The growing adoption of health information technologies in the United States quickens their potential to enable beneficial studies that combine large, complex data sets from various sources. De-identification – the process by which identifiers are removed from the health information – diminishes privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors. 

This week, the Office of Civil Rights (OCR) released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule. The guidance clarifies and responds to questions regarding the different methods that can be used to satisfy the Privacy Rule’s de-identification standard: expert determination and safe harbor.

What Happened

The Privacy Rule was intended to protect individually identifiable health information through allowing only specific uses and disclosures of PHI provided by the Privacy Rule, or as authorized by the individual subject of the information. However, acknowledging the potential utility of health information even for an unidentifiable individual, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by allowing for de-identification through the standards and implementation specifications in §164.514(a)-(b). These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual.

The ARRA of 2009 mandated that the Department of Health and Human Services issue guidance regarding the de-identification of PHI. As a result, OCR gathered research and opinions regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns. OCR sought input from experts with practical, technical and policy experience to assist with the creation of guidance materials by conducting an in-person workshop consisting of multiple panel sessions that addressed specific topics related to de-identification procedures and policies. This guidance is meant to assist covered entities in understanding what de-identification is, the general process by which de-identified information is produced, and the options available for de-identifying PHI.

The Privacy Rule puts forth two de-identification methods: (1) a formal determination by a qualified expert (“Expert Method”); and (2) the removal of certain individual identifiers in addition to a lack of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (“Safe Harbor Method”). The Privacy Rule does not restrict the use or disclosure of health information that has been properly de-identified through one of these methods.

Expert Method

Under the Expert Method, a covered entity or business associate relies on an expert in the field of data de-identification to identify a manner or method of de-identifying the health information in question (e.g., suppression, generalization, perturbation, etc.). Health information is deemed properly de-identified under the Expert Method if and only if the expert is willing to certify that there is a “very small” risk that the intended recipient of the de-identified health information can use such health information, alone or in combination with other reasonably available information, to identify the individual(s) who are the subjects of the de-identified health information. The expert makes this determination based on a risk assessment which analyzes the (1) the replicability of the information, (2) the availability of other data sources containing similar information, and (3) the distinguishability of the information. For purposes of the Privacy Rule, a data de-identification expert is an individual with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.

Safe Harbor Method

The Safe Harbor Method involves the removal from the health information in question of numerous types/categories of information that specifically identify the individual(s) who are the subject of such health information. These identifiers include, inter alia, name, date of birth, address, all geographic subdivisions smaller than a state (including zip codes), telephone numbers, fax numbers, medical record numbers, social security numbers, photographs, etc.

Additionally, even after the removal of all such identifiers, a covered entity or business associate has not achieved de-identification if it has actual knowledge of the fact that the remaining information could still be used, alone or in combination with other reasonably available information, to identify the individual(s) who are the subjects of such information. In this context, actual knowledge means clear and direct knowledge that the remaining information could be used, alone or in combination with other reasonably available information, to identify the individuals who are the subjects of the information.

What It Means

OCR’s newly provided guidance on the de-identification of health information provides critical guidance to covered entities and business associates who are often asked by non-covered entities and non-business associates (“Outside Entities”) to disclose health information in connection with the development of technology or products by such Outside Entities. For example, if a hospital is asked by a disease management company to disclose health information about the patients it has treated for a particular condition to assist the disease management company in developing a new protocol or clinical pathway for the treatment/management of such condition, the new guidance provides explicit information about the steps the hospital can take to properly de-identify the health information in question thereby facilitating the disclosure of such health information to the disease management company. In doing so, this guidance provides greater certainty for covered entities and business associates interested in providing this type of health information to Outside Entities and, as a result, greater availability of health information for Outside Entities.