Responsibly Using And Disclosing De-identified Data Under The HIPAA Privacy Rule

Moderated by:
Ann Waldo (Wittie, Letsche & Waldo, LLP)
Khaled El Emam (Children's Hospital of Eastern Ontario - Research Institute & University of Ottawa), David Houlding (Intel)
Location: Plaza Room A Level: Intermediate

Organizations, both private and public sector are sitting on large amounts of valuable health data – whether they are researchers, pharmaceutical companies, healthcare providers, health IT developers, insurers, or claims processors. The value in this data can be unlocked to improve efficiencies and to create new business opportunities, from public health to leading edge research, if the data can be used and disclosed. Because some of these usage models also bring privacy and security risks, effective risk mitigation is essential. De-identification, as part of a multi-layered approach, is a key safeguard that can be used to mitigate key risks. The HIPAA Privacy Rule provides mechanisms for using and disclosing health data responsibly without the need for patient authorization. These mechanisms focus on the HIPAA de-identification standards. In this tutorial we will describe the de-identification standards in HIPAA, how to interpret them in a practical manner, and how to apply the HIPAA de-identification standards to de-identify health data in a defensible way. We will also look at how de-identification can be used within a broader, holistic privacy and security practice.

Attendees will:

  • Get an introduction to the motivations for and general concepts around the de-identification of health information
  • Understand the HIPAA Privacy Rule de-identification standards and how they can be operationalized
  • Learn through examples how data sets can be de-identified and disclosed, and how they can still retain significant utility for sophisticated analytics
Photo of Ann Waldo

Ann Waldo

Wittie, Letsche & Waldo, LLP

Ms. Waldo’s law practice is focused on privacy, information security and health care issues. She is experienced in advising clients regarding privacy compliance, risk management, information security, marketing, international data transfers, and integrating privacy goals into business strategies. She counsels and represents clients regarding public policy, external relations, and government relations matters in the fields of privacy and health care.

Ms. Waldo served as an in-house lawyer for much of her career. She was the global Chief Privacy Officer for Lenovo, a large international computer manufacturer, where she was responsible for compliance with privacy laws applicable to marketing, human resources, international data transfers, and product development. She also represented the company’s public policy positions in domestic and international privacy conferences and negotiations. She previously led privacy compliance as Chief Privacy Officer for Hoffmann-La Roche, a large international pharmaceutical company, and worked in public policy for GlaxoSmithKline, providing legislative support on privacy and other matters. She was actively involved with the International Pharmaceutical Privacy Consortium. She served as in-house counsel at IBM, working on consumer protection, marketing, and e-business. Prior to her work at IBM, she had been a commercial litigator and had handled tax legislation for a state legislature.

She counsels clients on consumer-law privacy matters, which apply to businesses in general, as well as privacy laws specific to the health care sector (HIPAA and HITECH). She has particular interest in and experience with emerging technologies that handle sensitive health information, such as personal health records, genetics-related companies, and Health Information Exchanges. She has served on the Personal Health Record work group for the Certification Commission on Health Information Technology, has advised a state Health Information Exchange, and currently serves on the Board of Advisors for the Harvard SHARP grant on substitutable electronic health record components.

A frequent public speaker, Ms. Waldo is active in the International Association of Privacy Professionals and the Carolina Privacy Officials Network, has consulted with foreign governments regarding privacy laws, and has represented the United States government in APEC privacy talks in Korea and Australia. She is a Certified Information Privacy Professional.

Photo of Khaled El Emam

Khaled El Emam

Children's Hospital of Eastern Ontario - Research Institute & University of Ottawa

Dr. Khaled El Emam is an Associate Professor at the University of Ottawa, Faculty of Medicine, a senior investigator at the Children’s Hospital of Eastern Ontario Research Institute, and a Canada Research Chair in Electronic Health Information at the University of Ottawa. His main area of research is developing techniques for health data de-identification or anonymization and secure disease surveillance for public health purposes. Previously Khaled was a Senior Research Officer at the National Research Council of Canada, and prior to that he was head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany. He has co-founded two companies to commercialize the results of his research work. In 2003 and 2004, he was ranked as the top systems and software engineering scholar worldwide by the Journal of Systems and Software based on his research on measurement and quality evaluation and improvement, and ranked second in 2002 and 2005. He holds a Ph.D. from the Department of Electrical and Electronics, King’s College, at the University of London (UK). His website is He is very influential and a thought leader in the privacy and health information space. In addition, he is one of only a handful of individuals known worldwide to be qualified to de-identify personal health information.

Photo of David Houlding

David Houlding


David Houlding is the Healthcare Privacy & Security Lead Architect at Intel, with 20 years of experience in healthcare, enterprise architecture and privacy & security. David is responsible for tracking healthcare trends, privacy & security risks they drive, and best practices for managing risks globally. As the former Lead Architect for the Intel Health Guide System, and prior to that the Chief Architect of Perot Systems Healthcare Payer Systems, David has extensive experience in healthcare (provider and payer) and privacy & security. With several patents granted by the USPTO, David has a proven track record for innovation. David is a CISSP (Certified Information Systems Security Professional), a CIPP (Certified Information Privacy Professional), and has a Master of Applied Science in Data Compression and Digital Signal Processing from Simon Fraser University, British Columbia, Canada. David has presented keynotes and sessions, and participated in panel discussions at numerous major industry conferences including HIMSS, mHealth Summit, HealthTech NextGeneration, InfoSec, NIST HIPAA Security Conference, iHT2 Health IT Summit, NIST Security Automation Conference, Enterprise Architecture Practitioners Conferences, Innovation Insights, and several other conferences. He has published and contributed to numerous articles in major trade journals including Healthcare Technology Online and Dr. Dobb’s Journal. David has also made contributions to book publications including XML Unleashed, and has been interviewed for newspaper and other articles.


For information on exhibition and sponsorship opportunities at the conference, contact Sharon Pierce at (203) 304-9476 or

For information on trade opportunities with O'Reilly conferences contact mediapartners

For media-related inquiries, contact Maureen Jennings at

View a complete list of Strata Rx contacts