The conventional approach to preserving the confidentiality of health records aggregates all records within a geographical area that has a population large enough to ensure prevention of disclosure. Though this approach normally protects the privacy of individuals, the use of such aggregated data limits the types of research one can conduct and makes it impossible to address many important health problems. In this paper we discuss the design and implementation of geographical masks that not only preserve the security of individual health records, but also support the investigation of questions that can be answered only with some knowledge about the location of health events. We describe several alternative methods of masking individual-level data, evaluate their performance, and discuss both the degree to which we can analyse masked data validly and the relative security of each approach, should anyone attempt to recover the identity of an individual from the masked data. We conclude that the geographical masks we describe, when appropriately used, protect the confidentiality of health records while permitting many important geographically-based analyses, but that further research is needed to determine how the power of tests for clustering or the strength of other associative relationships are adversely affected by the characteristics of different masks. Copyright (C) 1999 John Wiley & Sons, Ltd.
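The abstract weighs two properties of a geographical mask against each other: how much a masked point still reveals about the true location, and how much the mask distorts the spatial statistics an analyst wants to compute. The following Python is an added illustration, not the paper's own methods or code; it assumes one simple mask (each record displaced a random distance up to a chosen radius in a random direction) and a constructed set of twelve case locations, and it reports a displacement summary, a mean nearest-neighbour distance before and after masking, and the fraction of masked records that a nearest-point match would still link to their own source.

```python
"""Random-displacement geographic mask with a confidentiality/validity check.

Added illustration, not the paper's own method or code. Assumptions: the mask
moves every record a uniformly random distance in [0, radius] at a uniformly
random bearing; the sample coordinates below are constructed, in arbitrary
map units.
"""
import math
import random
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed sample: 12 case locations (x, y). Three small clusters plus
# two isolated cases, so the mask's effect on clustering is visible.
SAMPLE_CASES: List[Point] = [
    (10.0, 10.0), (10.5, 10.2), (11.0, 9.8), (12.0, 10.5),
    (30.0, 30.0), (31.0, 29.0), (29.5, 31.0),
    (50.0, 10.0), (52.0, 12.0), (48.0, 11.0),
    (70.0, 70.0), (10.0, 70.0),
]


def random_displacement_mask(points: List[Point], radius: float,
                             seed=None) -> List[Point]:
    """Move each point by a random distance in [0, radius] at a random bearing."""
    rng = random.Random(seed)
    masked = []
    for x, y in points:
        d = rng.uniform(0.0, radius)
        theta = rng.uniform(0.0, 2 * math.pi)
        masked.append((x + d * math.cos(theta), y + d * math.sin(theta)))
    return masked


def _dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def displacement_stats(original: List[Point], masked: List[Point]):
    """(min, mean, max) distance between each true and masked location.
    Larger displacements mean a masked point says less about the true one."""
    ds = [_dist(o, m) for o, m in zip(original, masked)]
    return min(ds), sum(ds) / len(ds), max(ds)


def mean_nearest_neighbour_distance(points: List[Point]) -> float:
    """Mean distance from each point to its nearest other point: a basic
    clustering statistic, used here to see how much the mask distorts it."""
    total = 0.0
    for i, p in enumerate(points):
        total += min(_dist(p, q) for j, q in enumerate(points) if j != i)
    return total / len(points)


def linkage_rate(original: List[Point], masked: List[Point]) -> float:
    """Fraction of masked records whose nearest original record is their own
    source. 1.0 means a nearest-point match still pairs every masked record
    with its true location; lower values mean the mask has blurred the
    one-to-one correspondence."""
    hits = 0
    for i, m in enumerate(masked):
        nearest = min(range(len(original)), key=lambda j: _dist(m, original[j]))
        hits += int(nearest == i)
    return hits / len(masked)


def evaluate_mask(points: List[Point], radius: float, seed=0) -> Dict:
    """Mask the points and collect the validity/security measures together."""
    masked = random_displacement_mask(points, radius, seed)
    return {
        "radius": radius,
        "displacement": displacement_stats(points, masked),
        "nn_original": mean_nearest_neighbour_distance(points),
        "nn_masked": mean_nearest_neighbour_distance(masked),
        "linkage_rate": linkage_rate(points, masked),
    }


if __name__ == "__main__":
    # Sweep the radius to see the trade-off: as displacement grows, the
    # nearest-neighbour statistic drifts and the linkage rate falls.
    for r in (0.5, 2.0, 5.0, 20.0):
        print(evaluate_mask(SAMPLE_CASES, r, seed=0))
```

Running the sweep shows the tension the abstract describes: a small radius leaves the clustering statistic nearly intact but also leaves most masked records linkable to their source, while a large radius breaks the linkage at the cost of distorting the pattern. A real evaluation would replace the toy statistic with the clustering tests the analysis actually uses, and would choose the radius against the local population density rather than a fixed value, since a fixed displacement in a sparsely populated area protects far less than the same displacement in a city.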