Avoiding disclosure of individually identifiable health information: a literature review

Abowd, J. M., & Lane, J. (2004). New approaches to confidentiality protection: Synthetic data, remote access and research data centers. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.85.3083

Abowd, J. M., Stinson, M., & Benedetto, G. (2006). Final report to the social security administration on the SIPP/SSA/IRS public use file project. Retrieved from http://www.bls.census.gov/sipp/synth\_data.html

Abowd, J. M., & Woodcock, S. D. (2002). Disclosure limitation in longitudinal linked data. In P. Doyle, J. I. Lane, J. J. Theeuwes, & L. V. Zayatz (Eds.), Confidentiality, disclosure, and data access (pp. 215-278). Amsterdam, Netherlands: North Holland.

Agrawal, R., & Srikant, R. (2000). Privacy-preserving data mining. In Proceedings ACM SIGMOD International Conference on Management of Data (pp. 439-450). Dallas, TX.

Alexander, T., Davern, M., & Stevenson, B. (2010). Inaccurate age and sex data in the census PUMS files: Evidence and implications. Public Opinion Quarterly, 74, 551-569.

Algranati, D., & Kadane, J. (2004). Extracting confidential information from public documents: The 2000 Department of Justice Report on the federal use of the death penalty in the United States. Journal of Official Statistics, 20, 97-113.

Anderson, M., & Seltzer, W. (2009). Federal statistical confidentiality and business data: Twentieth century challenges and continuing issues. Journal of Privacy and Confidentiality, 1, 7-52.

Bacher, J., Brand, R., & Bender, S. (2002). Re-identifying register data by survey data using cluster analysis: An empirical study. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10, 589-607.

Benedetti, R., & Franconi, L. (1998). Statistical and technological solutions for controlled data dissemination. In Pre-proceedings of New Techniques and Technologies for Statistics, 1, 225-232. Retrieved from http://neon.vb.cbs.nl/casc/Software/MuManual4.2.pdf

Benitez, K., & Malin, B. (2010). Evaluating re-identification risks with respect to the HIPAA privacy rule. Journal of the American Medical Informatics Association, 17, 169-177.

Bethlehem, J. G., Keller, W. J., & Pannekoek, J. (1990). Disclosure control of microdata. Journal of the American Statistical Association, 85, 38-45.

Bradburn, N., & Straf, M. (2003). The eleventh Morris Hansen lecture information and statistical data: A distinction with a difference. Journal of Official Statistics, 19, 321-331.

Brickell, J., & Shmatikov, V. (2008). The cost of privacy: Destruction of data-mining utility in anonymized data publishing. In Proceedings of 14th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD) (pp.70-78). Retrieved from http://www.cs.utexas.edu/~shmat/

Chen, B., Kifer, D., LeFevre, K., & Machanavajjhala, A. (2009). Privacy-preserving data publishing. Foundations and Trends in Databases, 2, 1-167.

Chen, G., & Keller-McNulty, S. (1998). Estimation of deidentification disclosure risk in microdata. Journal of Official Statistics, 14, 79-95.

European Communities. (1998). Statistical data protection ’98. In Proceeding by Office of Official Publications, Statistical Office of the European Communities. Retrieved from http://epp.eurostat.ec.europa.eu/portal/page/portal/eurostat/home

Confidentiality and Data Access Committee. (2005). Federal committee on statistical methodology (Statistical Policy Working Paper No. 22). Retrieved from http://www.fcsm.gov/committees/cdac/ cdac.html

Couper, M., Singer, E., Conrad, F., & Groves, R. (2008). Risk of disclosure, perceptions of risk, and concerns about privacy and confidentiality as factors in survey participation. Journal of Official Statistics, 24, 255-275.

Couper, M., Singer, E., Conrad, F., & Groves, R. (2010). Experimental studies of disclosure risk, disclosure harm, topic sensitivity, and survey participation. Journal of Official Statistics, 26, 287-300.

Dalenius, T. (1977). Toward a methodology for statistical disclosure control. Statistik Tidskrift, 15, 429-444.

Dalenius, T. (1988). Controlling invasion of privacy in surveys. Stockholm: Statistics Sweden.

Dalenius, T., & Reiss, S. P. (1982). Data-swapping: A technique for disclosure control. Journal of Statistical Planning and Inference, 6, 73-85.

Domingo-Ferrer, J. (2002). Privacy in statistical databases (LNCS 2316). Springer. Retrieved from http://www.springer.com/computer/theoretical+computer+science/book/978-3-540-43614-0

Domingo-Ferrer, J., & Franconi, L. (2006). Privacy in statistical databases (LNCS 4302). Springer. Retrieved from http://www.springer.com/computer/database+management+%26+information+retrieval/book/978-3-540-49330-3?changeHeader

Domingo-Ferrer, J., & Magkos, E. (2010). Privacy in statistical databases (LNCS 6344). Springer. Retrieved from http://www.springer.com/computer/database+management+%26+information+retrieval/book/978-3-642-15837-7?changeHeader

Domingo-Ferrer, J., & Saygin, Y. (2008). Privacy in statistical databases (LNCS 5262). Springer. Retrieved from http://www.springer.com/computer/database+management+%26+information+retrieval/book/978-3-540-87470-6?changeHeader

Domingo-Ferrer, J., Sebe, F., & Castella-Roca, J. (2004). On the security of noise addition for privacy in statistical databases. In J. Domingo-Ferrer & V. Torra (Eds.), Privacy in statistical databases 2004 (LNCS 3050) (pp. 149-161). Verlag Berlin Heidelberg: Springer.

Domingo-Ferrer, J., & Torra, V. (2003). Disclosure risk assessment in statistical microdata protection via advanced record linkage. Statistics and Computing, 13, 343-354.

Domingo-Ferrer, J., & Torra, V. (2004). Privacy in statistical databases (LNCS 3050). Springer. Retrieved from http://www.springer.com/computer/database+management+%26+information+retrieval/book/978-3-540-22118-0?changeHeader

Duncan, G. T., Elliot, M., & Salazar-González, J. (2011). Statistical confidentiality: Principles and practice. New York, NY: Springer

Duncan, G. T., Jabine, T. B., & de Wolf, V. A. (1993). Private lives and public policies. Washington, DC: National Academy Press.

Dwork, C. (2006). Differential privacy. In 33rd International Colloquium on Automata, Languages and Programming, part II. Venice, Italy: Springer-Verlag.

Dwork, C., & Naor, M. (2010). On the difficulties of disclosure prevention in statistical database or the case for differential privacy. Journal of Privacy and Confidentiality, 2, 93-107.

El Emam, K. (2011). Methods for the de-identification of electronic health records for genomic research. Genome Medicine, 3, 1-9.

El Emam, K., Brown, A., AbdelMalik, P., Neisa, A., Walker, M., Bottomley, J., & Roffey, T. (2010). A method for managing reidentification risk from small geographic areas in Canada. BMC Medical Informatics & Decision Making, 10, 18.

El Emam, K., Kamal Dankar, F., Issa, R., Jonker, E., Amyot, D., Cogo, E., & Bottomley, J. (2009). A globally optimal k-anonymity method for the de-identification of health data. Journal of the American Medical Informatics Association, 16, 670-682.

Elliot, M. J. (2000). DIS: A new approach to the measurement of statistical disclosure risk. International Journal of Risk Management, 2, 39-48.

Fayyoumi, E., & Oommen, B. J. (2010). A surveyon statistical disclosure control and micro-aggregation techniques for secure statistical databases. Software: Practice & Experience, 40, 1161-1188.

Fienberg, S., & McIntyre, J. (2005). Data swapping: Variations on a theme by Dalenius and Reiss. Journal of Official Statistics, 21, 309-323.

Fuller, W. A. (1993). Masking procedures for microdata disclosure limitation. Journal of Official Statistics, 9, 383-406.

Fung, B. C. M., Wang, K., Chen, R., & Yu, P. S. (2010). Privacypreserving data publishing: A survey of recent developments. ACM Computing Surveys, 42, 14:1-14:53.

Gouweleeuw, J. M., Kooiman, P., Willenborg, L. C. R.J., & De Wolf, P.-P. (1998). Post randomisation for statistical disclosure control: Theory and implementation. Journal of Official Statistics, 14, 463-478.

Hundepool, A., Wetering, A., Ramaswamy, R., Franconi, L., Polettini, S., Capobianchi, A., & Giessing, S. (2008). Mu-Argus, Version 4.2 User’s Manual. The Hague, Netherlands: Statistics. Retrieved from http://neon.vb.cbs.nl/casc/Software/MuManual4.2.pdf

Kennickell, A., & Lane, J. (2007). Measuring the impact of data protection techniques on data utility: Evidence from the survey of consumer finances (SCF Working Papers). Retrieved from http://www.federalreserve.gov/pubs/oss/oss2/papers/Disclosure3.pdf

Kinney, S. K., Karr, A. F., & Gonzalez, J. F. (2009). Data confidentiality: the next five years summary and guide to papers.Journal of Privacy and Confidentiality, 1, 125-134.

Lane, J. (2007). Optimizing the use of microdata: an overview of the issues. Journal of Official Statistics, 23, 299-317.

Lane, J., Heus, P., & Mulcahy, T. (2008). Data access in a cyber world: Making use of cyberinfrastructure. Transactions on Data Privacy, 1, 2-16.

Lane, J., & Schur, C. (2010). Balancing access to health data and privacy: A review of the issues and approaches for the future. Health Services Research, 45, 1456-1467.

Little, R. J. A., & Liu, F. (2003). Comparison of SMIKe with dataswapping and PRAM for statistical disclosure control of simulated microdata. In Proceedings of the Section on Survey Research Methods, CD-ROM. American Statistical Association. Retrieved from http://www.amstat.org/sections/srms/Proceedings/

Loukides, G., Denny, J., & Malin, B. (2010). The disclosure of diagnosis codes can breach research participants’ privacy. Journal of the American Medical Association, 17, 322-327.

Malin, B., Sweeney, L., & Newton, E. (2003). Trail re-identification: learning who you are from where you have been. Workshop on Privacy in Data, Carnegie Mellon University, Pittsburgh, PA.

McCallum, A., & Wellner, B. (2003). Object consolidation by graph partitioning with a conditionally-trained distance metric. In Proceedings of the ACM Workshop on Data Cleaning, Record Linkage and Object Identification, Washington, DC.

Nadeau, C., Gagnon, E., & Latouche, M. (1999). Disclosure control strategy for the release of microdata in the Canadian Survey of Labour and Income Dynamics. Paper presented at the 1999 Joint Statistical Meetings, Baltimore, MD.

Narayanan, A., & Shmatikov, V. (2008). Robust de-anonymization of large sparse datasets. In Proceedings of the 2008 IEEE Symposium on Security and Privacy. Retrieved from http://www.cs.utexas.edu/~shmat/

Narayanan, A., & Shmatikov, V. (2010). Myths and fallacies of “personally identifiable information.” Communications of the ACM, 53, 24-26.

Ochoa, S., Rasmussen, J., Robson, C., & Salib, M. (2008). Reidentification of individuals in Chicago’s homicide database—A technical and legal study. Retrieved from http://web.mit.edu/sem083/www/assignments/reidentification.html

Raghunathan, T. E., Reiter, J. P., & Rubin, D. B. (2003). Multiple imputation for statistical disclosure limitation. Journal of Official Statistics, 19, 461-468.

Rastogi, V., Suciu, D., & Hong, S. (2007, September 23-27). The boundary between privacy and utility in data publishing. In Proceedings of the 33rd International Conference on Very Large Data Bases. Vienna, Austria.

Reiter, J. (2003). Inference for partially synthetic, public use microdata sets. Survey Methodology, 29, 181-188.

Reiter, J. (2009). Multiple imputation for disclosure limitation: Future research challenges. Journal of Privacy and Confidentiality, 1, 223-233.

Rosenbaum, S. (2010). Data governance and stewardship: designing data stewardship entities and advancing data access. Health Services Research, 45, 1442-1455.

Rothstein, M. (2010). Is deidentification sufficient to protect health privacy in research? American Journal of Bioethics, 10, 3-11.

Rubin, D. B. (1993). Statistical disclosure limitation. Journal of Official Statistics, 9, 461-468.

Scheuren, F., & Winkler, W. (1997). Regression analysis of data files that are computer matched—Part II. Survey Methodology, 23, 157-165.

Singh, A. (2009). Maintaining analytic utility while protecting confidentiality of survey and nonsurvey data. Journal of Privacy and Confidentiality, 1, 155-182.

Singh, A., Yu, F., & Dunteman, G. (2003, April). MASSC: A new data mask for limiting statistical information loss and disclosure (Working Paper No. 23). Paper presented at the Joint ECE/Eurostat work session on statistical confidentiality, Luxemburg. Retrieved from http://www.unece.org/fileadmin/DAM/stats/documents/2003/04/confidentiality/wp.23.s.e.pdf

Skinner, C. J. (2007). The probability of identification: Applying ideas from forensic statistics to disclosure risk assessment. Journal of the Royal Statistical Society. Series A: Statistics in Society, 170, 195-212.

Skinner, C. J. (2009). Statistical disclosure control for survey data. In D. Pfeffermann & C. R. Rao (Eds.), Handbook of statistics (Vol. 29a, pp. 381-396). Amsterdam, Netherlands:Elsevier. Retrieved from http://www.elsevier.com/wps/find/ bookdescription.cws_home/719334/description#description

Skinner, C. J., & Shlomo, N. (2008). Assessing identification risk in survey microdata using log-linear models. Journal of the American Statistical Association, 103, 989-1001.

Sweeney, L. (1997). Weaving technology and policy together to maintain confidentiality. Journal of Law, Medicine & Ethics, 25, 98-110.

Sweeney, L. (2000). Uniqueness of simple demographics in the U.S. population (LIDAP-WP4). Laboratory for International Data Privacy, Carnegie Mellon University, Pittsburgh, PA.

Sweeney, L. (2002). k-Anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledgebased Systems, 10, 557-570.

Sweeney, L. (2010a, March 8-9). Data sharing under HIPAA: 12 years later. Paper Presented at HHS Workshop on the HIPAA Privacy Rule’s De-identification Standar, Washington, DC. Retrieved from http://hhshipaaprivacy.com/assets/5/resources/Panel2_Sweeney.pdf

Sweeney, L. (2010b). Designing a Trustworthy Nationwide Health Information Network (NHIN) Promises Americans Privacy and Utility, Rather Than Falsely Choosing Between Privacy or Utility (Testimony before the 21st Century Healthcare Caucus Round Table, U.S. Congress April 22, 2010). Retrieved from http://patientprivacyrights.org/wp-content/uploads/2010/04/ Sweeney-CongressTestimony-4-22-10.pdf

Truta, T. M., Fotouhi, F., & Barth-Jones, D. (2004). Assessing global disclosure risk in masked Microdata. In Proceedings of the 2004 Workshop on Privacy in Electronic Society (pp. 85-93). Washington, DC.

United Nations. (2007). Principles and guidelines for managing statistical confidentiality and microdata access. Retrieved from http://unstats.un.org/unsd/statcom/doc07/BG-Microdata-E.pdf

Weinberg, D. H., Abowd, J. M., Steel, P. M., Zayatz, L., & Rowland, S. K. (2007). Access methods for United States microdata (U.S. Census Bureau Center for Economic Studies Paper No. CES-WP-07-25). Retrieved from http://ssrn.com/ abstract=1015374

Willenborg, L., & de Waal, T. (1996). Statistical disclosure control in practice, lecture notes in statistics. New York, NY: Springer-Verlag.

Winkler, W. E. (1997). Views on the production and use of confidential microdata (Statistical Research Division report RR 97/01). Retrieved from http://www.census.gov/srd/www/ byyear.html

Winkler, W. E. (2004a). Masking and re-identification methods for public-use microdata: Overview and research problems. In J. Domingo-Ferrer & V. Torra (Eds.), Privacy in statistical database (pp. 231-247). New York, NY: Springer.

Winkler, W. E. (2004b). Re-identification methods for masked microdata. In J. Domingo-Ferrer & V. Torra (Eds.), Privacy in statistical databases (pp. 216-230). New York, NY: Springer.

Winkler, W. E. (2007). Examples of easy-to-implement, widely used methods of masking for which analytic properties are not justified (Research Report Series #2007-21). Statistical Research Division, U.S. Census Bureau. Retrieved from http://www.census.gov/srd/papers/pdf/rrs2007-21.pdf