiers: all

geographic subdivisions smaller than a
state, including street address, city, coun-
ty, precinct, zip code, and their equiva-
lent geocodes, except for the initial three
digits of a zip code if, according to the
current publicly available data from the
Bureau of the Census:4, pp. 82711, 82818
• The geographic unit formed by com-
bining all zip codes with the same
three initial digits must contain more
than 20,000 people; and
• The initial three digits of a zip code
for all such geographic units contain-
ing 20,000 or fewer people is changed
to 000.
Since our final county codes were
broadly categorized as “Durham County,
Orange County, and Other”, each geo-
graphic subdivision has more than
20,000 people and it should be possible
to follow HIPAA guidelines with regard
to zip codes to achieve HIPAA-compliant
outcomes with results similar to our RO1
procedures.
Birth dates were converted to age at
the time of conception, and then
removed. Since we did not have any
pregnant women over the age of 89, this
aspect of the regulation did not influence
our procedures, and the maximum likeli-
hood of this as a future problem in peri-
natal medicine is not expected. HIPAA
regulations specify removal of the follow-
ing for date identifiers: all elements of
dates (except year) for dates directly
related to an individual, including birth
date, admission date, discharge date, date
of death; and all ages over 89 and all
elements of dates (including year) indica-
tive of such age, except that such ages
and elements may be aggregated into a
single category of age 90 or older.4, p. 82818
Here is where we believe new prob-
lems may arise with interpretation of
HIPAA regulations in research. If dates
were removed prior to our receiving the
data, it would have been impossible for
us to complete our study, since we need-
ed dates in order to generate many of
our data elements. Please recognize that
dates were available in the raw data but
converted into data fields, such as years
of age and weeks of gestation, in the
final research data sets (see figure 2); all
dates were removed from the final data
set but available to the data warehouse
engineer during the data cleaning and fil-
tering earlier phases of the research.
All clinical observations and events in
the study data were converted into
Original Contributions
numeric temporal relationships with
regard to conception. For example, if a
preconception questionnaire was com-
pleted on 1/1/1993 and conception
occurred on 1/15/1993, the relationship
of the event was calculated as -14 days.
If the patient experienced nausea during
the same pregnancy on 7/15/1993, the
“If dates were removed prior to
our receiving the data, it would
have been impossible for us to
complete our study, since we need-
ed dates in order to generate
many of our data elements.”
temporal relationship of the observation
would be 181 days. This temporal rela-
tionships scheme allowed all dates in the
data source, including date of conception
and birth, to be removed. While the
process that included dates in raw data
could be interpreted as violating HIPAA
regulations, the final data sets are clearly
in compliance with the law.
Figure 2. Research Data Sets (10 week intervals)
LMP 10 weeks
Data Set #1
446 vars
Data Set #2
839 vars
Data Set #3
1,232 vars
Journal of Healthcare Information Management — Vol. 16, No. 4
We believe our RO1 procedures were
HIPAA compliant for personal identifiers
4 through 17 (see table 2). As a function
of the years when TMR data was collect-
ed, some identifier items on the HIPAA
list were not included in our data set
(e.g., e-mail address, web URL, IP
address, biometrics, photos). We system-
atically removed all phone and fax num-
bers, social security numbers, medical
record and account numbers, and insur-
ance information that was recoded into
categories: private, health department,
managed care, or other.
The HIPAA regulatory definition of de-
identification occurs when 18 personal
identifiers listed in table 1 have been
removed or aggregated as defined in the
law. Item 18 places a burden of protec-
tion on the covered entity to consider
“any other unique identifying number,
characteristic, or code (whether generally
available in the public realm or not) that
the covered entity has reason to believe
may be available to an anticipated recipi-
ent of the information, and the covered
entity has no reason to believe that any
reasonably anticipated recipient of such
information could use the information
alone, or in combination with other
information, to identify an individual.
Thus, to create de-identified information,
entities that had removed the listed iden-
tifiers would still have to remove addi-
tional data elements if they had reason
to believe that a recipient could use the
20 weeks 30 weeks 37 40+
Preterm
Full term
Data Set #4
1,622 vars
65

remaining information, alone or in com-
bination with other information, to iden-
tify an individual.”4, pp. 82717-82818
See the discussion section for our
example of potential problems with
“unique” characteristics. Our own
research found that this necessary final
step was especially challenging — but
still possible to accomplish.
Discussion
Data access and management proce-
dures were reviewed and approved by
Duke’s IRB in accordance with the
Common Rule and established IRB poli-
cies and procedures (since HIPAA priva-
cy regulations will not be enforced until
April 2003).
It is important to understand that the
data warehouse engineer on our
research team was given full access to
clinical data with patient identifiers.
Other participating research team mem-
bers included the clinical database
administrator (a certified perinatal nurse)
and a board-certified obstetrician who
were heavily involved in using the TMR™
Table 2. HIPAA and RO1 Comparison
HIPAA SAFE HARBOR
DE-IDENTIFICATION
1. Names
2. Geographic subdivisions
3. All elements of dates
4. Telephone #
5. Fax #
6. Electronic mail addresses
7. Social security #
8. Medical record #
9. Health plan beneficiary #
10. Account #
11. Certificate/license #
12. Vehicle identifiers and
serial # including license plate #
13. Device identifiers & serial #
14. Web Universal Resource
Locators (URLs);
15. Internet Protocol (IP)
address #
16. Biometric identifiers,
including finger and voice prints
17. Full face photographic images
and any comparable images
18. Any other unique identifying
number, characteristic code
66 Journal of Healthcare Information Management — Vol. 16, No. 4
Original Contributions
database for operational purposes. The
warehouse engineer spent more than a
year working closely with the database
administrator, physician, Principal
Investigator (PI), and other members of
the research team to scrub, filter, clean,
and transform the raw data into de-iden-
tified research data sets.
The database administrator and physi-
cian were already authorized users of the
database, and our research data cleaning
procedures required that the data ware-
house engineer have access to personal
identifiers in order to match and verify
records. The warehouse engineer
worked closely with the research team
and was diligent in removing all person-
al identifiers from the research data.
Thus, using de-identified data, data
analyses were conducted by multiple
members of the research team, but only
the warehouse engineer had ready
access to raw data that included personal
identifiers. The warehouse engineer care-
fully protected the raw data through
physical security (locked office, locked
machine) and multiple levels of pass-
AAMC PROPOSED RO1 “ANONYMIZATION”
DE-IDENTIFICATION PROCEDURES
1. Names Removed
2. Street address Recoded as county
of residence
Converted to temporal
relationships from date
of conception
3. Telephone # Removed
4. Fax # Removed
5. Electronic mail addresses Not available
6. Social security # Removed
Removed
Recoded as category/type
Removed
Not available in TMR™
data source
7. Vehicle identifiers and serial #
Acknowledged
Acknowledged
8. Full face photographic images
and any comparable images
Manual outlier filtering
removed very young
pregnant patient
word protection on the hard drive where
the raw data were stored.
It is also important to understand that
potential privacy and informed consent
issues persist even in de-identified large
clinical databases. Our research team was
vigilant in maintaining patient privacy,
and we removed patient identifiers using
procedures that, with minor modification,
could be expected to meet a HIPAA “safe
harbor” de-identification standard.
But we did encounter a problem after
the first 17 HIPAA safe harbor personal
identifiers had been removed from our
research data. Clinician members of the
research team could still identify a very
young pregnant girl because of her age,
so her record was removed from the
data. A board-certified obstetrician and
expert nurse who had managed the TMR
database for more than a decade, assist-
ed us in searching for outliers and possi-
ble remaining identifiers, but no further
potential privacy problems with the
research data were found.
Thus, the 18th HIPAA item that man-
dates removing “any/all other unique
identifying number, characteristic or
code” will require due diligence by those
responsible for de-identification of clini-
cal data, and could create problems
where researchers do not wish to invest
the time and effort for this level of atten-
tion to detail.
The potential impact of HIPAA privacy
regulations on clinical research is not yet
known. The literature and the web are
filled with opinions on both sides of the
issue; some believe protecting patient
privacy is more important while others
argue that access to PHI for research
purposes is essential for science. In our
clinical data mining research, we found
these competing privacy and access to
research data demands could both be
satisfied through rigorous de-identifica-
tion procedures.
Our work preceded HIPAA privacy
regulations, but would meet a HIPAA
safe harbor standard with only minor
modifications. Based on our experiences,
we believe that clinical data mining
researchers can protect patient privacy
while advancing science through de-
identified data analyses. We acknowl-
edge this process is tedious, time-con-
suming, and expensive; these facts com-
bined with increased liability for a cov-
ered entity are predicted to reduce the
availability of clinical data for research
purposes in the coming years. Our data
 Original Contributions

mining research finds it is possible to
balance privacy concerns and research
needs through careful procedures that
remove personal identifiers to create de-
identified data for clinical research; we
believe this balance improves both pub-
lic trust and scientific research.
Conclusion
Clinical data mining research conduct-
ed at Duke University followed careful
procedures to protect the privacy of
patient data. All known patient identifiers
were removed from the data, and a
patient identification number was re-
coded so that only the Principal
Investigator had the information (locked
in the research office) that could re-identi-
fy an individual patient’s record. We were
diligent in maintaining patient privacy,
and removed patient identifiers using pro-
cedures that, with minor modification,
could be expected to meet a HIPAA “safe
harbor” de-identification standard.
Potential privacy and informed con-
sent issues persist even in anonymized
and de-identified large clinical databases.
In spite of removing 17 HIPAA personal
identifiers, we found that outliers (e.g., a
very young pregnant girl) were still
potentially identifiable by a small num-
“In our clinical data mining
research, we found these compet-
ing privacy and access to research
data demands could both be sat-
isfied through rigorous de-identi-
fication procedures.”
ber of employees who knew the patient,
and this record was removed from the
research data.
It seems imperative that we strive to
maintain the public’s trust by doing
everything possible to protect patient pri-
vacy in clinical research. Privacy protec-
tions will require careful stewardship of
patient data that provides vigilant de-
identification and HIPAA compliance as a
minimum standard for clinical data min-
ing research.
Acknowledgment
Informatics Tools and Perinatal
Knowledge Building RO1 LM-O6488
funded by the National Library of
Medicine 1997-2003.
About the Authors
Linda Goodwin is director of the
Nursing Informatics Program at Duke
University and an informatics scientist
with a program of funded research in
applied informatics (www.duke.edu/
~goodw010).
Jonathan Prather is a data warehouse
engineer for Oregon Health Sciences
University Department of
Immunogenetics and Transplantation.

References
1
“Who’s Reading Your Patient Records?” Consumer Reports, October 1994, 5
Shalala, D. E. “Protecting Privacy of Health Information.” Address to the
628-632. National Press Club (July 31, 1997). Available at:
2
National Research Council. For the Record: Protecting Electronic Health http://aspe.os.dhhs.gov/adminsimp/pvcy0731.htm
Information. 1997. Available at: http://www.nap.edu/readingroom/ 6
Federal Policy for the Protection of Human Subjects; Notices and Rules, 56
books/ftr/52ea.html Federal Register 28002 - 28032 (June 18, 1991).
3
Detmer, D. E., and Steen, E. B. “Shoring Up Protection of Personal Health 7
67 Federal Register 14, 776.
Data.” Issues in Science and Technology, Summer 1996, 12(4), 73-78. 8
http://www.aamc.org/advocacy/corres/research/hipaa041102.htm
4
45 CFR Parts 160 and 164. December 2000. Available at: 9
http://ncvhs.hhs.gov/011121lt.htm
http://www.hhs.gov/ocr/hipaa/

Journal of Healthcare Information Management — Vol. 16, No. 4 67