Pseudonymization is a de-identification process that has gained traction due to the adoption of GDPR, where it is referenced as a security and data protection by design mechanism. The application of pseudonymization to electronic healthcare records aims at preserving the patient's privacy and data confidentiality.
In the US, HIPAA provides guidelines on how healthcare data must be handled, while data de-identification or pseudonymization is considered to simplify HIPAA compliance. According to GDPR, if pseudonymization is properly applied can lead to the relaxation, up to a certain degree, of data controllers’ legal obligations.
Even though pseudonymization is a core technique for both GDPR and HIPAA, there are significant differences in the legal status of the generated data. Under GDPR, pseudonymous data is still personal data, while under HIPAA it can be shared provided that the correct data fields are pseudonymized.
Definition of Pseudonymization
Article 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” However, the Regulation notes that the process of de-identifying data is not irreversible and is subject to provisions such as that “such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
It must be noted that pseudonymization is different from anonymization, which is defined in ISO/TS 25237:2017 as the “process by which per ..
Support the originator by clicking the read the rest link below.
