How to Implement L‑Diversity in Healthcare Data: Step‑by‑Step Guide with Examples

Understanding L-Diversity Privacy Model

L-Diversity strengthens k-anonymity by requiring that each equivalence class—records sharing the same quasi-identifiers—contains at least L well-represented values for the sensitive attributes. This reduces the risk of inference attacks, homogeneity attacks, and downstream data deanonymization even when an attacker knows the quasi-identifiers.

You typically apply L-Diversity after or alongside k-anonymity. k-anonymity hides individuals within groups of size k, but if everyone in a group has the same diagnosis, an adversary still learns that diagnosis. L-Diversity forces diversity in those sensitive values so that learning group membership does not reveal the attribute.

Key concepts

• Quasi-identifiers (QIs): Attributes such as age, sex, ZIP code, and visit date that can re-identify a person in combination.
• Sensitive attributes: Data like diagnosis codes, procedures, medications, or genetic markers that you aim to protect.
• Equivalence classes: Groups formed by identical QI values after generalization/suppression.

Common L-Diversity variants

• Distinct L-Diversity: Each class contains at least L distinct sensitive values.
• Entropy L-Diversity: The entropy of sensitive values in a class is at least log(L), preventing near-dominance by one value.
• Recursive (c,L)-Diversity: The most frequent value is bounded so it cannot overwhelm the minority values.

Choose L relative to risk tolerance and data sparsity. For moderate-risk releases, L=2–3 is common; for highly sensitive releases, consider larger L or pair with stronger models.

Identifying Quasi-Identifiers in Healthcare Data

Start by classifying columns into direct identifiers, quasi-identifiers, and sensitive attributes. Remove direct identifiers entirely (names, SSN, full address, phone). Then isolate QIs that are broadly available externally or show high uniqueness when combined.

Typical QIs in patient datasets

• Demographics: age or date of birth, sex, race/ethnicity.
• Geography: ZIP code (coarsen to ZIP3), county, state.
• Time: admission date, discharge date, visit month/year (coarsen to months or quarters).
• Care context: facility type, service line, payer type (often generalized).

Practical steps to select QIs

• Uniqueness scan: Compute distinct counts for single columns and combinations to see which fields create rare tuples.
• External availability check: Prefer treating attributes as QIs if they are likely known (e.g., age and ZIP) or easily searchable.
• Generalization readiness: Prefer QIs you can place on clear hierarchies (age → age bands; ZIP5 → ZIP3 → state).

Define sensitive attributes you will protect—commonly diagnosis (ICD codes), procedures (CPT/HCPCS), genomic results, or mental health indicators. Your L-Diversity constraint will apply to each selected attribute or to a composite view.

Forming Equivalence Classes

After selecting QIs, create generalization hierarchies and group records. The goal is to ensure every group meets both k-anonymity (size ≥ k) and L-Diversity.

Example generalizations

• Age → 5- or 10-year bands: 0–9, 10–19, …, 80–89, 90+.
• ZIP5 → ZIP3 → State.
• Visit date → Month → Quarter → Year.

Illustrative grouping

QI = {ZIP3, AgeBand, Sex}
SA = {Diagnosis}

ZIP3 AgeBand Sex | Diagnosis
-----------------|----------
021   30–39   F  | Asthma
021   30–39   F  | Migraine
021   30–39   F  | Diabetes

Equivalence class: (021, 30–39, F)
- Size (k) = 3
- Distinct diagnoses = 3 → distinct L-Diversity holds for L ≤ 3

If a class fails k or L, increase generalization (e.g., merge 30–39 with 40–49; move ZIP3 to state) or apply limited suppression to outliers.

Ensuring Sensitive Attribute Diversity

Decide which variant of L-Diversity to enforce and set thresholds. Distinct L-Diversity is simple to explain to stakeholders, while entropy or recursive diversity better handles skewed distributions.

How to test L-Diversity per class

• Distinct: count unique sensitive values; require count ≥ L.
• Entropy: compute H = −∑ pᵢ log pᵢ over sensitive values in the class; require H ≥ log L.
• Recursive (c,L): sort sensitive value counts descending; require the most frequent value ≤ c × sum of the remaining, and at least L distinct values.

For multiple sensitive attributes, you can enforce L on each independently, or enforce it on a combined code space (e.g., top-level ICD block), which often preserves more utility while still mitigating inference attacks.

Edge cases to watch

• Skew: If one diagnosis dominates the dataset, pure distinct L-Diversity may pass while still leaking information; use entropy or recursive variants.
• Rare conditions: Aggregating to higher-level categories (e.g., ICD blocks) can satisfy L without excessive suppression.
• Small subpopulations: Consider higher k before enforcing L to reduce re-identification risks for minority groups.

Filtering Non-Compliant Classes

Once you compute diversity metrics, filter classes that fail and apply remediation. Always track a suppression budget and information-loss metrics to avoid destroying utility.

Remediation strategies

• Generalize QIs further: widen age bands, move ZIP to state, reduce date precision.
• Aggregate sensitive attributes: roll ICD-10 codes to chapter/block for diversity while preserving clinical meaning.
• Local suppression: remove or mask a small set of high-risk rows within a class.
• Top/bottom coding: cap extreme ages (e.g., 90+) to reduce uniqueness.

Iterate until all classes meet both k and L or until you hit predefined limits. If utility drops below an agreed threshold, reconsider the attribute set, the target L, or the release granularity.

Applying L-Diversity with Programming Tools

You can implement L-Diversity using general-purpose data tools or specialized anonymization frameworks. Below is a compact Python workflow that generalizes QIs, forms equivalence classes, and checks multiple L-Diversity variants.

Python (pandas) example

import pandas as pd
import numpy as np
from math import log