Reidentification is a term casually applied to any instance whereby information can be linked to a specific person, after the links between the information and the person associated with the information have been removed. Used this way, the term reidentification connotes an insufficient deidentification process. In the health care industry, the term "reidentification" means something else entirely. In the U.S., regulations define "reidentification" under the "Standards for Privacy of Individually Identifiable Health Information.”(1) Therein, reidentification is a legally sanctioned process whereby deidentified records can be linked back to their human subjects, under circumstances deemed legitimate and compelling, by a privacy board. Reidentification is typically accomplished via the use of a confidential list of links between human subject names and deidentified records, held by a trusted party. In the healthcare realm, when a human subject is identified through fraud, trickery, or through the deliberate use of computational methods to break the confidentiality of insufficiently deidentified records (ie, hacking), the term "reidentification" would not apply.(2)
1. Department of Health and Human Services. 45 CFR (Code of Federal Regulations), parts 160 through
164. Standards for privacy of individually identifiable health information (final rule). Fed Regist
2. Berman JJ. Principles of big data: preparing, sharing, and analyzing complex information. Morgan Kaufmann; 2013.
- Jules Berman (copyrighted material)
key words: identifier, deidentifier, identification, reidentification, privacy, HIPAA, confidentiality, medical records, jules j berman