This paper from Privacy Analytics addresses the common scenario in which health data is anonymized and used for research purposes within a data controller that retains the original data set. In such cases, robust anonymization combined with strong safeguards to protect the anonymized data from being re-associated with the original data or otherwise re-identified, creates a strong case under the GDPR that the data should still be considered fully anonymous and therefore outside the scope data protection law. But even where that is not the case, the same strong anonymization methodology and safeguards will enable the data controller to meet key GDPR obligations. In either case, strong de-identification is an essential tool for enabling the use of sensitive health data for research purposes. (August 2017)
European Legal Requirements for Use of Anonymized Health Data for Research Purposes by a Data Controller with Access to the Original (Identified) Data Sets
Related Stories
Web Conference: Paging All Healthcare Privacy Pros
Original broadcast date: November 9, 2018
Join us as three seasoned privacy professionals discuss the requirements of the CCPA applicable to healthcare organizations and how to operationalize compliance....
Use of Electronic Health Record Data in Clinical Investigations
This guidance document, published by the U.S. Department of Health and Human Services, is intended to assist sponsors, clinical investigators, contract research organizations, institutional review boards, and other interested parties on the use of electronic health record data in FDA-regulated clini...
HIPAA-Compliant Privacy Policy Language for e-Health Applications
The following is a privacy policy language profile proposal for HIPAA-Compliant e-Health Applications, published by Elsevier B.V. Included in the proposition is the aim of usage allowing the e-health providers to specify HIPAA-compliant privacy policies and the ability for patents to be able to expr...