On Nov. 26, 2012, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced the release of a guidance document (dated Sept. 4, 2012) regarding methods for the de-identification of protected health information (PHI) in accordance with the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In Section 13424(c) of the Health Information Technology for Economic and Clinical Health Act of 2009, Congress mandated that HHS issue the guidance.
The Privacy Rule sets forth the standard for de-identification of PHI at 45 C.F.R. § 164.514(a). Under the standard, health information is not “individually identifiable” if it does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. The Privacy Rule sets forth two methods that may be used to satisfy the Privacy Rule’s de-identification standard: i.e., expert determination and a safe harbor.
According to the OCR, the process of de-identification of health information (i.e., the removal of identifiers) is important because it “mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.”
Guidance on Satisfying the Expert Determination Method
Under the expert determination method of de-identification of PHI, a covered entity may determine that health information is not individually identifiable if a person with “appropriate knowledge of and experience with generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable (i) applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) documents the methods and results of the analysis that justify such determination.”
The guidance describes the factors that the OCR will consider in evaluating the qualifications of an “expert” who is engaged to determine whether health information is de-identified. The OCR also explains in some detail how experts assess the risk of identification of information using three key principles in such an evaluation, i.e., the replicability, availability and distinguishability of the applicable data. In addition, the OCR explains that some de-identification practitioners use the approach of time-limited certifications of de-identification in recognition that technology, social conditions and availability of information change over time, necessitating periodic reassessments of the risk of identification of information previously determined to be de-identified.
This section of the guidance will be most helpful to health care providers, health plans and their business associates in assessing the qualifications of an expert and understanding the process by which a de-identification determination is reached, but cannot itself substitute for an expert’s determination that health information has been sufficiently de-identified under the standard.
Guidance on Satisfying the Safe Harbor Method
The safe harbor method of de-identification of PHI is less subjective than the expert determination method and may be used without consultation with an expert. To satisfy the de-identification standard under the safe harbor, a covered entity must remove all 18 enumerated identifiers from the data to be disclosed, in addition to having no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.
The guidance answers frequently asked questions regarding ZIP Codes, treatment dates and other potentially identifying numbers, characteristics and codes. In addition, the guidance provides examples of what constitutes “actual knowledge” that information remaining after de-identification could be used to identify an individual who is the subject of the information. Finally, the guidance explains that once data is de-identified in accordance with the safe harbor, a covered entity need not enter into a data use agreement in order to share the de-identified information with a third party. However, a covered entity is not prohibited from using such agreement, which may contractually prohibit the re-identification of such information by the recipient.
The guidance demonstrates that a determination that a data set is de-identified may be a complex undertaking. Individuals and organizations that are covered entities should consult the guidance prior to any determination that certain health information is de-identified in accordance with the HIPAA de-identification standard under either method.