Escaping HIPAA: New Guidance on De-Identifying Health Information


[author: Adam H. Greene]

HIPAA places tight restrictions on the use and disclosure of protected health information, but there are many ways to “de-identify” it, freeing it from HIPAA’s constraints. Covered entities and business associates can use de-identification to reduce their exposure to HIPAA and expand their use of health data. On Nov. 26, 2012, the HHS Office for Civil Rights released guidance on how health information may be de-identified. While the guidance does not break much new ground, it offers some helpful clarification.

The guidance on de-identification, which was mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, part of the American Recovery and Reinvestment Act of 2009, discusses the two methods of de-identification under HIPAA: (1) the “expert determination method” and (2) the “safe harbor method.”

The expert determination method involves a person with appropriate statistical and scientific knowledge and experience determining that the risk of identification is “very small.” The guidance discusses techniques for reducing the risk of identification. The guidance confirms that the expert may rely on traditional statistical techniques, contractual protections such as a data use agreement, and cryptographic techniques such as “hashing” to reduce the risk of identification. These techniques allow retention of more dates and geographic information and can allow linkage of multiple de-identified data sets.

The safe harbor method involves the removal of 18 identifiers and the covered entity not having actual knowledge that the resulting information can be used to identify an individual. The guidance makes plain how stringent this method can be, confirming that any element of a date more specific than a year that relates to an event may not be included. The guidance clarifies what is meant by “actual knowledge.” Knowing that a data set includes a unique characteristic, such as a unique employment position, means that the information does not pass the safe harbor test. In contrast, merely knowing that there is a risk of identification, such as knowledge of a study suggesting that a data set could be re-identified, does not cause a data set to fail the safe harbor test. Knowledge of publicity, such as knowledge that a particular clinical case has been the subject of news reports, can cause information to fail the safe harbor test.

The guidance teaches two key lessons. First, health information generally is considered to be individually identifiable unless some stringent requirements are met. It is important for members of the workforce to know that seemingly anonymous pieces of information may fail the de-identification tests (e.g., because they implicate a date). Second, with the use of an appropriate expert, there remain ways to de-identify information while retaining important properties that otherwise might be lost through application of the safe harbor method.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
