assessing health and treatment outcomes
assessing health and treatment outcomes
July 2012
1.0 Introduction
Outcome Referrals, Inc. ("Outcome Referrals") helps patients and caregivers track and improve quality of life, while respecting individual privacy, safeguarding confidential information and ensuring the security of both personal health information ("PHI") and personal information ("PI") in its custody or under its control as those terms and responsibilities are defined in the United States, Canada, and the European Union.
The Outcome Referrals system can be accessed and used by healthcare providers and healthcare recipients without disclosing any identifying information such as names, addresses, or policy numbers. In all cases, Outcome Referrals protects information collected through WellnessCheck® or any other mechanism with the following policy and procedures.
Outcome Referrals's General Privacy and Confidentiality Policy is publicly available on the Outcome Referrals website at https://www.wellnesscheck.net/oms/privacy.jsf.
2.0 Scope
This policy covers the collection, use, disclosure, management, protection, retention and destruction of PHI and PI. This policy applies to all Outcome Referrals operations and employees. Although the majority of Outcome Referrals operations and employees do not collect or access PHI, all employees are trained in the General Outcome Referrals Privacy and Confidentiality Policies and Procedures.
3.0 Definitions
Agent or Business Associate: Outcome Referrals is an authorized agent for contracting healthcare providers and health plans using WellnessCheck® to collect, store and analyze healthcare data. In this capacity Outcome Referrals serves as a Business Associate (as defined by HIPAA 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)), or Agent as defined in PHIPA.
Collect: To gather, receive or record information from any source and by any method.
Confidentiality: The organization's obligation to protect from disclosure the PHI and PI with which it has been entrusted.
Cookies: Cookies are used for record keeping and to track movements when visiting a website. The use of cookies is an industry standard, used in most websites, including health-related ones. There are two types of cookies: persistent and session. Persistent cookies are pieces of information that a website transfers to an individual's hard drive for record-keeping purposes. Session cookies are not permanently stored on hard drives and are used to provide easier navigation of websites and cannot be used to collect any personal information.
Custodian or Covered Entity: PHI regulations in Canada, Europe and the US apply to routine healthcare information collected by: (i) health care providers; (ii) health care clearinghouses; (iii) health plans.
Data linkage: The process by which information from one data holding is combined with that of another data holding to create new or more complete information. Temporary linkages are created for the purpose of specific research projects. Permanent linkages effectively create new data holdings.
Data holdings: Data holdings: A list of all datasets that are maintained on Outcome Referrals servers and are in the custodianship of Outcome Referrals.
Disclose: To make personal information available or known to individuals outside Outcome Referrals.
EU Privacy Directive: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Express consent: Any specifically given (whether in writing, in person, electronically, by telephone, by using a check-off box or otherwise) voluntary, knowledgeable indication of an individual's wishes.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 and regulations, as amended from time to time.
Identifiers: Identifiers directly and easily identify an individual. An identifying variable would be, for example, a name, full address, telephone number, email address, health insurance number, and social insurance number. These identifiers are differentiated from Quasi-Identifiers.
Individual: The person, whether living or deceased, whose information is collected, used or disclosed.
Institutional Review Boards (IRB): See Research Ethics Board (REB) below.
IP addresses: An IP address is a number that is automatically assigned to a computer whenever surfing the Web. Many Web servers automatically identify computers or networks protected by firewalls by their IP addresses.
Organization: A legal person (e.g., a corporation), an association, a partnership, Covered Entity, a Health Information Custodian or a trade union.
Personal Information (PI): Information about an identifiable individual, including personal health information, that does not include the name, title, business address or telephone number of an employee of an organization.
Personal Health Information (PHI):
UNITED STATES: Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations.
CANADA: As defined by PHIPA 2004 section 4.1, “personal health information“, means identifying information about an individual in oral or recorded form, if the information: (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual's family; (b) relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual; (c) is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual; (d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual; (e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance; (f) is the individual's health number; or (g) identifies an individual's substitute decision-maker.
EUROPEAN UNION: As defined in Directive 95/46/EC of the European Parliament “'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
PHIPA: The Personal Health Information Protection Act, 2004 and regulations, as amended from time to time.
Policy Officer (PO): The designated representative of the company entrusted with ensuring that the articles of this Policy are adhered to as described.
Quasi-identifiers: A quasi-identifier means a variable that may indirectly identify an individual, such as a date (birth, death, admission, discharge, autopsy, specimen collection, or visit), postal code or other location information. The presence of quasi-identifiers in a dataset does not automatically signify that it contains PHI, but does require that the proper provincial threshold is examined when determining a dataset is de-identified.
Research: A systematic investigation designed to develop or establish principles, facts or knowledge that can be generalized, or any combination of the above, and includes the development, testing and evaluation of research.
Research Ethics Board (REB) or Institutional Review Boards (IRB): A board composed of qualified persons which can be formally designated by an organization, while maintaining its independent functioning from the organization, which meets for the purpose of conducting ethical reviews of research applications and meets the requirements of applicable provincial and federal legislation and regulations (e.g., PHIPA and the federal Food and Drug Act) and applicable guidelines and policies. The REB may approve, reject, propose modifications to, put on hold or terminate research at its sole discretion as well as recommend the suspension of ongoing research.
Risk Thresholds: Various governments require overlapping but different standards for determining whether data is de-identified. Some of these thresholds include:
Serious Possibility Test: Federal government departments in Canada must follow the “serious possibility test” to determine if data is de-identified. Within this criteria one must determine where there is a serious possibility that the data holding facility could identify an individual through the use of that information, alone or in combination with other available information.
Reasonable Possibility Test: The EU Data Protection Directive states that an “individual shall not be regarded as identifiable if the identification requires an unreasonable amount of time and manpower”. In the United States, HIPAA considers data de-identified if there is not a reasonable possibility that an individual can be identified, and Supreme Courts have interpreted this to mean that it must be demonstrated that non-experts and multiple experts can re-identify a data set before it can be considered personal information.
K-anonymity de-identification criterion: This criterion ensures that there are at least k records in the dataset that have the same values on the quasi-identifiers for every combination of values. For example, if the quasi-identifiers are age and gender, then it would ensure that, say, there are at least k records with “50, male” values.
Rareness criterion: Quasi-identifiers that refer to a regional population subgroup (e.g. a postal or zip code) for fewer than 20,000 individuals, or that refers to less than 0.5% of the population (e.g. individuals over 89 years old) require special consideration when assessing risk thresholds.
Minimum cell size: Because there is quite a bit of subjectivity in most definitions, one can interpret them using a strong precedent. Many custodians, within and outside healthcare for more than 20 years, have been using two thresholds to decide if a dataset is de-identified. These thresholds refer to minimal cell sizes, which mean the number of records that have the same values on the quasi-identifiers. One threshold that has been suggested and used is a minimal cell size of three in data sets that are disclosed [35-38]. Another more common value is a minimal cell size of five [39-48]. Because of the extensive use of these two thresholds over such an extended period of time, one can argue that these represent the risks that society has decided to accept when releasing sensitive personal information.
Safe harbor provision: The Safe Harbor provision of the US HIPAA Privacy Rule specifies 18 data elements whose absence deems a dataset de-identified. HIPAA also provides the certification of datasets as de-identified through statistical techniques even when some of the data elements (quasi-identifiers) are present.
Use: To handle or deal with information, including transferring the information.
4.0 Policy and Procedure
The following details the manner in which Outcome Referrals adheres to its main principles.
4.1 Principle 1 - Accountability
4.1.1 The President of Outcome Referrals is accountable for compliance with the applicable privacy legislation and regulations. The President is responsible for ensuring that Outcome Referrals meets current legal requirements and adheres to the principles of privacy, confidentiality and security.
4.1.2 Outcome Referrals employees must comply with this policy for the collection, use, disclosure, management, protection, retention and destruction of PHI and PI. All employees must sign the Confidentiality Agreement as a condition of employment/engagement. Employees must also attend and participate in Outcome Referrals's privacy and confidentiality training and are required to sign the Privacy Training Acknowledgement Form.
4.1.3 Outcome Referrals is responsible for protecting the confidentiality of all PHI and/or PI that is transferred to and from Covered Entities or Custodian. Outcome Referrals ensures that adequate processes are in place to de-identify any PI/PHI that is transferred to any third party before the information is transferred for research purposes.
4.1.4 This policy is evaluated on an ongoing basis to ensure that it reflects current legislation, guidelines, and practices at Outcome Referrals.
4.1.5 Breaches of the provisions of this policy may result in disciplinary action up to and including termination of the employee.
4.1.6 Outcome Referrals has procedures in place to receive and to respond to inquiries and complaints.
4.2 Principle 2 - Identifying Purposes
4.2.1 Prior to the collection or receipt of any PI/PHI, Outcome Referrals must identify the purpose for its collection, use or disclosure. Collection of PI/PHI is limited to the information necessary to meet the identified and, if required, ethically approved clinical or research purposes.
4.2.2 Outcome Referrals employees must be aware of the purpose for which PI/PHI may be collected for the data holding(s) in their area.
4.2.3 When PI/PHI that was previously collected is to be used or disclosed for a purpose not previously identified, the PI/PHI may only be used or disclosed after the new purpose has been identified, and if required, (for research data) REB approval has been granted.
4.3 Principle 3 - Knowledge and Consent
4.3.1 The collection, use and disclosure of PI/PHI are based on knowledgeable consent with respect to research data and knowledgeable consent for other personally identifiable information or without consent in areas where permitted or required by law.
4.3.2 The Covered Entities or Custodians of the data for which Outcome Referrals is acting as an Agent or Business Associate are responsible for gathering necessary Express Consent and IRB/REB approvals required within their legal jurisdiction.
4.3.3 Where express consent is required for the collection, use, and disclosure of PI/PHI, Outcome Referrals will ensure that its customers are aware of this requirement.
4.4 Principle 4 - Limiting Collection of Data
4.4.1 Outcome Referrals will only collect data for clinical, research or other purposes within its mandate and for its customers.
4.4.2 Outcome Referrals will not collect PI/PHI indiscriminately. Both the amount and the type of information collected will be limited to what is necessary to fulfill the purposes identified.
4.4.3 PI/PHI will be collected directly from the individual or clinician unless otherwise permitted or required by law.
4.4.4 Any PI/PHI collected that does not fall within the scope identified must be returned and/or destroyed.
4.4.5 Outcome Referrals does not use persistent cookies to collect or store identifying information about users of its websites. Collection and storage of IP addresses are used for system administration and auditing the use of Outcome Referrals' websites. Only in the event of a violation of Outcome Referrals's Terms of Use or Licensing Agreements will Outcome Referrals use such devices to enforce compliance to protect the integrity of data and intellectual property rights.
4.5 Principle 5 - Limiting Use, Disclosure and Retention
4.5.1 Outcome Referrals will never disclose PHI for any purpose other than as directed by court order.
4.5.2 All PHI identifiers and quasi-identifiers will be stored in an encrypted format.
4.5.3 If an identifier (e.g. health plan policy numbers) is required by contract with a covered entity or custodian, and the identifier is not required for a legitimate Outcome Referrals business purpose, one-way encryption techniques will be employed, rendering the data de-identified to Outcome Referrals employees.
4.5.4 If an individual has authorized Outcome Referrals to store PHI containing an identifier (e.g. email address) which Outcome Referrals will use for a legitimate business purpose (e.g. emailing questionnaire reminders at the patient's request), Outcome Referrals will store such identifiers in a separate database with double coding and one-way encryption techniques to prevent Outcome Referrals employees from linking an identifier to clinical data.
4.5.5 If Outcome Referrals uses collected data for research purposes, it will first be de-identified according to the highest standards currently available in Canada, the European Union, or the United States, whichever (either in isolation or combination) provides greater privacy assurances.
4.5.6 Outcome Referrals will only collaborate in research that contributes an improved understanding of behavioral health and to improved treatment of an individual's quality of life. Restrictions on the use and disclosure of data will be reinforced by Outcome Referrals's information technology architecture. All other data will be used, disclosed and retained for identified purposes.
4.5.7 Only authorized and designated Outcome Referrals personnel, who have signed Outcome Referrals's Confidentiality Agreement and received appropriate Privacy and Confidentiality Training, will be allowed access to PHI/PI. Access will be authorized on a need-to-know basis for performing Outcome Referrals duties. No Outcome Referrals employee may access PI/PHI unless required to do so for the purposes of his/her employment.
4.5.8 Outcome Referrals will take appropriate steps to protect against any risk of unauthorized disclosure of PI/PHI. Outcome Referrals employees engaged in research must work with researchers and/or external parties to develop strategies for preparing data sets so that there is no potential risk of residual disclosure while meeting the analysis requirements for the approved research protocol. Outcome Referrals will develop and maintain standards and guidelines for unauthorized disclosure avoidance and will make researchers and external parties aware of these standards and guidelines. If unauthorized disclosure issues cannot be resolved to Outcome Referrals's satisfaction, Outcome Referrals will not disclose related data.
4.5.9 Outcome Referrals may participate in data linkage with covered entities and custodians for specific analyses or for other clinical purposes, in accordance with applicable laws and/or regulations. All linked data sets will be subject to Outcome Referrals's policy and procedures which govern the collection, use and disclosure of PI/PHI.
4.5.10 Outcome Referrals has procedures and guidelines for the secure retention of PI/PHI and will not keep the data beyond the designated retention period as set out in its data retention policy (which is in compliance with applicable legislation).
4.5.11 PI/PHI that is no longer required to fulfill its identified purposes will be securely destroyed after the applicable retention period has expired.
4.5.12 Outcome Referrals ensures that datasets have surpassed provincial threshold tests as defined above and meet the minimum cell size requirements to ensure de-identification standards have been met.
4.6 Principle 6 - Accuracy of PI/PHI
4.6.1 Outcome Referrals will require that the PI/PHI it receives is accurate, complete and up-to-date at the time of collection, as verified by the individual or organization collecting the data.
4.6.2 Outcome Referrals will not update the PI/PHI it collects unless it is necessary to fulfill the purposes for which the PI/PHI was collected. Data which has been made anonymous will not be updated by Outcome Referrals.
4.7 Principle 7 - Safeguards (anonymization of data and process for the disposal or destruction of PI/PHI)
4.7.1 Outcome Referrals has security safeguards to protect against the loss, theft, unauthorized access, disclosure, copy, use, modification or disposal of PI/PHI.
4.7.2 Outcome Referrals provides a secure physical environment for the equipment and facilities where PI/PHI is stored and for the employees who use this information.
4.7.3 All Outcome Referrals employees must sign a Confidentiality Agreement. PI/PHI may only be accessed by designated employees on a need-to-know basis and is protected by data-sharing agreements as required. Outcome Referrals trains all employees to be aware of the importance of maintaining the privacy and confidentiality of all PI/PHI.
4.7.4 Outcome Referrals has policies and procedures in place pertaining to the disposal or destruction of PI/PHI to prevent unauthorized parties from gaining access to the information.
4.7.5 Privacy impact assessments including, as appropriate, security analyses and threat risk assessments, are completed on data holdings and organizational practices to ensure that privacy issues are identified and resolved or mitigating strategies, with follow-up plans, are in place.
4.7.6 Outcome Referrals adopts industry standards and regularly tests its systems to ensure security of its data storage equipment and communication systems.
4.8 Principle 8 - Openness
4.8.1 Outcome Referrals makes information available about its policies and practices relating to the management of PI including PHI.
4.9 Principle 9 - Individual Access to PI/PHI
4.9.1 Outcome Referrals is not a Covered Entity or Health Information Custodian and does not hold health records for individuals for the purpose of providing health care. Outcome Referrals does not update individual records to ensure that data are current or accurate with respect to the individual. Individuals requesting access to records about themselves that they believe to be held by Outcome Referrals will be directed to contact the Health Information Custodians that collected or created the information about them. This includes court requests for data collected or stored at Outcome Referrals.
4.10 Principle 10 - Challenging Compliance
4.10.1 Questions, concerns and complaints about Outcome Referrals's Privacy and Confidentiality Policy are to be addressed to Outcome Referrals's Privacy Officer. All concerns and questions will be dealt with in a timely fashion and if a complaint is found to be justified, Outcome Referrals will take appropriate measures including, as necessary, changes to its policies and procedures.
References
1. Safran C, Bloomrosen M, Hammond E, Labkoff S, S K-F, Tang P, Detmer D. Toward a national framework for the secondary use of health data: An American Medical Informatics Association white paper. Journal of the American Medical Informatics Association, 2007; 14:1-9.
2. Perun H, Orr M, Dimitriadis F. Guide to the Ontario Personal Health Information Protection Act. 2005: Irwin Law.
3. El Emam K, King M. The data breach analyzer. 2009; Available from: [http://www.ehealthinformation.ca/dataloss].
4. Willison D, Emerson C, Szala-Meneok K, Gibson E, Schwartz L, Weisbaum K. Access to medical records for research purposes: Varying perceptions across Research Ethics Boards. Journal of Medical Ethics, 2008; 34:308-314.
5. El Emam K, Dankar F, Issa R, Jonker E, Amyot D, Cogo E, Corriveau J-P, Walker M, Chowdhury S, Vaillancourt R, Roffey T, Bottomley J. A Globally Optimal k-Anonymity Method for the De-identification of Health Data Journal of the American Medical Informatics Association, 2009.
6. El Emam K, Jonker E, Sams S, Neri E, Neisa A, Gao T, Chowdhury S. Pan-Canadian De-Identification Guidelines for Personal Health Information (report prepared for the Office of the Privacy Commissioner of Canada). 2007; Available from: [http://www.ehealthinformation.ca/documents/OPCReportv11.pdf]. Archived at: [http://www.webcitation.org/5Ow1Nko5C].
7. El Emam K, Brown A, Abdelmalik P. Evaluating Predictors of Geographic Area Population Size Cutoffs to Manage Re-identification Risk. Journal of the American Medical Informatics Association, 2009; 16(2):256-266.
8. ISO/TS 25237. Health Informatics: Pseudonymization. 2008.
9. Hansell S. AOL Removes Search Data on Group of Web Users in New York Times. 2006: 8 August.
10. Barbaro M, Zeller Jr. T. A Face Is Exposed for AOL Searcher No. 4417749 in New York Times. 2006: 9 August.
11. Zeller Jr. T. AOL Moves to Increase Privacy on Search Queries, in New York Times. 2006: August 22.
12. Ochoa S, Rasmussen J, Robson C, Salib M. Reidentification of individuals in Chicago's homicide database: A technical and legal study. 2001; Massachusetts Institute of Technology.
13. Narayanan A, Shmatikov V. Robust de-anonymization of large datasets (how to break anonymity of the Netflix prize dataset). 2008; University of Texas at Austin.
14. Sweeney L. Computational disclosure control: A primer on data privacy protection. 2001, Massachusetts Institute of Technology.
15. Appelate Court of Illinois - Fifth District. The Southern Illinoisan v. Department of Public Health. 2004.
16. The Supreme Court of the State of Illinois. Southern Illinoisan vs. The Illinois Department of Public Health. 2006.
17. Federal Court (Canada). Mike Gordon vs. The Minister of Health: Affidavit of Bill Wilson. 2006.
18. El Emam K, Dankar F. Protecting privacy using k-anonymity. Journal of the American Medical Informatics Association, 2008; 15:627-637.
19. El Emam K. Heuristics for de-identifying health data. IEEE Security and Privacy, 2008:72-75.
20. Federal Data Protection Act (Germany). 2006.
21. Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data: Adopted on 20th June. 2007; Available from: [http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf]. Archived at: [http://www.webcitation.org/5Q2YBu0CR].
22. El Emam K, Kosseim P. Privacy Interests in Prescription Records, Part 2: Patient Privacy. IEEE Security and Privacy, 2009; 7(2):75-78.
23. Canadian Institutes of Health Research. Recommendations for the Interpretation and Application of the Personal Information Protection and Electronic Documents Act (S.C.2000, c.5) in the Health Research Context Canadian Institutes of Health Research. 2001; Available from: [http://www.cihr-irsc.gc.ca/e/documents/recommendations_e.pdf].
24. Canadian Institutes of Health Research. Background Legal Research and Analysis in Support of CIHR's Recommendations with Respect to the Personal Information Protection and Electronic Documents Act (PIPEDA) (S.C. 2000, c. 5). 2001; Available from: [http://www.cihr-irsc.gc.ca/e/documents/legal_analysis_e.pdf].
25. Commission regulation (EC) No 831/2002 o1 17 May 2002 on implementing council regulation (EC) No 322/97 on community statistics, concerning access to confidential data for scientific purposes. Official Journal of the European Communities, 2002.
26. Beach J. Health care databases under HIPAA: Statistical approaches to de-identification of protected health information. DIMACS Working Group on Privacy/Confidentilaity of Health Data. 2003.
27. American Public Health Association. Statisticians and de-identifying protected health information for HIPAA. 2005; Available from: [http://www.apha.org/membergroups/newsletters/sectionnewsletters/statis/fall05/2121.htm].
28. Brownlee C, Waleski B. Privacy Law. 2006: Law Journal Press.
29. Mike Gordin and the Minister of Health and the Privacy Commissioner of Canada: Memorandum of Fact and Law of the Privacy Commissioner of Canada. 2007; Federal Court.
30. Long M, Perrin S, Brands S, Dixon L, Fisher F, Gellman R. Privacy enhancing tools and practices for an electronic health record (EHR) environment: Phase 2 of a research report for Health Canada's Office of Health and the Information Highway. 2003; Health Canada.
31. Pabrai U. Getting Started with HIPAA. 2003: Premier Press.
32. El Emam K. Data Anonymization Practices in Clinical Research: A Descriptive Study. 2006; Health Canada, Access to Information and Privacy Division. 33. National Committee on Vital and Health Statistics. Report to the Secretary of the US Department of Health and Human Services on Enhanced Protections for Uses of Health Data: A Stewardship Framework for "Secondary Uses" of Electronically Collected and Transmitted Health Data. 2007.
34. Clause S, Triller D, Bornhorst C, Hamilton R, Cosler L. Conforming to HIPAA regulations and compilation of research data. Amercian Journal of Health-System Pharmacy, 2004; 61(10):1025-1031.
35. Duncan G, Jabine T, de Wolf S. Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics. 1993: National Academies Press.
36. de Waal A, Willenborg L. A view on statistical disclosure control for microdata. Survey Methodology, 1996; 22(1):95-103.
37. Office of the Privacy Commissioner of Quebec (CAI). Chenard v. Ministere de l'agriculture, des pecheries et de l'alimentation (141). 1997.
38. National Center for Education Statistics. NCES Statistical Standards. 2003; US Department of Education.
39. Cancer Care Ontario Data Use and Disclosure Policy. 2005; Cancer Care Ontario.
40. Security and confidentiality policies and procedures. 2004; Health Quality Council.
41. Privacy code. 2004; Health Quality Council.
42. Privacy code. 2002; Manitoba Center for Health Policy.
43. Subcommittee on Disclosure Limitation Methodology - Federal Committee on Statistical Methodology. Working paper 22: Report on statistical disclosure control. 1994; Office of Management and Budget.
44. Statistics Canada. Therapeutic abortion survey. 2007; Available from: [http://www.statcan.ca/cgi-bin/imdb/p2SV.pl?Function=getSurvey&SDDS=3209&lang=en&db=IMDB&dbg=f&adm=8&dis=2#b9]. Archived at: [http://www.webcitation.org/5VkcHLeQw].
45. Office of the Information and Privacy Commissioner of British Columbia. Order No. 261-1998. 1998.
46. Office of the Information and Privacy Commissioner of Ontario. Order P-644. 1994; Available from: [http://www.ipc.on.ca/images/Findings/Attached_PDF/P-644.pdf].
47. Alexander L, Jabine T. Access to social security microdata files for research and statistical purposes. Social Security Bulletin, 1978; 41(8):3-17.
48. Ministry of Health and Long Term care (Ontario). Corporate Policy 3-1-21. 1984.
49. El Emam K, Sams S. Anonymization case study 1: Randomizing names and addresses. 2007; Available from: [http://www.ehealthinformation.ca/documents/PACaseStudy-1.pdf]. Archived at: [http://www.webcitation.org/5OT8Y1eKp].
50. Numeir R, Lemay A, Lina J-M. Pseudonymization of radiology data for research purposes. Journal of Digital Imaging, 2007; 20(3):284-295.
51. Eguale T, Bartlett G, Tamblyn R. Rare visible disorders / diseases as individually identifiable health information. Proceedings of the American Medical Informatics Association Symposium. 2005.
52. El Emam K. De-identifying health data for secondary use: A framework. 2008; Available from: [http://www.ehealthinformation.ca/documents/SecondaryUseFW.pdf].
53. El Emam K, Dankar F, Vaillancourt R, Roffey T, Lysyk M. Evaluating patient re-identification risk from hospital prescription records. Canadian Journal of Hospital Pharmacy, 2009; 62(4):307-319.