HIPAA’s De-Identification Guidance and Role of Expert Evaluations

In mid-January, HHS' Office of Civil Rights (OCR) issued the final rule modifying HIPAA. The modification significantly expanded and revised the existing HIPAA privacy, security, enforcement, and breach notification rules. Under the new rule, de-identification remains in full effect; once individually identifiable health information or protected health information (PHI) is “de-identified” it is no longer PHI subject to HIPAA.

HHS recently issued separate guidance that finally evaluates when PHI is properly de-identified. As previously discussed, there are two methods: the safe harbor method of removing 18 specific identifiers and the expert method.

In the expert method, HHS allows the use of an expert to conduct an identification risk assessment to determine that the risk of identifying the individual who is the subject of the information either alone or in combination with other reasonably available information is very small.

When evaluating identification risk, an expert is advised to consider the degree to which the data can be linked to a data source that reveals the individual’s identity. The strength of “linkage” hinges on whether the data is distinguishing or unique, there is a naming data source, and a mechanism to relate the de-identified and identified data sources. Inability to design a relational mechanism would prevent a third party’s ability to “achieve success to no better than random assignment of de-identified data and named individuals. The lack of a readily available naming data source does not mean the data is sufficiently protected from future identification, but it is difficult to re-identify an individual or a group of individuals, given the data sources at hand,” according to HHS.

The route by which health information can be linked to naming sources or where sensitive knowledge can be inferred is an important aspect of an identification risk assessment. A higher risk feature is one that is found in many places and is publicly available. For instance, patient demographics are a higher risk feature in that such data can be exploited by anyone in receipt of the information, whereas clinical features, such as blood pressure or temporal dependencies, are lower risk features in that they may distinguish a patient in a specific population, but are accessible to a much smaller set of people.

The de-identification standard does not require the expert to follow or assess risk according to a specific method. The qualified expert may apply generally accepted statistical or scientific principles to compute the uniqueness of a data set. Data managers and administrators working with the expert can look to the following principles when considering the identification risk of health information. These principles are considered a starting point for the covered entity’s reasoning and not a definitive list.

Additionally, if an expert determines that the risk of identification is greater than very small, the HHS guidance provides that experts may modify the information to mitigate the identification risk to that level, as required by the de-identification standard. The expert may initiate suppression techniques and eliminate or remove certain features about the data prior to dissemination. The expert could abbreviate or generalize the information, such as generalizing the age of a patient from one-year to five-year age groups. The expert may apply perturbation techniques to maintain the data’s original statistical properties, but replace specific values with equally specific, but different, values. For instance, instead of age 21, identify an age of 20 years +/- 2 years.

Health providers and business associates (as well as their subcontractors) wishing to limit information in their possession subject to HIPAA, thus mitigating the risk of a HIPAA Privacy/Security Rule violation or breach, should review their de-identification procedures in light of the HHS de-identification guidance.

The information contained within this blog posting on this website, is made available by the attorney authoring the posting for educational purposes only, and to give you general information and a general understanding of the law. It is not intended to provide specific legal advice to your individual circumstances or legal questions. By using this blog site you understand that your reading of this blog posting does not establish an attorney-client relationship between you and the authoring attorney or his law firm.  This blog posting should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Readers of this information should not act upon any information contained in this blog posting on this website without seeking professional counsel.