The HHS Office of Civil Rights (OCR) recently released guidance intended to assist covered entities in understanding what de-identification is, the general process by which de-identified information can be created, and the options available for carrying out de-identification under the HIPAA Privacy Rule. The long-awaited "Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule" (Guidance) does not introduce any new rules or concepts related to de-identification of protected health information (PHI), but instead seeks to assist covered entities in understanding and properly applying the two methods of de-identification provided in the HIPAA Privacy Rule.
De-identification has become an increasingly important issue for covered entities due to the accelerated adoption of health information technologies, which allows for the combination, exchange and beneficial study of large and complex health information data sets. However, much of the individually identifiable health information required to build these data sets is considered PHI under the HIPAA Privacy Rule, which protects the security, privacy and confidentiality of an individual’s health information by permitting only certain uses and disclosure of that information.
HIPAA Privacy Rule De-Identification Standards
The HIPAA Privacy Rule provides two methods for complying with the de-identification standard:
Expert Determination – A covered entity may determine that health information is de-identified if a person with appropriate knowledge of and experience with generally accepted scientific principles and methods for de-identifying information determines the risk that information could be used by an anticipated recipient, alone or in combination with reasonably available information, to identify the subject of the information is very small, and the methods and results of the analysis justifying that determination are documented.
Safe Harbor – A covered entity may determine that health information has been de-identified when all "identifiers" of the individual or of relatives, employers, or household members of the individual are removed from the information and the covered entity has no actual knowledge that the information could be used alone or in combination with other information to identify the individual. The HIPAA Privacy Rule includes a list of 18 identifiers that must be removed in order to properly de-identify health information.
According to the Guidance, both de-identification methods, even if properly applied, retain some element of identification risk.
De-Identification Guidance Q & A
The Guidance contains a list of frequently asked questions and answers, examples of which are paraphrased below:
Expert Determination Method
Who is an expert? There is no specific degree or certification requirement for an expert, and appropriate expertise can be gained through various combinations of education and experience in the statistical, mathematical or other scientific domains. In terms of enforcement, OCR will review the expert’s relevant professional experience and academic training as well as the expert’s actual experience with de-identification.
How do experts assess the risk of identification of information? OCR does not require a single universal method of assessing the risk of identification for de-identified information so long as the documented analysis justifies the expert’s determination. However, stakeholders have indicated that the following steps should be followed: (1) the expert should consult with the covered entity to determine the appropriate statistical or scientific methods to use to mitigate the risk of identification; (2) the expert should apply those methods to PHI; (3) the expert should assess the remaining risk of identification; and (4) if the risk of identification is very small, the expert must document the methods and results to justify the determination.
Safe Harbor Method
May parts or derivatives of the listed elements be disclosed consistent with the safe harbor method? No. For example, a data set containing patient initials or the last four digits of a social security number would not meet the requirements of the safe harbor method of de-identification.
What is considered actual knowledge that the remaining information could be used to identify an individual who is a subject of the information? According to the Guidance, actual knowledge means "clear and direct" knowledge that the information could be used, either alone or in combination with other information, to identify the information’s subject, or awareness that the information has not actually been de-identified.
If you would like assistance in developing de-identification policies and procedures, please contact Lynn Sessions at email@example.com or 713.646.1352 or Cory J. Fox, firstname.lastname@example.org or 713.646.1358.