Protecting Privacy when Posting to Rare Disease Forums
September 1, 2020
People with rare diseases are often willing to share their stories and details about their conditions. They recognize doing so may not only have therapeutic benefits for themselves, but also help others, and could add to a pool of data needed to accelerate diagnoses and the development of treatments.
But when they do so anonymously in online forums, hospital websites, and social media with an expectation of privacy, there can be risks that someone who wants to make an effort to figure out who they are, can do so.
A new study in the Orphanet Journal of Rare Diseases finds that rare disease patients who share their health information on websites put their healthcare data privacy at risk even though they may take steps to de-identify the information. The authors, who are all affiliated with the healthcare privacy consultancy Mirador Analytics, said there are simple steps that organizations can take to take to mitigate the risk of patients being re-identified.
“Patients post an increasing number of diagnosis/treatment stories in these open access forums to discuss treatment options and to provide hope and emotional support for other patients, all with the expectation that these institutions will and should recognize their right for their privacy,” they write. “However, this expectation of privacy may be without foundation, as these patients’ data (both indirect and direct identifiers) may be extremely discoverable and, via their diagnosis/treatment stories, linked to their disease condition.”
To determine the risk of re-identification, the authors mined direct and indirect identifiers of patients from support forums from 80 patients with eight different rare conditions. To mine the data, the researchers scanned patient testimonials, social media sites, and public records for the collection of identifiers linked to a rare disease patient.
The study found that nearly 75 percent of the patients could be at high risk for re-identification in healthcare datasets in which they appear because of their unique combination of identifiers such as marital status, zip code, age, and sex, as well as rare disease. Those data points are typically included in de-identified data.
The researchers said the risk of re-identification can be reduced by a few simple changes to diagnosis stories/support-group posts at the patient level. Dates of service should be avoided beyond year. The place of service and physician should not be posted in publicly accessible forums. People should also refrain from giving any place of residence beyond state, and only identify themselves by first name wherever possible.
They argue that risks can be mitigated by increasing guidelines around postings as well as having hospitals, social media sites, and other organizations that run such forums implement guidelines for posting and informing patients who participate in their forums about the risks of disclosing indirect identifiers along with their particular conditions.
In the rare disease world, there is sometimes a sense that privacy laws are impediments to progress. Many advocates are outspoken about their conditions and would happily share the details of their personal story if they believed it could do some good. But where there is an expectation of privacy, those charged as gatekeepers need to take steps to protect people who want that protection. And people, who are concerned about their own privacy and who participate in such forums, should consider leaving out identifiers if they want to protect their own privacy. Failure to address such weaknesses will only serve as a further barrier to this type of data sharing when people who wish to remain anonymous find their anonymity is compromised.
Sign up for updates straight to your inbox.