This post was written by Brad M. Rostolsky and Nancy E. Bonifant.
The Office of Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office report criticizing the delayed publication of this and related guidance, is intended to help covered entities and business associates understand what de-identification is and how de-identified information is created.
Because the HIPAA Privacy Rule does not restrict the use or disclosure of de-identified health information, the process of de-identification allows researchers and policy workers to have access to critical health information while mitigating privacy risks to the individual. To mitigate privacy risks, the HIPAA Privacy Rule outlines two de-identification methods that ensure the health information does not identify an individual and that an associated covered entity has no reasonable basis to believe the information can be used to identify an individual: (1) The Expert Determination and (2) The Safe Harbor.
The Expert Determination method requires the services of an expert in statistical and scientific principles and methods to determine that the risk of re-identification is “very small” and to document that determination. This method involves a three-step process of (i) working with the covered entity to determine appropriate statistical or scientific methods to mitigate the risk of identification, (ii) applying those methods to mitigate the risk, and (iii) assessing the resulting risk. The guidance also addresses the expert’s qualifications, methods for de-identifying information, and approaches to assessing risk.
The Safe Harbor method involves removing 18 categories of identifiers of the individual or of the individual’s relatives, employers, and household members. These identifiers include, for example, names, dates (other than year), geographic subdivisions smaller than a State (as well as ZIP codes depending on the population of a particular area), social security number, health plan and account numbers, IP addresses, and “any other unique identifying number, characteristic, or code.” A covered entity must also not have “actual knowledge” that the remaining information could be used to re-identify the individual. In addition to considering specific identifiers and providing examples, the guidance explains this “actual knowledge” standard as “clear and direct knowledge” that the information could be re-identified or awareness that the information is not actually de-identified.
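The mechanical part of Safe Harbor can be expressed as a field-level filter. The following Python is added here as an illustration and is not taken from the guidance: it drops direct identifiers, keeps only the year of any date, truncates ZIP codes to three digits (000 for low-population areas), and also applies the rule's aggregation of ages over 89 into a single 90+ category, which the post's list does not mention; the field names and the restricted ZIP prefix set are assumed. It covers only the identifier-removal step, not the separate “actual knowledge” standard, which no filter can check.

```python
import re
from datetime import date

# Allowlist: fields that may pass through untouched. Anything not listed here
# or handled explicitly below is dropped, which fails closed on "any other
# unique identifying number, characteristic, or code". Field names are assumed.
PASSTHROUGH = {"diagnosis", "sex", "state"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become 000.
# The real list comes from Census data; this set is a constructed placeholder.
RESTRICTED_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for low-population areas."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict) -> dict:
    """Apply the Safe Harbor transformations to one patient record."""
    out = {}
    for key, value in record.items():
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = generalize_age(int(value))
        elif isinstance(value, date):
            out[f"{key}_year"] = str(value.year)  # dates keep only the year
        elif key in PASSTHROUGH:
            out[key] = value
        # names, SSNs, account numbers, IP addresses, free text: dropped
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "ip_address": "203.0.113.7",
    "zip": "03601", "age": 92, "admitted": date(2012, 11, 26),
    "diagnosis": "J18.9", "sex": "F", "state": "NH",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
```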
While this subregulatory guidance does not have the force of law, it is important to remember that Section 13424(c) of the HITECH Act mandated the guidance’s release. Therefore, covered entities, and business associates who de-identify protected health information on behalf of covered entities, are advised to consider the guidance carefully and amend their processes to align with its requirements.
A copy of the guidance can be found here.