On November 26, 2012, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released guidance about methods and approaches for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule. This guidance was required to be provided by HHS under the HITECH Act and helps covered entities and their business associates understand the process and options available for properly de-identifying PHI. As a result, now may be a good time for covered entities to consider reviewing their PHI policies to confirm they are consistent with this OCR guidance. Also, to the extent a covered entity has engaged a business associate to assist with de-identification of PHI, covered entities may want to review their business associate agreements to confirm that their business associates are required to follow this OCR guidance as well.
The HIPAA Privacy Rule protects most PHI held or transmitted by a covered entity or its “business associate,” in any form or medium, whether electronic, on paper or oral. PHI includes individually identifying information that relates to the individual’s health condition or care. The Privacy Rule applies to PHI held by covered entities, which are health care providers, health clearinghouses and health plans, and by their business associates, which are any persons or entities that perform certain services for a covered entity that involve the use or disclosure of PHI.
The HIPAA Privacy Rule was designed to protect PHI by permitting only certain uses and disclosures, unless authorized by the individual subject of the PHI. In recognition of the potential utility of health information when it is not individually identifiable, the Privacy Rule permits a covered entity or its business associate (to the extent permitted by the covered entity in its business associate agreement) to de-identify PHI by complying with a de-identification standard and following one of two de-identification methods:
- A formal determination by a qualified expert; or
- The removal of specified individual identifiers as well as absence of actual knowledge that the remaining information could be used to identify the individual.
The OCR guidance is provided in a question and answer format that is relatively easy to read given the rather technical nature of the HIPAA Privacy Rule. The guidance includes, for example, questions and answers regarding permitted methods for experts to assess the risk that health information can be identified (answer: no one method is required, although several potential methods are acceptable) as well as when ZIP codes can be included in de-identified information (answer: the first three digits can be included if certain population density requirements are met).
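The ZIP code rule described above is the part of the identifier-removal method that is easiest to get wrong in practice, because the three-digit prefix may only be retained when the area it covers is populous enough. The following is an added example, not code from the OCR guidance or from the original article, that applies that rule to a record. It assumes the population threshold the Safe Harbor method uses (the 20,000-person figure from 45 CFR 164.514(b)(2)(i)(B)); the per-prefix population table, the record field names and the short list of direct identifiers are constructed for illustration and are not the rule's full identifier list.

```python
"""Safe Harbor style ZIP code handling for a de-identification pipeline.

Example code, not from the OCR guidance or the original article.
"""

import re
from typing import Dict, Mapping

# Assumption: the population threshold the Safe Harbor method applies to the
# geographic area formed by all ZIP codes sharing the same three initial
# digits (45 CFR 164.514(b)(2)(i)(B)). Areas at or below it get prefix 000.
POPULATION_THRESHOLD = 20_000

# Constructed sample populations per three-digit prefix (not census figures).
SAMPLE_PREFIX_POPULATION: Dict[str, int] = {
    "021": 1_500_000,  # dense metro area: prefix may be kept
    "100": 2_000_000,
    "036": 12_000,     # sparse area: prefix must be suppressed
    "059": 8_500,
}

# Illustrative subset of direct identifiers removed under Safe Harbor; the
# rule lists more. Field names belong to a hypothetical record schema.
DIRECT_IDENTIFIER_FIELDS = ("name", "ssn", "phone", "email", "mrn")


def safe_harbor_zip(zip_code: str, prefix_population: Mapping[str, int],
                    threshold: int = POPULATION_THRESHOLD) -> str:
    """Return the retainable three-digit prefix, or '000' if it must be hidden."""
    digits = re.sub(r"\D", "", zip_code)  # tolerate ZIP+4 and stray formatting
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    # An unknown prefix is treated as small so the conservative result is 000.
    if prefix_population.get(prefix, 0) > threshold:
        return prefix
    return "000"


def year_only(date_iso: str) -> str:
    """Keep only the year of an ISO date directly related to an individual."""
    return date_iso[:4]


def de_identify_record(record: Mapping[str, str],
                       prefix_population: Mapping[str, int]) -> Dict[str, str]:
    """Drop direct identifiers, truncate the ZIP code and reduce dates to years."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = safe_harbor_zip(value, prefix_population)
        elif key == "dob":
            out[key] = year_only(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample record; every value is made up.
    sample = {"name": "Jane Doe", "ssn": "000-00-0000", "dob": "1975-04-12",
              "zip": "03601-1234", "diagnosis": "J45"}
    print(de_identify_record(sample, SAMPLE_PREFIX_POPULATION))
```

Treating an unknown prefix as below the threshold is deliberate: a lookup table that is stale or incomplete then fails closed, suppressing the prefix rather than leaking it. The population table itself should be sourced from current census data and versioned with the pipeline, since the set of prefixes that must be suppressed changes when the underlying census changes.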
The Q&A was developed by the OCR in collaboration with the public during a March 2010 workshop in Washington, D.C., consisting of panel sessions on topics related to de-identification methodologies and policies. Accordingly, the guidance can be viewed as industry “best practices” that have now received the endorsement of the OCR. As a result, a covered entity (or its business associate) that uses a de-identification method that does not comply with this OCR guidance now runs the risk of violating the HIPAA Privacy Rule.