Conclusions from The "Re-identification" of Governor William Weld's Medical Information: A Critical Re-examination of Health Data Identification Risks and Privacy Protections, Then and Now, Daniel Barth-Jones, 2012.
What are our essential "lessons learned" from this critical examination of the seminal Weld reidentification attack?
I would propose the following:
- Did Weld’s "re-identification" have a useful and important impact on improving healthcare privacy? *Yes, quite clearly.*
- Has this event led to important regulations that help to importantly protect patients from reidentification risk? Undoubtedly.
- Does the Weld saga realistically reflect the privacy risks that exist under the HIPAA Privacy rules today? No, not at all.
- Should we let the de minimis risks of re-identification under today's HIPAA protections cause us to abandon our use of de-identified data to save lives and improve our healthcare system? No, not unless we wish to abandon science and progress in favor of irrational fears.