Privacy matters: When is personal data truly de-identified?

25.07.2009

No other country has developed more rigorous or detailed guidance for how to convert personal data covered by privacy regulations into non-personal data (see Table 2). Indeed, clinical-research organizations rarely use the "safe harbor" and "limited data set" options because they must strip out so much information -- particularly dates of service and discharge -- that the remaining data is almost worthless from a clinical-research perspective.

What's the benefit to America of this obscure de-identification rule? It enables health care organizations that otherwise wouldn't have been able to use patient data to convert it into a format they can use for a range of other purposes. These other purposes include improving the efficacy of drugs and medical devices and identifying the optimal places to build new health care facilities.

And I haven't heard of a single case of a de-identified data set being breached by criminals and re-identified. I checked the major running tallies of data breaches and came up empty.

It's probably because there's far less economic incentive for a criminal to go after medical data instead of credit card information. It's harder to monetize the fact that I know that Judy Smith of Peoria has heart disease -- by filing false claims in her name, for example -- than to have Judy's credit card number and expiration date. If I'm a criminal with advanced data skills and I have a day to spend, I'm going to go after financial data and not health data.

That's why I'm biased in favor of the HIPAA de-identification criteria. I think they advance public health without compromising privacy. But the activists calling for change make some arguments worth considering.