On November 26, 2012, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance regarding methods for de-identifying protected health information (PHI) in accordance with the Heath Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance, which was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act as a part of the American Recovery and Reinvestment Act of 2009, explains and answers questions regarding the two methods covered entities and business associates can use to de-identify PHI under the HIPAA Privacy Rule. A copy of the guidance may be found here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf
The HIPAA Privacy Rule places tight restrictions on the use and disclosure of PHI. PHI includes individually identifiable health information held or transmitted by a covered entity or business associate in any form or medium, whether electronic, paper, or oral. PHI increasingly has the potential to facilitate beneficial studies by combining large and complex data sets from multiple sources. To mitigate the privacy risks to individuals and allow the secondary use of health information for studies, policy assessment, and other research, the Privacy Rule provides covered entities and business associates with two methods of removing identifiers from the health information: (1) the “expert determination method” and (2) the “safe harbor method.” Once the health information has been de-identified it is no longer protected by the Privacy Rule because it does not fall under the definition of PHI.
Expert Determination Method. The expert determination method to achieve de-identification of PHI in accordance with the HIPAA Privacy Rule provides that covered entities and business associates (to the extent the de-identification of PHI is authorized by their business associate agreement), may determine that health information is not PHI if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods applies such principles and methods and determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is the subject of the information. The expert must document the methods and results of such an analysis to justify the determination that the health information has been de-identified. The guidance provides information on who qualifies as an expert for this determination, the acceptable level of identification risk, and the length of time for which an expert determination is valid. The guidance also provides information on how experts will assess the risk of identification and what approaches and expert might take to mitigate the risk of identification.
Safe Harbor Method. The safe harbor method to achieve de-identification of PHI in accordance with the HIPAA Privacy Rule provides for the removal of eighteen identifiers including the name, phone number, social security number, and certain geographic information. In addition, the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The guidance provides clarification of specific de-identifying information. For instance, the guidance provides specific rules on the inclusion of a ZIP code (covered entities may include the first three digits of the ZIP code if the geographic unit formed by combing all ZIP codes with the same three initial digits contains more than 20,000 people or the initial three digits of the ZIP code for all such geographic units contain 20,000 or fewer people is changed to 000) and dates (any element of a date more specific than a year that relates to an event may not be included) in de-identified health information. The guidance also clarifies that the term “actual knowledge” means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information to identify an individual who is the subject of the information. Thus a covered entity has actual knowledge if it concludes that the remaining information could be used to identify an individual, i.e., that the information is not actually de-identified information.
Please let us know if we may provide additional information regarding the HHS Office of Civil Rights’ guidance on methods for de-identifying protected health information under the HIPAA Privacy Rule.