What is the difference between anonymization and de-identification?

Anonymization is the process of removing identifying information, making re-identification impossible. De-identification, however, can allow re-identification if certain controls are in place. Under HIPAA, both anonymization and de-identification are acceptable for research or other scientific purposes. 

What is anonymization?

Anonymization is the process of removing all personally identifiable information (PII) from a dataset. Anonymization ensures that the individuals to whom the data originally pertained cannot be re-identified, even with advanced techniques or additional data. In other words, anonymization is designed to make the data truly anonymous.

Key features of anonymization

• Irreversibility: Once data is anonymized, it is impossible to re-identify the individuals from whom it was collected.
• Complete removal of identifiers: All direct and indirect identifiers, such as names, addresses, phone numbers, and even unique patterns like browsing history, are removed or transformed.
• Compliance with privacy regulations: Anonymized data is often exempt from certain privacy laws because it is no longer considered personal data.

Example

Consider a dataset containing patient information from a hospital. If this data is anonymized, all information that could identify a specific patient—such as name, date of birth, medical record number, or specific treatment details—would be removed or altered so that re-identification is impossible.

See also: HIPAA Compliant Email: The Definitive Guide

What is de-identification?

De-identification involves modifying personal data so that the individuals in the dataset are not readily identifiable. Unlike anonymization, de-identification does not guarantee that re-identification is impossible. Instead, it reduces the risk of re-identification to an acceptable level, often through techniques such as data masking, pseudonymization, or data aggregation. 

According to the Department of Health and Human Services (HHS), HIPAA’s Privacy Rule allows covered entities or business associates to create non-identifiable information by following the de-identification standard and implementation specifications.

Key features of de-identification

• Reversibility: While de-identified data does not immediately identify individuals, it may still be possible to re-identify them if certain controls or additional data are available.
• Retention of some identifiers: De-identified data might retain certain elements, such as pseudonyms or generalized demographic information, making re-identification feasible under specific circumstances.
• Regulatory considerations: De-identified data is still considered personal data under many privacy laws, meaning that organizations must protect it from unauthorized access or misuse.

Example

If the same hospital dataset is de-identified, patient names and medical record numbers might be replaced with pseudonyms, and specific treatment dates might be generalized to a broader time range. While the data is less identifiable, someone with access to additional information or sophisticated techniques might still be able to re-identify individual patients.

Related: How to de-identify protected health information for privacy

Why the distinction matters

The distinction between anonymization and de-identification is not just academic; it has practical implications for data privacy and security. Anonymized data, due to its irreversible nature, can often be used more freely, as it poses little risk to individual privacy. However, because it retains some level of identifiability, de-identified data must be handled with more caution and may still be subject to privacy regulations.

Organizations must carefully choose between anonymization and de-identification based on their specific needs and the level of privacy protection required. In cases where the goal is to maximize data utility while minimizing risk de-identification is the preferred choice. In other cases, where the highest level of privacy protection is necessary, anonymization may be the only acceptable option.

FAQs

What are some challenges in achieving true anonymization?

Challenges in achieving true anonymization include:

• The complexity of data: Complex datasets with multiple variables can be difficult to anonymize.
• Data linkage: Even without identifiers, combining anonymized datasets with other data sources can sometimes lead to re-identification.
• Advanced re-identification techniques: As data science advances, new methods for re-identifying anonymized data are continually being developed, raising the bar for what constitutes true anonymization.

Can anonymization or de-identification be applied to all types of data?

Anonymization and de-identification can be applied to many types of data, including structured data (like databases) and unstructured data (like text documents). However, the effectiveness of these processes depends on the nature of the data. For instance, anonymizing free text data or images can be more challenging due to the complexity of identifying and removing all potential identifiers.