Policy and Law: HIPAA assessments
Problem Statement: Given patient-specific health data covered by the HIPAA Privacy Rule, construct a method for determining whether a version of the data is sufficiently de-identified under HIPAA (scientifically and legally) so that it can be shared freely and still remain useful.
Description: Dr. Sweeney's contribution was an operational standard for determining HIPAA compliance that satisfies scientific and legal muster by asserting that a dataset is HIPAA compliant if no more people are identifiable in the subject data release than would be identifiable if the data release satisfied the HIPAA safe harbor provisions. [cite, cite] This leverages my previously developed technology for determining the identifiability of data Risk Assessment Server, described separately. As background, the HIPAA Privacy Rule provides two mechanisms for sharing patient data freely: (1) the safe harbor provision that lists which fields cannot be released; and, (2) the scientific standard that states that there must be minimal risk of re-identification. The safe harbor provision often yields useless data, and there is no definition of "minimal risk" provided for the scientific standard. Dr. Sweeney technical and legal insight was to conserve the number of re-identifications allowed in the safe harbor while allowing more specificity in fields.
Scientific Influence and Impact: Attorneys made public statements endorsing Dr. Sweeney's approach as a means of reducing litigation risk [Tupman, et al.]. Others report using it in practice [American Health Lawyers, et al.]. Two companies licensed her related technology and use the approach to commercially provide HIPAA Compliance Assessments [Privacert, et al.].
Other Achievements: 12