Here's guidance on how to avoid violating HIPAA when it comes to de-identification of protected health information.
The Office for Civil Rights (OCR) recently issued important guidance regarding the HIPAA concept known as “de-identification.” This guidance applies to covered entities, which include physicians and business associates (a person or entity, other than a member of the covered entity’s workforce), that perform certain services on behalf of the covered entity involving "protected health information" or PHI.
HIPAA’s Privacy Rule helps guard against the use or disclosure of an individual’s identifying health information or PHI by permitting its use in only certain instances, such as for treatment, payment, healthcare operations, or as authorized by the patient.(1) PHI is information, including demographic information, which relates to the individual’s provision of healthcare, their physical or mental medical condition (past, present, or future), and any payment for that care that identifies or can be used to identify the individual. De-identification mitigates privacy risks by removing health data that individually identifies the individual and with respect to which there is no reasonable basis to believe that the information can be used to identify the individual. However, the privacy rule permits a physician or its business associate to create information for secondary use in comparative studies, policy assessments, and life science research that is not individually identifiable by following its de-identification standards.
De-identification occurs either by: (1) meeting the safe harbor in removing 18 identifiers and verifying there is no actual knowledge that the residual information can identify the individual; or (2) an expert has documented its statistical or scientific analysis determining that there is a very smallrisk of an anticipated recipient using such health information with other reasonably available information to identify an individual who is a subject of the information.
I. Safe Harbor-Removal of Identifiers:
The following 18 identifiers of the individual or of relatives, employers, or household members of the individual, are to be removed to comply:
II. Expert Determination
The assessment of whether or not there is a “very small” risk that an anticipated recipient could identify an individual must be determined by an expert who may have a statistical, mathematical, or scientific background. OCR does not require that an expert have a specific professional degree or certification when rendering health information de-identified. However, OCR will evaluate the expert’s determination of acceptable “very small” risk based on his/her education and actual experience using health information de-identification methodologies.
There is also no universal level for the “very small” risk threshold. Risk will be determined on a case-by-case because its assessment is dependent on many factors (such as, replicability, availability of the data source, distinguishability, and social environment). Risk identified for one particular data set in the context of a specific environment may not be appropriate for the same data set in a different environment or a different data set in the same environment. As a result, an expert needs to define an acceptable very small risk based on its assessment of the ability of an anticipated recipient to identify an individual.
Although no single universal solution or process addresses all privacy and identification issues, experts are expected to document the methods and results of their analyses that justify their determination. Such steps may include: (i) the extent to which health information can (or cannot) be identified by the anticipated recipients; (ii) guidance on which statistical or scientific methods can be applied to the health information to mitigate anticipated risk; (iii) the execution of such methods; and (iv) their evaluation of the ability to identify the resulting health information confirming that the risk is no more than very small when disclosed to the anticipated recipients. It is understood that this process may require several iterations.
Additionally, HIPAA does not explicitly require an expiration date be attached to the expert’s determination. In light of the evolution of technology, social conditions and availability of information, however, time-limited certifications may be considered reasonable. Covered entities should have an expert examine whether future releases of the data to the same recipient (e.g., monthly reporting) be subject to additional or different de-identification processes consistent with current conditions to reach the very low risk requirement.
In the next part of this post, I will discuss the examples and principles used in satisfying the safe harbor and methods used by experts to determine information is de-identified.
1 45 CFR §§ 164.501; 164.502
2 See 67 FR 53182, 53233-53234 (Aug. 14, 2002)
The information contained within this blog posting on this website, is made available by the attorney authoring the posting for educational purposes only, and to give you general information and a general understanding of the law. It is not intended to provide specific legal advice to your individual circumstances or legal questions. By using this blog site you understand that your reading of this blog posting does not establish an attorney-client relationship between you and the authoring attorney or his law firm. This blog posting should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Readers of this information should not act upon any information contained in this blog posting on this website without seeking professional counsel.