Send to

Choose Destination
See comment in PubMed Commons below
J Am Med Inform Assoc. 2015 Sep;22(5):1029-41. doi: 10.1093/jamia/ocv004. Epub 2015 Apr 24.

R-U policy frontiers for health data de-identification.

Author information

  • 1Department of Electrical Engineering & Computer Science, Vanderbilt University, Nashville, TN, USA
  • 2Department of Biomedical Informatics, Vanderbilt University, Nashville, TN, USA.
  • 3Huazhong University of Science and Technology, Wuhan, China.
  • 4School of Information Technology and Mathematical Sciences, University of South Australia, Mawson Lakes, South Australia, Australia.
  • 5Department of Electrical Engineering & Computer Science, Vanderbilt University, Nashville, TN, USA Department of Biomedical Informatics, Vanderbilt University, Nashville, TN, USA.



The Health Insurance Portability and Accountability Act Privacy Rule enables healthcare organizations to share de-identified data via two routes. They can either 1) show re-identification risk is small (e.g., via a formal model, such as k-anonymity) with respect to an anticipated recipient or 2) apply a rule-based policy (i.e., Safe Harbor) that enumerates attributes to be altered (e.g., dates to years). The latter is often invoked because it is interpretable, but it fails to tailor protections to the capabilities of the recipient. The paper shows rule-based policies can be mapped to a utility (U) and re-identification risk (R) space, which can be searched for a collection, or frontier, of policies that systematically trade off between these goals.


We extend an algorithm to efficiently compose an R-U frontier using a lattice of policy options. Risk is proportional to the number of patients to which a record corresponds, while utility is proportional to similarity of the original and de-identified distribution. We allow our method to search 20 000 rule-based policies (out of 2(700)) and compare the resulting frontier with k-anonymous solutions and Safe Harbor using the demographics of 10 U.S. states.


The results demonstrate the rule-based frontier 1) consists, on average, of 5000 policies, 2% of which enable better utility with less risk than Safe Harbor and 2) the policies cover a broader spectrum of utility and risk than k-anonymity frontiers.


R-U frontiers of de-identification policies can be discovered efficiently, allowing healthcare organizations to tailor protections to anticipated needs and trustworthiness of recipients.


de-identification; optimization; policy; privacy; secondary use

[PubMed - indexed for MEDLINE]
Free PMC Article
PubMed Commons home

PubMed Commons

How to join PubMed Commons

    Supplemental Content

    Full text links

    Icon for Silverchair Information Systems Icon for PubMed Central
    Loading ...
    Support Center