Utility-Aware Anonymization of Diagnosis Codes

The growing need for performing large-scale and low-cost biomedical studies has led organizations to promote the reuse of patient data. For instance, the National Institutes of Health in the U.S. requires patient-specific data collected and analyzed in the context of Genome-wide Association Studies (GWAS) to be deposited into a biorepository and broadly disseminated. While essential to comply with regulations, disseminating such data risks privacy breaches because patients´ genomic sequences can be linked to their identities through diagnosis codes. This paper proposes a novel approach that prevents this type of data linkage by modifying diagnosis codes to limit the probability of associating a patient´s identity to their genomic sequence. Our approach employs an effective algorithm that uses generalization and suppression of diagnosis codes to preserve privacy and takes into account the intended uses of the disseminated data to guarantee utility. We also present extensive experiments using several datasets derived from the electronic medical record (EMR) system of the Vanderbilt University Medical Center, as well as a large-scale case study using the EMRs of 79K patients, which are linked to DNA contained in the Vanderbilt University biobank. Our results verify that our approach generates anonymized data that permit accurate biomedical analysis in tasks including case count studies and GWAS.