FHIR Chat · Anonymous Patients · implementers

Stream: implementers

Topic: Anonymous Patients

view this post on Zulip Jim Price (Feb 18 2019 at 15:35):

Hello, I am new to FHIR and was looking to get guidance on how others treat anonymous patients. Our system currently supports patients with no first name but a middle name as a form of anonymity, but this is unsupported in FHIR as the middle name would get rolled up to the first name. I see that you can have a name field with a type anonymous. What would you expect for a patient who should remain anonymous? Two name fields, one official, one anonymous, or just the anonymous field with the family/given names filled out? Thankful for any guidance

view this post on Zulip Patrick Werner (Feb 18 2019 at 15:43):

not sure if i understood the problem correct, but why not omit the whole HumanName for anonymous patients?

view this post on Zulip Jim Price (Feb 18 2019 at 15:45):

I would think you still want a means of identifying the patient somehow, even if just internally. The goal is to not include the patient's name on any displays. You would still want a means of tying patient records together, as well as distinguishing between anonymous patients.

view this post on Zulip Patrick Werner (Feb 18 2019 at 15:55):

then i would populate a indentifier element with a unique identifier for this patient and don't contain a HumanName Element

view this post on Zulip Lloyd McKenzie (Feb 18 2019 at 16:08):

Just withholding the first name won't necessarily create much anonanymity. Some patients may have distinctive (and well-known) middle names. Others might not have a middle name at all. However, if you want to give the patient some sort of a pseudonym for anonymity purposes, you can use this extension: http://hl7.org/fhir/extension-iso21090-en-use.html. The code "ANON" should work.

view this post on Zulip John Moehrke (Feb 18 2019 at 16:09):

There is some text in the FHIR specification on this topic -- http://build.fhir.org/secpriv-module.html#deId

view this post on Zulip John Moehrke (Feb 18 2019 at 16:11):

There are standards that guide you on how to use pseudonymization to create various types of reversable methods. The one you use will depend on the use-case that is an authorized re-identification. https://healthcaresecprivacy.blogspot.com/2014/06/de-identification-process-reduce-risk.html

view this post on Zulip Stefan Lang (Feb 18 2019 at 16:15):

As an addition, what you are talking about is supposedly pseudonymization, not anonymization (see John's second link)

view this post on Zulip John Silva (Feb 18 2019 at 22:48):

In HL7 V2 the ADT PID XPN (eXtended Person Name) had a Name Type property from table 0200 and this has a value of:

S Coded Pseudo-Name to ensure anonymity

Is there an equivalent way of encoding the HumanName FHIR property with a type qualifier?

(I think the use case for this was a VIP patient whose real name is meant to be hidden, not necessarily for de-identified patient naming.)

view this post on Zulip Lloyd McKenzie (Feb 18 2019 at 22:49):

Yes, as mentioned above, you can use the iso21090-en-use extension.

view this post on Zulip Jim Price (Feb 19 2019 at 14:42):

Yes, as John Silva mentioned, the use case was for VIPs. We already have a solution for de-identified patient naming

view this post on Zulip John Moehrke (Feb 19 2019 at 14:53):

even for VIP use, why would middlename be an allowed risk? For a VIP patient, I would expect a very pseudo Patient resource. For which the name can be all made up. I recall common situations where a VIP is given an alias, which would seem useful to put into the name element.

view this post on Zulip Michael Donnelly (Feb 25 2019 at 21:32):

Assigning a pseudonym is great. Another option is not to return VIP patients at all.

Last updated: Apr 12 2022 at 19:14 UTC


An HL7 Website -