The ability to collect and disseminate individually identifiable microdata is becoming increasingly important in a number of arenas. This is especially true in health care and national security, where this data is considered vital for a number of public health and safety initiatives. In some cases legislation has been used to establish some standards for limiting the collection of and access to such data. However, all such legislative efforts contain many provisions that allow for access to individually identifiable microdata without the consent of the data subject. Furthermore, although legislation is useful in that penalties are levied for violating the law, these penalties occur after an individual's privacy has been compromised. Such deterrent measures can only serve as disincentives and offer no true protection. This paper considers security issues involved in releasing microdata, including individual identifiers. The threats to the confidentiality of the data subjects come from the users possessing statistical information that relates the revealed microdata to suppressed confidential information. The general strategy is to recode the initial data, in which some subjects are "safe" and some are at risk, into a data set in which no subjects are at risk. We develop a technique that enables the release of individually identifiable microdata in a manner that maximizes the utility of the released data while providing preventive protection of confidential data. Extensive computational results show that the proposed method is practical and viable and that useful data can be released even when the level of risk in the data is high.
Key words: data security; privacy; health information; optimization
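The abstract's general strategy (assess which subjects are at risk from a user who holds statistical information linking the revealed attributes to the suppressed confidential attribute, then recode the revealed attributes until no subject is at risk) can be illustrated with a small simulation. The example below is added here for illustration and is not the paper's algorithm: the risk measure (the most frequent confidential value within a group of subjects that share the same released attribute values, compared against a threshold), the two-level generalization hierarchies for age and ZIP code, the search order over recodings, the threshold value and the sample records are all constructed assumptions.

```python
"""Illustrative risk-and-recode demo for releasing identified microdata.

Assumptions (constructed for this example, not taken from the paper):
  * Each record carries a subject identifier, revealed attributes (age, zip)
    and one confidential attribute (diagnosis) that is suppressed on release.
  * The data user knows how diagnoses are distributed across revealed
    attribute values (approximated by the empirical distribution here).
  * A subject is "at risk" when, among released records sharing the same
    recoded attribute values, the most common diagnosis has relative
    frequency >= RISK_THRESHOLD, i.e. the user can infer the suppressed value
    with at least that confidence.
  * Protection recodes (generalizes) the revealed attributes, choosing the
    least-coarse recoding under which no subject is at risk.
"""
from collections import Counter, defaultdict
from itertools import product

RISK_THRESHOLD = 0.75  # constructed policy value: max tolerated inference confidence
MAX_LEVEL = 2          # generalization levels: 0 exact, 1 coarse, 2 fully suppressed

# Constructed sample microdata (not real subjects): (subject_id, age, zip, diagnosis)
RECORDS = [
    (1, 34, "02139", "flu"),
    (2, 35, "02139", "flu"),
    (3, 36, "02139", "flu"),
    (4, 37, "02139", "asthma"),
    (5, 41, "02140", "asthma"),
    (6, 45, "02140", "flu"),
    (7, 48, "02140", "asthma"),
    (8, 52, "02141", "flu"),
    (9, 38, "02140", "diabetes"),
    (10, 55, "02139", "asthma"),
]


def generalize_age(age, level):
    """Age hierarchy: exact -> ten-year band -> suppressed."""
    if level == 0:
        return str(age)
    if level == 1:
        lo = (age // 10) * 10
        return f"{lo}-{lo + 9}"
    return "*"


def generalize_zip(zip_code, level):
    """ZIP hierarchy: five digits -> three-digit prefix -> suppressed."""
    if level == 0:
        return zip_code
    if level == 1:
        return zip_code[:3] + "**"
    return "*"


def revealed_key(record, age_level, zip_level):
    """The attribute values a data user would see for this record."""
    _, age, zip_code, _ = record
    return (generalize_age(age, age_level), generalize_zip(zip_code, zip_level))


def at_risk_ids(records, age_level, zip_level):
    """IDs of subjects whose suppressed diagnosis is inferable with confidence
    >= RISK_THRESHOLD from their recoded attributes plus the known
    diagnosis distribution. Singleton groups are always at risk (confidence 1)."""
    groups = defaultdict(list)
    for rec in records:
        groups[revealed_key(rec, age_level, zip_level)].append(rec)
    risky = set()
    for members in groups.values():
        top_count = Counter(r[3] for r in members).most_common(1)[0][1]
        if top_count / len(members) >= RISK_THRESHOLD:
            risky.update(r[0] for r in members)
    return risky


def recode(records):
    """Search recodings from least to most coarse (by total level, then by
    the larger of the two levels) and return the first under which no subject
    is at risk, together with the release: identifier plus recoded attributes,
    confidential attribute omitted."""
    candidates = sorted(product(range(MAX_LEVEL + 1), repeat=2),
                        key=lambda lv: (sum(lv), max(lv), lv))
    for age_level, zip_level in candidates:
        if not at_risk_ids(records, age_level, zip_level):
            released = [(r[0],) + revealed_key(r, age_level, zip_level)
                        for r in records]
            return (age_level, zip_level), released
    raise ValueError("no recoding within MAX_LEVEL protects every subject")


if __name__ == "__main__":
    print("at risk with exact values:", sorted(at_risk_ids(RECORDS, 0, 0)))
    print("at risk with age bands only:", sorted(at_risk_ids(RECORDS, 1, 0)))
    levels, rows = recode(RECORDS)
    print("chosen (age_level, zip_level):", levels)
    for row in rows:
        print(row)
```

With exact values every subject is in a group of one and is therefore at risk; banding age alone still leaves the four 02139 subjects in their thirties at risk (three of four share one diagnosis, meeting the 0.75 threshold) plus several singletons; banding age and truncating the ZIP code together protects everyone, so that is the recoding released, identifiers included. The search order is one simple proxy for "maximize utility"; a real release would weigh information loss per attribute rather than count levels.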
1. Introduction
As information storage and processing capabilities increase, a number of groups and organizations are engaging in the collection and dissemination of individually identifiable microdata (IIM). Examples include the Department of Homeland Security, the Centers for Disease Control and Prevention, insurance companies, and various state and local public health departments. In some cases IIM are collected and used by a specific organization. In other cases data is collected and shared with other organizations. The collection and dissemination of IIM is typically considered justifiable when the objectives of the data recipient are deemed to be "for the greater good" and statistical data alone is not sufficient to achieve those objectives.
In recognition of the fact that IIM is highly sensitive, especially in relation to matters such as medical or financial information, a number of laws have been passed that address the question of when IIM can be collected and shared. Examples at the federal level include the Privacy Act of 1974, the Computer Matching and Privacy Protection Act of 1988, the Paperwork Reduction Act of 1995, the Principles for Providing and Using Personal Information ("Privacy Principles"), published by the Information Infrastructure Task Force in 1995, and the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996. In most cases these laws provide substantial disincentives for the abuse of IIM. For instance, the maximum penalty under HIPAA for the abuse of personal health information is a $250,000 fine and up to 10 years imprisonment.
Nevertheless, although enacted for the purpose of protecting individual privacy in the face of an increasingly computerized world, all these laws contain provisions that allow for the collection and dissemination of IIM. The HIPAA Privacy Rule provides a good example of such provisions as they relate to medical information. The following summary, taken from the CDC website (2005), describes the current situation well:
New national health information privacy standards have been issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations provide protection for the privacy of certain individually identifiable health data, referred to as protected health information (PHI). Balancing the protection of individual health information with the need to protect public health, the Privacy Rule expressly permits disclosures without individual authorization to public health authorities authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to public health surveillance, investigation, and intervention.