Comment by logicchains
2 days ago
The solution is to anonymize all data at the source, i.e. use a unique randomized ID as the key instead of someone's name/SSN. Then the medical provider would store the UID->name mapping in a separate, easily secured (and ideally air-gapped) system, for the few times it was necessary to use.
> ...use a unique randomized ID as the key...
33 bits is all that are required to individually identify any person on Earth.
If you'd like to extend that to the 420 billion or so who've lived since 1800, that extends to 39 bits, still a trivially small amount.
Every bit[1] of leaked data bisects that set in half, and simply anonymising IDs does virtually nothing of itself to obscure identity. Such critical medical and billing data as date of birth and postal code are themselves sufficient to narrow things down remarkably, let alone a specific set of diagnoses, procedures, providers, and medications. Much as browser fingerprints are often unique or nearly so without any universal identifier so are medical histories.
I'm personally aware of diagnostic and procedure codes being used to identify "anonymised" patients across multiple datasets dating to the early 1990s, and of research into de-anonymisation in Australia as of the mid-to-late 1990s. Australia publishes anonymisation and privacy guidelines, e.g.:
"Data De‑identification in Australia: Essential Compliance Guide"
<https://sprintlaw.com.au/articles/data-de-identification-in-...>
"De-identification and the Privacy Act" (2018)
<https://www.oaic.gov.au/privacy/privacy-guidance-for-organis...>
It's not merely sufficient to substitute an alternative primary key, but also to fuzz data, including birthdates, addresses, diagnostic and procedure codes, treatment dates, etc., etc., all of which both reduces clinical value of the data and is difficult to do sufficiently.
________________________________
Notes:
1. In the "binary digit" sense, not in the colloquial "small increment" sense.
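The bits-of-entropy argument above, and the point that swapping the primary key for a random UID leaves the quasi-identifiers intact, can be checked on a small dataset. The following is an added example, not code from anyone in this thread: the records are constructed, the UIDs are made up, and the `generalize` step (birth decade, two-digit postcode prefix, ICD chapter letter) is one assumed fuzzing choice, not a recommendation from the Australian guidance linked above. It measures k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values) and the bits of identity a single record discloses.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Sequence

Record = Dict[str, str]


def bits_to_identify(population: int) -> int:
    """Smallest number of binary digits that can give every member of a
    population a distinct label: ceil(log2 N). 8 billion people -> 33 bits."""
    return math.ceil(math.log2(population))


def surprisal_bits(fraction_matching: float) -> float:
    """Identifying information, in bits, carried by an attribute value that
    `fraction_matching` of the population shares: -log2(p). A value that
    splits the population in half reveals exactly one bit."""
    return -math.log2(fraction_matching)


# Constructed sample records (not real patients). Names/SSNs are already
# replaced by random UIDs, i.e. the pseudonymisation proposed upthread;
# the remaining fields are left exactly as a billing system would hold them.
RECORDS: List[Record] = [
    {"uid": "a1f3", "dob": "1961-03-14", "postcode": "3000", "dx": "E11.9"},
    {"uid": "b7c0", "dob": "1961-03-14", "postcode": "3000", "dx": "I10"},
    {"uid": "c9d2", "dob": "1975-08-02", "postcode": "3051", "dx": "J45.9"},
    {"uid": "d4e8", "dob": "1975-08-02", "postcode": "3052", "dx": "J45.9"},
    {"uid": "e2a5", "dob": "1988-11-30", "postcode": "3000", "dx": "E11.9"},
    {"uid": "f6b1", "dob": "1988-11-30", "postcode": "3000", "dx": "E11.9"},
    {"uid": "0a9c", "dob": "1952-01-09", "postcode": "2000", "dx": "I10"},
    {"uid": "1b8d", "dob": "1958-06-21", "postcode": "2010", "dx": "J45.9"},
]


def equivalence_classes(records: Iterable[Record], quasi_identifiers: Sequence[str]) -> Counter:
    """Group records by the combination of quasi-identifier values they share.
    Each class is the set of people a leaked record could belong to."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: List[Record], quasi_identifiers: Sequence[str]) -> int:
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on these attributes, random UID or not."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def unique_fraction(records: List[Record], quasi_identifiers: Sequence[str]) -> float:
    """Share of records that are alone in their class, i.e. re-identifiable by
    anyone who can link these attributes back to a person."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def identifying_bits(records: List[Record], quasi_identifiers: Sequence[str], record: Record) -> float:
    """Bits of identity one record's quasi-identifiers disclose within this
    dataset: log2(N / class size). Equals bits_to_identify(N) when unique."""
    classes = equivalence_classes(records, quasi_identifiers)
    key = tuple(record[q] for q in quasi_identifiers)
    return math.log2(len(records) / classes[key])


def generalize(record: Record) -> Record:
    """One crude fuzzing step (an assumption of this example): birth decade
    instead of full date, 2-digit postcode prefix, ICD chapter letter only."""
    return {
        "uid": record["uid"],
        "dob": record["dob"][:3],
        "postcode": record["postcode"][:2],
        "dx": record["dx"][:1],
    }


if __name__ == "__main__":
    print("bits to label 8e9 people:", bits_to_identify(8_000_000_000))
    print("bits to label 4.2e11 people:", bits_to_identify(420_000_000_000))
    qi = ("dob", "postcode")
    print("k on dob+postcode:", k_anonymity(RECORDS, qi),
          "unique fraction:", unique_fraction(RECORDS, qi))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalisation:", k_anonymity(coarse, qi))
    print("k with diagnosis chapter added:", k_anonymity(coarse, qi + ("dx",)))
```

On the constructed data, half the pseudonymised records are unique on date of birth plus postcode alone, and three quarters once the diagnosis code is included; the single fuzzing step raises k to 2 on birth decade plus postcode prefix, and adding even the ICD chapter drops it straight back to 1. That is the trade-off the comment describes: every attribute left precise enough to be clinically useful is also a few more bits toward the 33 needed.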
What a silly idea. That would completely prevent federally mandated interoperability APIs from working. While privacy breaches are obviously a problem, most consumers don't want care quality and coordination harmed just for the sake of a minor security improvement.
https://www.cms.gov/priorities/burden-reduction/overview/int...