# Best Practices in Evolving Privacy Frameworks for Patient Age Data: Census Data Study

**Authors:** Colin Moffatt, Jonah Leshin

PMC · DOI: 10.2196/47248 · JMIR Formative Research · 2024-03-25

## TL;DR

This paper suggests increasing the age threshold in privacy rules to improve data utility while keeping privacy risks the same, based on U.S. census data trends.

## Contribution

A method for updating HIPAA age thresholds using census data to maintain privacy while increasing data utility.

## Key findings

- The age threshold in HIPAA can be increased by at least 2 years without exceeding original privacy risks.
- For subgroups with higher longevity, such as females, the threshold can be raised even further.
- Regular updates to age thresholds are recommended to align with demographic changes.

## Abstract

Over the previous 4 decennial censuses, the population of the United States has grown older, with the proportion of individuals aged at least 90 years old in the 2010 census being more than 2 and a half times what it was in the 1980 census. This suggests that the threshold for constraining age introduced in the Safe Harbor method of the HIPAA (Health Insurance Portability and Accountability Act) in 1996 may be increased without exceeding the original levels of risk. This is desirable to maintain or even increase the utility of affected data sets without compromising privacy.

In light of the upcoming release of 2020 census data, this study presents a straightforward recipe for updating age-constrained thresholds in the context of new census data and derives recommendations for new thresholds from the 2010 census.

Using census data dating back to 1980, we used group size considerations to analyze the risk associated with various maximum age thresholds over time. We inferred the level of risk of the age cutoff of 90 years at the time of HIPAA’s inception in 1996 and used this as a baseline from which to recommend updated cutoffs.

The maximum age threshold may be increased by at least 2 years without exceeding the levels of risk conferred in HIPAA’s original recommendations. Moreover, in the presence of additional information that restricts the population in question to a known subgroup with increased longevity (for example, restricting to female patients), the threshold may be increased further.

Increasing the maximum age threshold would enable the data user to gain more utility from the data without introducing risk beyond what was originally envisioned with the enactment of HIPAA. Going forward, a recurring update of such thresholds is advised, in line with the considerations detailed in the paper.

## Full-text entities

- **Diseases:** HIPAA (OMIM:603663)
- **Species:** Homo sapiens (human, species) [taxon 9606]

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC11002729/full.md

## Figures

4 figures with captions in the complete paper: https://tomesphere.com/paper/PMC11002729/full.md

## References

18 references — full list in the complete paper: https://tomesphere.com/paper/PMC11002729/full.md

---
Source: https://tomesphere.com/paper/PMC11002729