Zhou Tian-shu,Li Peng-fei,Li Jing-song

DOI: https://doi.org/10.2991/ccis-13.2013.56

2013-01-01

Abstract:Since the health information exchange (HIE) becomes more and more important and numerous systems have been implemented among medical institutions and regions, there also grows the concern of data security and privacy protection. In the prior work, we have designed and developed an international clinical data exchange system named Global Dolphin, technically achieving the goal of health information exchange between China and Japan. However, to put the system into practical use, we have to take the different privacy protection rules into account. In the clinical data exchange implementation, we tried to conform to the stricter privacy protection standards and designed a protected health information (PHI) de-identification system to keep the personal information secure from third parties. Since China and Japan do not yet have detailed rules and guidelines such as the safe harbor method in Health Insurance Portability and Accountability Act (HIPAA), thus we have referenced some of the HIPAA rules and guidelines about PHI, and used a dictionary and regular expressions pattern matching de-identification means to protect personal privacy.

Doyel Pal,Tingting Chen,Sheng Zhong,Praveen Khethavath

DOI: https://doi.org/10.2196/medinform.3090

IF: 3.2

2014-01-01

JMIR Medical Informatics

Abstract:BACKGROUND:Linking medical records across different medical service providers is important to the enhancement of health care quality and public health surveillance. In records linkage, protecting the patients' privacy is a primary requirement. In real-world health care databases, records may well contain errors due to various reasons such as typos. Linking the error-prone data and preserving data privacy at the same time are very difficult. Existing privacy preserving solutions for this problem are only restricted to textual data.OBJECTIVE:To enable different medical service providers to link their error-prone data in a private way, our aim was to provide a holistic solution by designing and developing a medical record linkage system for medical service providers.METHODS:To initiate a record linkage, one provider selects one of its collaborators in the Connection Management Module, chooses some attributes of the database to be matched, and establishes the connection with the collaborator after the negotiation. In the Data Matching Module, for error-free data, our solution offered two different choices for cryptographic schemes. For error-prone numerical data, we proposed a newly designed privacy preserving linking algorithm named the Error-Tolerant Linking Algorithm, that allows the error-prone data to be correctly matched if the distance between the two records is below a threshold.RESULTS:We designed and developed a comprehensive and user-friendly software system that provides privacy preserving record linkage functions for medical service providers, which meets the regulation of Health Insurance Portability and Accountability Act. It does not require a third party and it is secure in that neither entity can learn the records in the other's database. Moreover, our novel Error-Tolerant Linking Algorithm implemented in this software can work well with error-prone numerical data. We theoretically proved the correctness and security of our Error-Tolerant Linking Algorithm. We have also fully implemented the software. The experimental results showed that it is reliable and efficient. The design of our software is open so that the existing textual matching methods can be easily integrated into the system.CONCLUSIONS:Designing algorithms to enable medical records linkage for error-prone numerical data and protect data privacy at the same time is difficult. Our proposed solution does not need a trusted third party and is secure in that in the linking process, neither entity can learn the records in the other's database.

Jiang Bian,Alexander Loiacono,Andrei Sura,Tonatiuh Mendoza Viramontes,Gloria Lipori,Yi Guo,Elizabeth Shenkman,William Hogan

DOI: https://doi.org/10.1093/jamiaopen/ooz050

2019-01-01

JAMIA Open

Abstract:Objective: To implement an open-source tool that performs deterministic privacy-preserving record linkage (RL) in a real-world setting within a large research network. Materials and Methods: We learned 2 efficient deterministic linkage rules using publicly available voter registration data. We then validated the 2 rules' performance with 2 manually curated gold-standard datasets linking electronic health records and claims data from 2 sources. We developed an open-source Python-based tool-OneFL Deduper-that (1) creates seeded hash codes of combinations of patients' quasi-identifiers using a cryptographic one-way hash function to achieve privacy protection and (2) links and deduplicates patient records using a central broker through matching of hash codes with a high precision and reasonable recall. Results: We deployed the OneFl Deduper (https://github.com/ufbmi/onefl-deduper) in the OneFlorida, a state-based clinical research network as part of the national Patient-Centered Clinical Research Network (PCORnet). Using the gold-standard datasets, we achieved a precision of 97.25 similar to 99.7% and a recall of 75.5%. With the tool, we deduplicated similar to 3.5 million (out of similar to 15 million) records down to 1.7 million unique patients across 6 health care partners and the Florida Medicaid program. We demonstrated the benefits of RL through examining different disease profiles of the linked cohorts. Conclusions: Many factors including privacy risk considerations, policies and regulations, data availability and quality, and computing resources, can impact how a RL solution is constructed in a real-world setting. Nevertheless, RL is a significant task in improving the data quality in a network so that we can draw reliable scientific discoveries from these massive data resources.

Alisia Southwell,Susan Bronskill,Tom Gee,Brendan Behan,Susan Gilbert Evans,Tom Mikkelsen,Elizabeth Theriault,Kirk Nylen,Shannon Lefaivre,Nelson Chong,Mahmoud Azimaee,Natasa Tusevljak,Doug Lee,Richard H Swartz

DOI: https://doi.org/10.23889/ijpds.v7i4.1755

2022-11-22

Abstract:Introduction: Research data combined with administrative data provides a robust resource capable of answering unique research questions. However, in cases where personal health data are encrypted, due to ethics requirements or institutional restrictions, traditional methods of deterministic and probabilistic record linkages are not feasible. Instead, privacy-preserving record linkages must be used to protect patients' personal data during data linkage. Objectives: To determine the feasibility and validity of a deterministic privacy preserving data linkage protocol using homomorphically encrypted data. Methods: Feasibility was measured by the number of records that successfully matched via direct identifiers. Validity was measured by the number of records that matched with multiple indirect identifiers. The threshold for feasibility and validity were both set at 95%. The datasets shared a single, direct identifier (health card number) and multiple indirect identifiers (sex and date of birth). Direct identifiers were encrypted in both datasets and then transferred to a third-party server capable of linking the encrypted identifiers without decrypting individual records. Once linked, the study team used indirect identifiers to verify the accuracy of the linkage in the final dataset. Results: With a combination of manual and automated data transfer in a sample of 8,128 individuals, the privacy-preserving data linkage took 36 days to match to a population sample of over 3.2 million records. 99.9% of the records were successfully matched with direct identifiers, and 99.8% successfully matched with multiple indirect identifiers. We deemed the linkage both feasible and valid. Conclusions: As combining administrative and research data becomes increasingly common, it is imperative to understand options for linking data when direct linkage is not feasible. The current linkage process ensured the privacy and security of patient data and improved data quality. While the initial implementations required significant computational and human resources, increased automation keeps the requirements within feasible bounds.

Shumin Han,Derong Shen,Tiezheng Nie,Yue Kou,Ge Yu

DOI: https://doi.org/10.3233/jifs-191064

2020-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Matching similar records from different databases to prevent duplication in a private manner has attracted plenty of attention, which is referred to as Private Entity Matching (PEM). In spite of various approaches having been proposed to solve this problem, private linking numerical data such as integer (e.g. age), floating point (e.g. body mass index) from multiple databases is an urgent gap, which is commonly required in health domain, statistical departments and more. Hence, this paper targets at solving the problem of linking numerical data from three or more sources in an efficient and secure way. Firstly, we introduce a novel homomorphic encryption method constrained similar modul, which provides strong privacy to encrypt numerical data in the range of real numbers. Then, to avoid frequent decryptions in the homomorphic encryption schema, we draw an inference about the encryption keys. Finally, an accelerated algorithm is proposed to reduce the complexity of multi-party numerical records matching. Our approach is considered absolute safety that no party learns any sensitive information of the others in the absence of collusion. Experiments on two real-world health information databases of patient records validate our approach with regards to the efficiency improvement and at the same time, at no the sacrifice of linkage quality.

Chaoyi Pang,Lifang Gu,David Hansen,Anthony Maeder

DOI: https://doi.org/10.1007/978-3-642-00179-6_5

2009-01-01

Abstract:In this paper we address the problem of matching data from different databases using a third party, where the actual data can not be disclosed. The aim is to provide a mechanism for improved matching results across databases while preserving the privacy of sensitive information in those databases. This is particularly relevant with health related databases, where bringing data about patients together from multiple databases allows for important medical research, but the sensitive nature of the data requires that identifying information never be disclosed.The method described uses a public reference table to provide a way for matching people's names in different databases without requiring identifying information to be revealed to any party outside the originating data source. An advantage of our algorithm is that it provides a mechanism for dealing with typographical or other errors in the data.The key features of our proposed approach are: (1) original private data from individual custodians are never revealed to any other party because data comparison is performed at individual custodians and only comparison results, which are data in the reference table, are sent; (2) the third party performs the match based on encrypted values in the public reference table and some distance information. Experimental results show that our proposed method performs fuzzy matching (similarity join) at an accuracy comparable to that of conventional fuzzy matching algorithms without revealing any identifying information.

Sirintra Vaiwsri,Thilina Ranbaduge,Peter Christen

DOI: https://doi.org/10.1016/j.jisa.2024.103712

IF: 4.96

2024-01-27

Journal of Information Security and Applications

Abstract:Accurate and secure string matching in record linkage is increasingly important in application domains such as bioinformatics, healthcare, and crime detection. Most existing privacy-preserving string matching techniques provide an overall similarity between a pair of strings. As a result, these techniques cannot identify the longest common sub-string between the strings in a pair leading to lower linkage quality, while existing techniques that can identify the longest common sub-string from a pair of strings have long runtimes. While blocking techniques that can be used in the record linkage pipeline improve the time complexity, each string is generally inserted into several blocks making it vulnerable to frequency based attacks. In this paper, we propose two encryption-based approaches to improve the effectiveness and efficiency of string matching in record linkage. Our approaches compare strings based on their lengths of sub-strings. In the first approach, we encrypt the sub-string lengths into individual ciphertexts and compare a pair of ciphertexts based on the corresponding sub-string. In the second approach, we encrypt multiple lengths of sub-strings into a single ciphertext that allows efficient comparison of ciphertexts. We evaluate our approaches on real-world datasets and validate the accuracy, complexity, and privacy compared to four baselines, showing that our approaches outperform all baselines in terms of complexity and privacy while providing higher linkage quality than a standard privacy-preserving record linkage technique.

computer science, information systems

Max Ostermann,Igor Nesterow,Markus Wolfien

DOI: https://doi.org/10.3233/SHTI240340

2024-08-22

Abstract:Over the last decade, the exponential growth in patient data volume and velocity has transformed it into a valuable resource for researchers. Yet, accessing comprehensive, unique patient data sets remains a challenge, particularly when individuals have received treatments across various practices and hospitals. Traditional record linkage methods fall short in adequately protecting patient privacy in these scenarios. Privacy Preserving Record Linkage (PPRL) offers a solution, employing techniques such as data cryptographic methods to identify common patients occurring in multiple datasets, while maintaining the privacy of other patients. This paper proposes an investigation into combined approaches of two common German PPRL tools, namely E-PIX and MainSEL. Each tool, while aiming for 'privacy preservation', employs distinct methods that offer unique advantages and drawbacks. Our research aims to explore these in a combined approach to leverage their respective strengths and mitigate their limitations. We anticipate that this synergistic approach will not only enhance data privacy but also allow for easier synchronisation of research data. This study is particularly pertinent in light of evolving privacy regulations and the increasing complexity of healthcare data management. By advancing PPRL methodologies, we aim to contribute to more robust, privacy-compliant data analysis practices in healthcare research.

S J Clark,M Halter,A Porter,H C Smith,M Brand,R Fothergill,S J Lindridge,M McTigue,H Snooks

DOI: https://doi.org/10.23889/ijpds.v4i1.1104

2019-08-05

Abstract:Introduction: Routine linkage of emergency ambulance records with those from the emergency department is uncommon in the UK. Our study, known as the Pre-Hospital Emergency Department Data Linking Project (PHED Data), aimed to link records of all patients conveyed by a single emergency ambulance service to thirteen emergency departments in the UK from 2012-2016. Objectives: We aimed to examine the feasibility and resource requirements of collecting de-identified emergency department patient record data and, using a deterministic matching algorithm, linking it to ambulance service data. Methods: We used a learning log to record contacts and activities undertaken by the research team to achieve data linkage. We also conducted semi-structured interviews with information management/governance staff involved in the process. Results: We found that five steps were required for successful data linkage for each hospital trust. The total time taken to achieve linkage was a mean of 65 weeks. A total of 958,057 emergency department records were obtained and, of these, 81% were linked to a corresponding ambulance record. The match rate varied between hospital trusts (50%-94%). Staff expressed strong enthusiasm for data linkage. Barriers to successful linkage were mainly due to inconsistencies between and within acute trusts in the recording of two ambulance event identifiers (CAD and call sign). Further data cleaning was required on emergency department fields before full analysis could be conducted. Ensuring the data was not re-identifiable limited validation of the matching method. Conclusion: We conclude that deterministic record linkage based on the combination of two event identifiers (CAD and call sign) is possible. There is an appetite for data linkage in healthcare organisations but it is a slow process. Developments in standardising the recording of emergency department data are likely to improve the quality of the resultant linked dataset. This would further increase its value for providing evidence to support improvements in health care delivery. Highlights: Ambulance records are rarely linked to other datasets; this study looks at the feasibility and resource requirement to use deterministic matching to link ambulance and emergency department data for patients conveyed by ambulance to the emergency department.It is possible to link these data, with an average match rate of 81% across 13 emergency departments and one large ambulance trust.All trusts approached provided match-able data and there was an appetite for data linkage; however, it was a long process taking an average of 65 weeks.We conclude that deterministic matching using no patient identifiers can be used in this setting.

Sean Randall,Adrian Brown,Anna Ferrante,James Boyd,Suzanne Robinson

DOI: https://doi.org/10.1016/j.ijmedinf.2024.105582

2024-07-31

Abstract:Objective: To describe the use of privacy preserving linkage methods operationally in Australia, and to present insights and key learnings from their implementation. Methods: Privacy preserving record linkage (PPRL) utilising Bloom filters provides a unique practical mechanism that allows linkage to occur without the release of personally identifiable information (PII), while still ensuring high accuracy. Results: The methodology has received wide uptake within Australia, with four state linkage units with privacy preserving capability. It has enabled access to general practice and private pathology data amongst other, both much sought after datasets previous inaccessible for linkage. Conclusion: The Australian experience suggests privacy preserving linkage is a practical solution for improving data access for policy, planning and population health research. It is hoped interest in this methodology internationally continues to grow.

Hye-Chung Kum,Ashok Krishnamurthy,Ashwin Machanavajjhala,Michael K Reiter,Stanley Ahalt

DOI: https://doi.org/10.1136/amiajnl-2013-002165

Abstract:Objective: Record linkage to integrate uncoordinated databases is critical in biomedical research using Big Data. Balancing privacy protection against the need for high quality record linkage requires a human-machine hybrid system to safely manage uncertainty in the ever changing streams of chaotic Big Data. Methods: In the computer science literature, private record linkage is the most published area. It investigates how to apply a known linkage function safely when linking two tables. However, in practice, the linkage function is rarely known. Thus, there are many data linkage centers whose main role is to be the trusted third party to determine the linkage function manually and link data for research via a master population list for a designated region. Recently, a more flexible computerized third-party linkage platform, Secure Decoupled Linkage (SDLink), has been proposed based on: (1) decoupling data via encryption, (2) obfuscation via chaffing (adding fake data) and universe manipulation; and (3) minimum information disclosure via recoding. Results: We synthesize this literature to formalize a new framework for privacy preserving interactive record linkage (PPIRL) with tractable privacy and utility properties and then analyze the literature using this framework. Conclusions: Human-based third-party linkage centers for privacy preserving record linkage are the accepted norm internationally. We find that a computer-based third-party platform that can precisely control the information disclosed at the micro level and allow frequent human interaction during the linkage process, is an effective human-machine hybrid system that significantly improves on the linkage center model both in terms of privacy and utility.

Han Shumin,Shen Derong,Nie Tiezheng,Kou Yue,Yu Ge

DOI: https://doi.org/10.1007/s10586-022-03590-7

2022-01-01

Cluster Computing

Abstract:For the purpose of research, organizations often need to share and link data that belongs to a single individual while protecting the privacy, which is referred to as privacy preserving record linkage (PPRL). Various approaches have been developed to tackle this problem, however, it is still a challenging task due to the massive amount of data, multiple data sources, and ‘dirty’ data. Therefore, in this paper, an enhanced approximate multi-party PPRL (MP-PPRL) approach is proposed to improve privacy, scalability, and linkage quality. For privacy, bloom filter (BF) is a better and more efficient masking techniques than others so far. Thus, the records are encoded into BFs to ensure privacy. However, BFs may be compromised through frequency-based attacks. To enhance privacy, a distributed protocol that introduces multiple linkage units (Multi-LUs) to resist frequency-based attacks is proposed. In scalability, we develop a blocking technique based on sorted nearest neighborhood (SNN) approach for clustering similar BFs across multiple databases, called BF-SNN, which dramatically reduces complexity. In linkage quality, a personalized threshold that varies with different levels of ‘dirty’ data is introduced, which provides a more accurate error-tolerance for ‘dirty’ data and consequently improves linkage quality. An analysis and an empirical study are conducted on large real-world datasets to show the benefit of the proposed approach.

Jiawei Yuan,Bradley Malin,Francois Modave,Yi Guo,William R. Hogan,Elizabeth Shenkman,Jiang Bian

DOI: https://doi.org/10.1016/j.jbi.2016.12.008

IF: 8

2017-01-01

Journal of Biomedical Informatics

Abstract:Background: The last few years have witnessed an increasing number of clinical research networks (CRNs) focused on building large collections of data from electronic health records (EHRs), claims, and patient-reported outcomes (PROs). Many of these CRNs provide a service for the discovery of research cohorts with various health conditions, which is especially useful for rare diseases.Background: Supporting patient privacy can enhance the scalability and efficiency of such processes; however, current practice mainly relies on policy, such as guidelines defined in the Health Insurance Portability and Accountability Act (HIPAA), which are insufficient for CRNs (e.g., HIPAA does not require encryption of data which can mitigate insider threats). By combining policy with privacy enhancing technologies we can enhance the trustworthiness of CRNs. The goal of this research is to determine if searchable encryption can instill privacy in CRNs without sacrificing their usability.Methods: We developed a technique, implemented in working software to enable privacy-preserving cohort discovery (PPCD) services in large distributed CRNs based on elliptic curve cryptography (ECC). This technique also incorporates a block indexing strategy to improve the performance (in terms of computational running time) of PPCD. We evaluated the PPCD service with three real cohort definitions: (1) elderly cervical cancer patients who underwent radical hysterectomy, (2) oropharyngeal and tongue cancer patients who underwent robotic transoral surgery, and (3) female breast cancer patients who underwent mastectomy) with varied query complexity. These definitions were tested in an encrypted database of 7.1 million records derived from the publically available Healthcare Cost and Utilization Project (HCUP) Nationwide Inpatient Sample (NIS). We assessed the performance of the PPCD service in terms of (1) accuracy in cohort discovery, (2) computational running time, and (3) privacy. afforded to the underlying records during PPCD.Results: The empirical results indicate that the proposed PPCD can execute cohort discovery queries in a reasonable amount of time, with query runtime in the range of 165-262 s for the 3 use cases, with zero compromise in accuracy. We further show that the search performance is practical because it supports a highly parallelized design for secure evaluation over encrypted records. Additionally, our security analysis shows that the proposed construction is resilient to standard adversaries.Conclusions: PPCD services can be designed for clinical research networks. The security construction presented in this work specifically achieves high privacy guarantees by preventing both threats originating from within and beyond the network. (C) 2016 Elsevier Inc. All rights reserved.

N. IJzerman,P. Lin,M. IJzerman,U. Aickelin

DOI: https://doi.org/10.1016/j.jval.2020.04.1206

IF: 5.156

2020-01-01

Value in Health

Abstract:The use of administrative and claims data for health outcomes research has greatly increased in recent years. In many studies, however, multiple data sources are required to be linked, known as record linkage. Multiple methods for record linkage have been developed and tested, mostly using probabilistic (PRL) and deterministic linkage (DRL). Both DRL and PRL use attribute (e.g. name, year, ID) information to link records. This simulation study evaluates if the use of structural information, that is being obtained by representing records as nodes in network graphs using REGAL (REpresentation learning-based Graph ALignment), is useful in record linkage when attributes are largely missing or messy. The simulation study is performed using Python software with Jellyfish library add-on. Data used to simulate different scenarios was obtained from two publicly available set of academic publications with 2,294 and 2,616 records obtained from the Leipzig Database Group. Simulated scenarios were based on the change in accuracy following including attribute information on top of the graphical information from the REGAL algorithm. % accuracy was calculated as the ratio between the true positive linkages to the total number of linkages. By using structural information alone, the accuracy ranged from 2% to 39%. By adding attribute information on top of structural information, the accuracy increased to 63%. Generally, combined use of structural and attribute information was able to return a higher % of accurate linkages. Revising and adjusting the network alignment algorithm could account for more accurate linkages. It is concluded that adding attribute information on top of structural information increases accuracy of record linkage. There is room to further improve the alignment process, in particular to improve the accuracy for node pairs that have differences in connectedness across graphs. The implications of these findings for health outcomes research will be discussed.

M G Arellano,G I Weber

Abstract:Historically, the health information systems community has viewed linking personal records as a mundane task. The oversimplified view that routine database manipulation can accurately identify multiple records for a single individual is erroneous, an assumption based on a misperception of the quality of the underlying data. Such data have been adversely affected by the evolution of individual facility patient indexes from multiple systems and the results of backload procedures, and the lack of focus on the need for data integrity by users of the automated systems. Much of the random, invalid data we identify on a daily basis is directly associated with the need for system users to place data in the patient record while they face the situation of having no obvious data field in which to place them. Combined with an underlying lack of standards for the collection of personal identification information, this results in pure chaos when reviewing an MPI file containing a million records at the start of a linkage evaluation project. We have documented the considerable effort that must therefore be made in standardizing the MPI files using stringent analytical procedures and applying common edit routines before commencing record linkage. This preprocessing effort must then be supplemented with sophisticated matching procedures that can handle the dual challenge of minimizing false negatives (the failure to identify true linkages) and false positives (the incorrect linking of records that do not represent the same person). The identification of pairs of linked records does not, however, complete an EPI loading. Because it is fairly common for a multiple facility linkage evaluation to identify more than two medical record numbers for the same patient, and the primary goal of an EPI is to assign a unique identifier for the patient which will link that patient's multiple files, it becomes necessary to develop a means of readily associating three or more records for the same patient. One approach we have used with great success is to assign a common, sequential identification number to all linked medical record numbers for the same patient regardless of facility. The assignment of linkage identification numbers is computer-intensive and is generally accomplished with a highly iterative process. Both system memory and hard disk resources are fully tested as the number of good linkages in an overlap evaluation reaches the half-million mark or greater. Because the primary linkage analysis goal is to develop linkages on pairs of records, with confidence levels based on the comparison of information for those two records, thresholds must be set to decide which linkages should be accepted as true without any human evaluation. If the threshold is set too low, the defined linkage groups may incorrectly join the medical record numbers for different persons. But if the threshold is set too high, there will be undesired duplication of persons in the enterprise system. As in the identification of the underlying linkage pairs, the development of a confidence measure greatly facilitates the assignment of the unique identification numbers needed in the EPI implementation.

Umberto Tachinardi,Shaun J Grannis,Sam G Michael,Leonie Misquitta,Jayme Dahlin,Usman Sheikh,Abel Kho,Jasmin Phua,Sara S Rogovin,Benjamin Amor,Maya Choudhury,Philip Sparks,Amin Mannaa,Saad Ljazouli,Joel Saltz,Fred Prior,Ahmen Baghal,Kenneth Gersing,Peter J Embi

DOI: https://doi.org/10.1002/lrh2.10404

2024-01-11

Abstract:Introduction: Research driven by real-world clinical data is increasingly vital to enabling learning health systems, but integrating such data from across disparate health systems is challenging. As part of the NCATS National COVID Cohort Collaborative (N3C), the N3C Data Enclave was established as a centralized repository of deidentified and harmonized COVID-19 patient data from institutions across the US. However, making this data most useful for research requires linking it with information such as mortality data, images, and viral variants. The objective of this project was to establish privacy-preserving record linkage (PPRL) methods to ensure that patient-level EHR data remains secure and private when governance-approved linkages with other datasets occur. Methods: Separate agreements and approval processes govern N3C data contribution and data access. The Linkage Honest Broker (LHB), an independent neutral party (the Regenstrief Institute), ensures data linkages are robust and secure by adding an extra layer of separation between protected health information and clinical data. The LHB's PPRL methods (including algorithms, processes, and governance) match patient records using "deidentified tokens," which are hashed combinations of identifier fields that define a match across data repositories without using patients' clear-text identifiers. Results: These methods enable three linkage functions: Deduplication, Linking Multiple Datasets, and Cohort Discovery. To date, two external repositories have been cross-linked. As of March 1, 2023, 43 sites have signed the LHB Agreement; 35 sites have sent tokens generated for 9 528 998 patients. In this initial cohort, the LHB identified 135 037 matches and 68 596 duplicates. Conclusion: This large-scale linkage study using deidentified datasets of varying characteristics established secure methods for protecting the privacy of N3C patient data when linked for research purposes. This technology has potential for use with registries for other diseases and conditions.

Elise H Lawson,Clifford Y Ko,Rachel Louie,Lein Han,Michael Rapp,David S Zingmond

DOI: https://doi.org/10.1016/j.surg.2012.08.065

IF: 4.348

Surgery

Abstract:Background: A variety of data sources are available for measuring the quality of health care. Linking records from different sources can create unique and powerful databases that can be used to evaluate clinically relevant questions and direct health care policy. The objective of this study was to develop and validate a deterministic linkage algorithm that uses indirect patient identifiers to reliably match records from a surgical clinical registry with Medicare inpatient claims data. Methods: Patient records from the American College of Surgeons National Surgical Quality Improvement Program (ACS-NSQIP), years 2005-2008, were linked to claims data in the Medicare Provider Analysis and Review file (MedPAR) by the use of a deterministic linkage algorithm and the following indirect patient identifiers: hospital, age, sex, diagnosis, procedure and dates of admission, discharge, and procedure. We validated the linkage procedure by systematically reviewing subsets of matched and unmatched records and by determining agreement on patient-level coding of inpatient mortality. Results: Of the 150,454 records in ACS-NSQIP eligible for matching, 80.5% were linked to a MedPAR record. This percentage is within the expected match range given the estimated percentage of ACS-NSQIP patients likely to be Medicare beneficiaries. Systematic checks revealed no evidence of bias in the linkage procedure and there was excellent agreement on patient-level coding of mortality (kappa 0.969). The final linked database contained 121,070 patient records from 217 hospitals. Conclusion: This study demonstrates the feasibility and validity of a method for linking 2 data sources without direct personal identifiers. As clinical registries and other data sources continue to proliferate, linkage algorithms such as described here will be critical for quality measurement purposes.

Zigang Wu,Haijiang Wang,Jian Wan,Lei Zhang,Jie Huang

DOI: https://doi.org/10.1109/access.2024.3400611

IF: 3.9

2024-05-22

IEEE Access

Abstract:Searchable encryption is widely used in electronic health record systems because it enables users to search ciphertext data without decryption. However, the existing traditional searchable encryption schemes lack fine-grained access policies with wildcards in electronic health record systems. And they also do not consider the problem of hiding policies, as well as the problem of incomplete search results caused by cloud servers. In order to solve all the above problems, this paper proposes a blockchain-aided attribute-based searchable scheme with the properties of inner product predicate. In the proposed scheme, the attribute encryption mechanism implements fine-grained access policies with wildcards, which improves the data owner's ability to control access authorization precisely. Introducing the inner product predicate not only achieves fully hidden access policies but also prevents the leakage of sensitive medical data. The immutability of the blockchain ensures the integrity of multi-keyword search results, guaranteeing reliable data sharing. Finally, the security proof and the performance evaluation are conducted to confirm the security and effectiveness of the proposed scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lucila Ohno-Machado,Xiaoqian Jiang,Tsung-Ting Kuo,Shiqiang Tao,Luyao Chen,Guo-Qiang Zhang,Hua Xu,Pritham M. Ram

DOI: https://doi.org/10.1016/j.jbi.2023.104322

IF: 8

2023-03-01

Journal of Biomedical Informatics

Abstract:Linking data across studies offers an opportunity to enrich data sets and provide a stronger basis for data-driven models for biomedical discovery and/or prognostication. Several techniques to link records have been proposed, and some have been implemented across data repositories holding molecular and clinical data. Not all these techniques guarantee appropriate privacy protection; there are trade-offs between (a) simple strategies that can be associated with data that will be linked and shared with any party and (b) more complex strategies that preserve the privacy of individuals across parties. We propose an intermediary, practical strategy to support linkage in studies that share de-identified data with Data Coordinating Centers. This technology can be extended to link data across multiple data hubs to support privacy preserving record linkage, considering data coordination centers and their awardees, which can be extended to a hierarchy of entities (e.g., awardees, data coordination centers, data hubs, etc.) b.

medical informatics,computer science, interdisciplinary applications

Shumin Han,Derong Shen,Tiezheng Nie,Yue Kou,Ge Yu

DOI: https://doi.org/10.1007/s41019-017-0041-5

2017-01-01

Data Science and Engineering

Abstract:The process of matching and integrating records that relate to the same entity from one or more datasets is known as record linkage, and it has become an increasingly important subject in many application areas, including business, government and health system. The data from these areas often contain sensitive information. To prevent privacy breaches, ideally records should be linked in a private way such that no information other than the matching result is leaked in the process, and this technique is called privacy-preserving record linkage (PPRL). With the increasing data, scalability becomes the main challenge of PPRL, and many private blocking techniques have been developed for PPRL. They are aimed at reducing the number of record pairs to be compared in the matching process by removing obvious non-matching pairs without compromising privacy. However, most of them are designed for two databases and they vary widely in their ability to balance competing goals of accuracy, efficiency and security. In this paper, we propose a novel private blocking approach for PPRL based on dynamic k-anonymous blocking and Paillier cryptosystem which can be applied on two or multiple databases. In dynamic k-anonymous blocking, our approach dynamically generates blocks satisfying k-anonymity and more accurate values to represent the blocks with varying k. We also propose a novel similarity measure method which performs on the numerical attributes and combines with Paillier cryptosystem to measure the similarity of two or more blocks in security, which provides strong privacy guarantees that none information reveals even collusion. Experiments conducted on a public dataset of voter registration records validate that our approach is scalable to large databases and keeps a high quality of blocking. We compare our method with other techniques and demonstrate the increases in security and accuracy.