wordpress blog stats
Connect with us

Hi, what are you looking for?

Personal Health Identifiers and the anonymization of health data: Notes from SFLC round-table on IT in Healthcare

MediaNama attended a round-table discussion on April 27th by SFLC.in on policy enabling Information Technology in healthcare. The round-table aimed to discuss questions around current and future regulation, the effect of government policy and technical aspects of providing healthcare using IT. Below are the main points made during the discussion. Quotes are paraphrased and not verbatim, they are unattributed since the discussion was held under Chatham House Rule.

Treatment of personal health identifiers

  • Personal health identifier: Anything that makes a person identifiable and pinpoints who the person is can be their Personal Health Identifier, this includes name, gender, house number. I suspect how much of anonymized data is actually anonymous. Hospitals today take blanket consent without the patient having specific understanding of what his/her consent means. What’s the consent taken if you have an Apple Watch which is collecting your real-time ECG data. We need to ask whether consent for use and collection of that data is taken, especially considering that it isn’t patient data but simply consumer data.
  • There are 18 PHIs under US federal law Health Insurance Portability and Accountability Act, 1996 (HIPAA), including credit card number, phone number, social security number, registration card. Anything that identifies me – including as date-of-birth, or date-of-birth associated with another ID – is a PHI, which then needs to be deidentified. In India, this would include Aadhaar number.
  • Personal Health Identifier needs to be anonymised or masked; and consent is required for transferring this data between parties. For example, if I’m looking at an American’s data sitting in India, the data will have to be anonymised or masked.

Anonymization of Health Data

  • The DISHA bill lays down a legal framework for exchange of medical information and records, and talks about a National Health Authority to do this. It says that the government can get access only to anonymized data.
  • Under current US laws, you can send health data to people who are authorized to view the data, who are on the staff of the hospital, and can be sent across the globe. But, when you send data belonging to certain categories of US citizens or certain entities, the doctor who is accessing the data has to be on US soil.Today it’s very easy to carry out on-the-fly anonymization and de-anonymization. There are countries which require that the data needs to be completely anonymized before it leaves the soil of that country, it comes to India, gets read, goes back into that server in the origin country, gets de-anonymized, and reaches the patient there.
  • Personally identifiable data may or may not be required for study or for data analytics purposes, what’s required is the health indicators of the individual, then the demographics, after which data can be analyzed to see trends, which may say there is so-and-so deficiency in this particular area. A PHI is exclusive to a person and has to be anonymized, but in India I’m not sure how much this actually happens.
  • Absolute anonymization may not be feasible or serve everybody’s purpose. For instance, if a doctor needs to see the medical records of a patient for the last three years, the hospital may not have stored the data in a format which is easily anonymize-able. It might just be a pdf file lying somewhere in which case the idea of anonymization is pointless.
  • Anonymization is the safeguard because of which we are supposed to trust the system. There have been positions taken when the patient’s consent isn’t required if the data is anonymized. The building blocks of anonymization was built on this. Why are we belittling the concept of consent? I may want to tell people around me about my disease but that doesn’t mean that someone sitting across the globe can use my data for purposes I did not think of when I gave consent. Under current laws, if I consent to give my organs, but after my death my kith and kin decide to not give my organs and their decision will prevail.

Written By

I cover health, policy issues such as intermediary liability, data governance, internet shutdowns, and more. Hit me up for tips.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



India and US come to terms on how to deal with the equalisation levy in light of the impending Global Tax Deal.


Find out how people’s health data is understood to have value and who can benefit from that value.


The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ