Reidentification is a term casually applied to any instance whereby information can be linked to a specific person,
after the links between the information and the person associated with the information have been removed.
Used this way, the term reidentification connotes an insufficient deidentification process. In the health care
industry, the term "reidentification" means something else entirely. In the U.S., regulations define "reidentification"
under the "Standards for Privacy of Individually Identifiable Health Information."(1) Therein, reidentification
is a legally sanctioned process whereby deidentified records can be linked back to their human
subjects, under circumstances deemed legitimate and compelling by a privacy board. Reidentification is typically
accomplished via the use of a confidential list of links between human subject names and deidentified
records, held by a trusted party. In the healthcare realm, when a human subject is identified through fraud,
trickery, or through the deliberate use of computational methods to break the confidentiality of insufficiently
deidentified records (i.e., hacking), the term "reidentification" would not apply.(2)
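
The sanctioned process described above, sketched as an added example (not from the regulation or from the author's book): a trusted party keeps the confidential link list and releases a name only against a privacy board approval. The class name `LinkEscrow`, the approval id format, and the sample record are assumptions made for illustration, and only the name field is treated as an identifier here.

```python
import secrets


class LinkEscrow:
    """Trusted party holding the confidential list of links (hypothetical design)."""

    def __init__(self):
        self._links = {}         # deidentified code -> subject name; never released
        self._approvals = set()  # (approval_id, code) pairs granted by the privacy board
        self.audit = []          # every reidentification attempt, granted or refused

    def deidentify(self, record):
        # The code is random, not derived from the name, so the released
        # record cannot be linked back without the escrowed list.
        code = secrets.token_hex(8)
        self._links[code] = record["name"]
        released = {k: v for k, v in record.items() if k != "name"}
        released["code"] = code
        return released

    def grant(self, approval_id, code):
        # Recorded once the privacy board deems the request legitimate and compelling.
        self._approvals.add((approval_id, code))

    def reidentify(self, approval_id, code):
        ok = (approval_id, code) in self._approvals and code in self._links
        self.audit.append((approval_id, code, "granted" if ok else "refused"))
        if not ok:
            raise PermissionError("no privacy board approval for this record")
        self._approvals.discard((approval_id, code))  # each approval is single use
        return self._links[code]


if __name__ == "__main__":
    escrow = LinkEscrow()
    # Constructed sample record, not real patient data.
    released = escrow.deidentify({"name": "Constructed Patient", "diagnosis": "J45"})
    print(released)
    escrow.grant("PB-0001", released["code"])
    print(escrow.reidentify("PB-0001", released["code"]))
    print(escrow.audit)
```
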
References
1. Department of Health and Human Services. 45 CFR (Code of Federal Regulations), parts 160 through
164. Standards for privacy of individually identifiable health information (final rule). Fed Regist
2000;65(250):82461–510.
2. Berman JJ. Principles of big data: preparing, sharing, and analyzing complex information. Morgan Kaufmann; 2013.
- Jules Berman (copyrighted material)
key words: identifier, deidentifier, identification, reidentification, privacy, HIPAA, confidentiality, medical records, jules j berman