Comments provided on RIN 0991–AB78: http://ow.ly/6vj4w
Regarding Metadata Standards to Support Nationwide Electronic Health Information Exchange
In this response, we do not address the specific questions posed in the metadata ruling proposal, but rather we argue that these metadata standards solve nothing while creating major security risks for patients. The PCAST Report argues for tagged data elements for many important reasons:
The best way to manage and store data for advanced data-analytical techniques is to break data down into the smallest individual pieces that make sense to exchange or aggregate. These individual pieces are called “tagged data elements” (TDEs), because each unit of data is accompanied by a mandatory “metadata tag” that describes the attributes, provenance, and required security protections of the data. Universal exchange languages for metadata-tagged data, called “extensible markup languages,” are widely and successfully used.
One important feature of such a universal exchange language (UEL) is that it can securely hide associations among the data. TDEs can be disassociated from other TDEs, making them impossible to aggregate again without adequate authorization, which provides the tools for rebuilding the linkages among the TDEs. This adds a level of security above and beyond that provided by encryption alone. Putting metadata tags at the document level simply makes the information easier to find, but it also makes it easier to identify whom the information describes: once the document is located, decryption alone gives full access to a set of information about the individual. If the metadata is the actual patient identifier information, how can this data be maintained as de-identified?
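The contrast drawn above, as an added example that is not part of the original comment letter or the PCAST Report: a document-level bundle that carries the patient identifier in its metadata, next to element-level TDEs whose linkage can only be rebuilt by a holder of a separate linkage key. The keyed-token (HMAC) scheme, the function names, the "clinic-A" provenance value and the sample record are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; field names and values are invented for illustration.
RECORD = {"name": "Jane Example", "dob": "1970-01-01", "diagnosis": "asthma"}


def document_level(patient_id, record):
    """Document-level tagging: the identifier sits in the metadata of one bundle."""
    return {"metadata": {"patient_id": patient_id}, "body": dict(record)}


def link_token(link_key, patient_id, nonce):
    """Keyed token tying a TDE to a patient; it cannot be recomputed without link_key."""
    return hmac.new(link_key, patient_id.encode() + nonce, hashlib.sha256).hexdigest()


def split_into_tdes(patient_id, record, link_key, source="clinic-A"):
    """Element-level tagging: one TDE per field, each with its own tag and nonce."""
    tdes = []
    for attribute, value in record.items():
        nonce = secrets.token_bytes(16)  # fresh per TDE, so tokens differ per element
        tdes.append({
            "tag": {"attribute": attribute, "provenance": source,
                    "nonce": nonce.hex(),
                    "link": link_token(link_key, patient_id, nonce)},
            "value": value,  # assumed to be encrypted as well in a real store
        })
    return tdes


def reassemble(patient_id, pool, link_key):
    """Authorized path: recompute each token and keep only the TDEs that match."""
    out = {}
    for tde in pool:
        tag = tde["tag"]
        expected = link_token(link_key, patient_id, bytes.fromhex(tag["nonce"]))
        if hmac.compare_digest(expected, tag["link"]):
            out[tag["attribute"]] = tde["value"]
    return out


def demo():
    """Build a shuffled pool holding the TDEs of two constructed patients."""
    key = secrets.token_bytes(32)
    pool = split_into_tdes("patient-001", RECORD, key)
    pool += split_into_tdes("patient-002", {"diagnosis": "diabetes"}, key)
    secrets.SystemRandom().shuffle(pool)
    return key, pool
```

In the document-level form, locating the bundle yields the identifier and every field together; in the element-level form, the pool exposes no shared value across one patient's TDEs, and regrouping requires the linkage key in addition to any decryption key.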