Limits...
Pseudonymization of patient identifiers for translational research.

Aamot H, Kohl CD, Richter D, Knaup-Gregori P - BMC Med Inform Decis Mak (2013)

Bottom Line: If these biospecimen are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual.The pseudonymization service provider is unable to conclude the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead.Assigned ombudsmen are able to de-pseudonymize a patient, if an individual research result is clinically relevant.

View Article: PubMed Central - HTML - PubMed

Affiliation: NCT Trial Center, German Cancer Research Center, Heidelberg, Germany. harald.aamot@nct-heidelberg.de

ABSTRACT

Background: The usage of patient data for research poses risks concerning the patients' privacy and informational self-determination. Next-generation-sequencing technologies and various other methods gain data from biospecimen, both for translational research and personalized medicine. If these biospecimen are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual. This raises an ethical concern and challenges the legitimacy of anonymized patient samples. In this paper we present a new approach which supports both data privacy and the possibility to give feedback to patients about their individual research results.

Methods: We examined previously published privacy concepts regarding a streamlined de-pseudonymization process and a patient-based pseudonym as applicable to research with genomic data and warehousing approaches. All concepts identified in the literature review were compared to each other and analyzed for their applicability to translational research projects. We evaluated how these concepts cope with challenges implicated by personalized medicine. Therefore, both person-centricity issues and a separation of pseudonymization and de-pseudonymization stood out as a central theme in our examination. This motivated us to enhance an existing pseudonymization method regarding a separation of duties.

Results: The existing concepts rely on external trusted third parties, making de-pseudonymization a multistage process involving additional interpersonal communication, which might cause critical delays in patient care. Therefore we propose an enhanced method with an asymmetric encryption scheme separating the duties of pseudonymization and de-pseudonymization. The pseudonymization service provider is unable to conclude the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead. To solve person-centricity issues, a collision-resistant function is incorporated into the method. These two facts combined enable us to address essential challenges in translational research. A productive software prototype was implemented to prove the functionality of the suggested translational, data privacy-preserving method. Eventually, we performed a threat analysis to evaluate potential hazards connected with this pseudonymization method.

Conclusions: The proposed method offers sustainable organizational simplification regarding an ethically indicated, but secure and controlled process of de-pseudonymizing patients. A pseudonym is patient-centered to allow correlating separate datasets from one patient. Therefore, this method bridges the gap between bench and bedside in translational research while preserving patient privacy. Assigned ombudsmen are able to de-pseudonymize a patient, if an individual research result is clinically relevant.

Show MeSH

Related in: MedlinePlus

The translational pseudonymization algorithm. The algorithm has two scenarios. Either a new pseudonym is created or the patient has been pseudonymized before and his pseudonym is retrieved from the database.
© Copyright Policy - open-access
Related In: Results  -  Collection

License
getmorefigures.php?uid=PMC3733629&req=5

Figure 3: The translational pseudonymization algorithm. The algorithm has two scenarios. Either a new pseudonym is created or the patient has been pseudonymized before and his pseudonym is retrieved from the database.

Mentions: We start with the pseudonymization procedure. The operations carried out by the TTP for a pseudonymization are shown in FigureĀ 3. When the pseudonymization service receives a PID, it first computes deterministic one-way mapping information (DOWMAP) for a PID.


Pseudonymization of patient identifiers for translational research.

Aamot H, Kohl CD, Richter D, Knaup-Gregori P - BMC Med Inform Decis Mak (2013)

The translational pseudonymization algorithm. The algorithm has two scenarios. Either a new pseudonym is created or the patient has been pseudonymized before and his pseudonym is retrieved from the database.
© Copyright Policy - open-access
Related In: Results  -  Collection

License
Show All Figures
getmorefigures.php?uid=PMC3733629&req=5

Figure 3: The translational pseudonymization algorithm. The algorithm has two scenarios. Either a new pseudonym is created or the patient has been pseudonymized before and his pseudonym is retrieved from the database.
Mentions: We start with the pseudonymization procedure. The operations carried out by the TTP for a pseudonymization are shown in FigureĀ 3. When the pseudonymization service receives a PID, it first computes deterministic one-way mapping information (DOWMAP) for a PID.

Bottom Line: If these biospecimen are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual.The pseudonymization service provider is unable to conclude the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead.Assigned ombudsmen are able to de-pseudonymize a patient, if an individual research result is clinically relevant.

View Article: PubMed Central - HTML - PubMed

Affiliation: NCT Trial Center, German Cancer Research Center, Heidelberg, Germany. harald.aamot@nct-heidelberg.de

ABSTRACT

Background: The usage of patient data for research poses risks concerning the patients' privacy and informational self-determination. Next-generation-sequencing technologies and various other methods gain data from biospecimen, both for translational research and personalized medicine. If these biospecimen are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual. This raises an ethical concern and challenges the legitimacy of anonymized patient samples. In this paper we present a new approach which supports both data privacy and the possibility to give feedback to patients about their individual research results.

Methods: We examined previously published privacy concepts regarding a streamlined de-pseudonymization process and a patient-based pseudonym as applicable to research with genomic data and warehousing approaches. All concepts identified in the literature review were compared to each other and analyzed for their applicability to translational research projects. We evaluated how these concepts cope with challenges implicated by personalized medicine. Therefore, both person-centricity issues and a separation of pseudonymization and de-pseudonymization stood out as a central theme in our examination. This motivated us to enhance an existing pseudonymization method regarding a separation of duties.

Results: The existing concepts rely on external trusted third parties, making de-pseudonymization a multistage process involving additional interpersonal communication, which might cause critical delays in patient care. Therefore we propose an enhanced method with an asymmetric encryption scheme separating the duties of pseudonymization and de-pseudonymization. The pseudonymization service provider is unable to conclude the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead. To solve person-centricity issues, a collision-resistant function is incorporated into the method. These two facts combined enable us to address essential challenges in translational research. A productive software prototype was implemented to prove the functionality of the suggested translational, data privacy-preserving method. Eventually, we performed a threat analysis to evaluate potential hazards connected with this pseudonymization method.

Conclusions: The proposed method offers sustainable organizational simplification regarding an ethically indicated, but secure and controlled process of de-pseudonymizing patients. A pseudonym is patient-centered to allow correlating separate datasets from one patient. Therefore, this method bridges the gap between bench and bedside in translational research while preserving patient privacy. Assigned ombudsmen are able to de-pseudonymize a patient, if an individual research result is clinically relevant.

Show MeSH
Related in: MedlinePlus