Research Accomplishments of Latanya Sweeney, Ph.D.


Medical Informatics
      Genomic identifiability
      Patient-centered management

Database Security

      Risk assessment server

      Face de-identification

      Contactless capture

Policy and Law
      Identifiability of de-identified data
      HIPAA assessments
      Privacy-preserving surveillance

Public Education
      Identity angel

Quantitative assessments

Policy and Law: HIPAA assessments

[cite, cite]

Problem Statement: Given patient-specific health data covered by the HIPAA Privacy Rule, construct a method for determining whether a version of the data is sufficiently de-identified under HIPAA (scientifically and legally) so that it can be shared freely and still remain useful.

Description: Dr. Sweeney's contribution was an operational standard for determining HIPAA compliance that satisfies scientific and legal muster by asserting that a dataset is HIPAA compliant if no more people are identifiable in the subject data release than would be identifiable if the data release satisfied the HIPAA safe harbor provisions. [cite, cite] This leverages my previously developed technology for determining the identifiability of data Risk Assessment Server, described separately. As background, the HIPAA Privacy Rule provides two mechanisms for sharing patient data freely: (1) the safe harbor provision that lists which fields cannot be released; and, (2) the scientific standard that states that there must be minimal risk of re-identification. The safe harbor provision often yields useless data, and there is no definition of "minimal risk" provided for the scientific standard. Dr. Sweeney technical and legal insight was to conserve the number of re-identifications allowed in the safe harbor while allowing more specificity in fields.

Scientific Influence and Impact: Attorneys made public statements endorsing Dr. Sweeney's approach as a means of reducing litigation risk [Tupman, et al.]. Others report using it in practice [American Health Lawyers, et al.]. Two companies licensed her related technology and use the approach to commercially provide HIPAA Compliance Assessments [Privacert, et al.].

Other Achievements: 12

  • Elected Fellow, American College of Medical Informatics, based in part on this work.

  • Appointment to the Federal HIT Policy Committee, Privacy and Security Seat in the Obama Administration, based in part on this work.

  • Included in testimony or briefings to EU, DHS, DOD, NCVHS, HCFA, and U.S. Senate.

  • Dr. Sweeney's paper [cite] has a statistically significant citation count (at 99th percentile) among medical informatics papers.

  • Among 28 news articles specifically profiling aspects of this work. Venues include Scientific American, CBS News, ABC News, Newsweek, USA Today, and NPR.


12 See quantitative assessments for more details.

Previous | Next

Related links:

Fall 2009