Weaving Technology and Policy Together to Maintain Confidentiality

Kohane I. , “Sharing Electronic Medical Records Across Heterogeneous and Competing Institutions,” in Cimino J. , ed., Proceedings, American Medical Informatics Association (Washington, D.C.: Hanley & Belfus, 1996): 608–12.

Office of Technology Assessment, Protecting Privacy in Computerized Medical Information (Washington, D.C.: U.S. Government Printing Office, 1993).

See Gostin L.O. , “Privacy and Security of Personal Information in a New Health Care System,” JAMA, 270 (1993): At 2487 (citing Louis Harris and Associates, The Equifax Report on Consumers in the Information Age (Atlanta: Equifax, 1993)).

Louis Harris and Associates, The Equifax-Harris Consumer Privacy Survey (Atlanta: Equifax, 1994).

Cooper G. , “An Evaluation of Machine-Learning Methods for Predicting Pneumonia Mortality,” Artificial Intelligence in Medicine, 9, no. 2 (1997): 107–38.

See Kohane , supra note 1.

Woodward B. , “Patient Privacy in a Computerized World,” 1997 Medical and Health Annual (Chicago: Encyclopedia Britannica, 1996): 256–59.

National Association of Health Data Organizations, A Guide to State-Level Ambulatory Care Data Collection Activities (Rails Church: National Association of Health Data Organizations, Oct. 1996).

Clayton P. , National Research Council, For the Record: Protecting Electronic Health Information (Washington, D.C.: National Academy Press, 1997).

See, for example, Shalala Donna E. , Address at the National Press Club, Washington, D.C. (July 31, 1997).

Woodward B. , “The Computer-Based Patient Record and Confidentiality,” N. Engl. J. Med., 333 (1995): 1419–22.

Linowes D. Spencer R. , “Privacy: The Workplace Issue of the '90s,” John Marshall Law Review, 23 (1990): 591–620.

Grady D. , “Hospital Files as Open Book,” New York Times, Mar. 12, 1997, at C8.

See Clayton , supra note 9.

“Who's Reading Your Medical Records,” Consumer Reports, Oct. (1994): 628–32.

Alexander L. Jabine T. , Social Security Bulletin: Access to Social Security Microdata Files for Research and Statistical Purposes, 41, no. 8 (1978).

Sweeney L. , “Replacing Personally-Identifying Information in Medical Records, the Scrub System,” in Cimino , supra note 1, at 333–37.

Kohane I. , “Getting the Data In: Three-Year Experience with a Pediatric Electronic Medical Record System,” in Ozbolt J. , ed., Proceedings, Symposium on Computer Applications in Medical Care (Washington, D.C.: Hanley & Belfus, 1994): 457–61.

Barnett G. , “The Application of Computer-Based Medical-Record Systems in Ambulatory Practice,” N. Engl. J. Med., 310 (1984): 1643–50.

Anon., Privacy & Confidentiality: Is It a Privilege of the Past?, Remarks at the Massachusetts Medical Society's Annual Meeting, Boston, Mass. (May, 18, 1997).

Government Accounting Office, Fraud and Abuse in Medicare and Medicaid: Stronger Enforcement and Better Management Could Save Billions (Washington, D.C.: Government Accounting Office, HRD-96-320, June 27, 1996).

See Sweeney , supra note 17.

See id.

See National Association of Health Data Organizations, supra note 8.

See Sweeney L. , “Computational Disclosure Control for Medical Microdata, the Datafly System,” Proceedings of the Bureau of the Census Record Linkage Workshop (Washington, D.C.: Bureau of the Census, 1997): Forthcoming.

For guidelines, see Sweeney L. “Guaranteeing Anonymity When Sharing Medical Data, the Datafly System,” Proceedings, American Medical Informatics Association (Nashville: Hanley & Belfus, 1997): Forthcoming.

See id.

Lasalandra M. , “Panel Told Releases of Med Records Hurt Privacy,” Boston Herald, Mar. 20, 1997, at 35.

Hundepool A. Willenborg L. , “mu- and tau-Argus: Software for Statistical Disclosure Control,” Third International Seminar on Statistical Confidentiality (1996) (available at <http://www.cbs.nl/sdc/argus1.html>.

For a presentation of the concepts on which μ-Argus is based, see Willenborg L. De Waal T. , Statistical Disclosure Control in Practice (New York: Springer-Verlag, 1996).

Kirkendall N. , Report on Statistical Disclosure Limitation Methodology, Statistical Policy Working Paper (Washington, D.C.: Office of Management and Budget, no. 22, 1994).

For a more in-depth discussion, see Sweeney supra note 26.

Sweeney L. , “Towards the Optimal Suppression of Details When Disclosing Medical Data, the Use of Sub-Combination Analysis,” Proceedings of the 9th World Conference on Medical Informatics (1998): Forthcoming.

See Kirkendall , supra note 31.

Duncan G. Lambert D. , “The Risk of Disclosure for Microdata,” Proceedings of the Bureau of the Census Third Annual Research Conference (Washington, D.C.: Bureau of the Census, 1987): 263–74.

Skinner C. Holmes D. , “Modeling Population Uniqueness,” Proceedings of the International Seminar on Statistical Confidentiality (Dublin: International Statistical Institute, 1992): 175–99.

For example, Latanya Sweeney's testimony before the Massachusetts Health Care Committee had a chilling effect on the proceedings that postulated that the release of deidentified medical records provided anonymity. See Session of the Joint Committee on Health Care, Massachusetts State Legislature, (Mar. 19, 1997) (testimony of Latanya Sweeney, computer scientist, Massachusetts Institute of Technology). Though the Bureau of the Census has always been concerned with the anonymity of public use files, they began new experiments to measure uniqueness in the population as it relates to public use files. Computer scientists who specialize in data base security are reexamining access models in light of these works.