OCR Releases Ebola Bulletin

This post was written by Jennifer Pike.

The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency responsible for enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled “HIPAA Privacy In Emergency Situations,” provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.

OCR Releases HIPAA Guide for Law Enforcement

This post was authored by Brad Rostolsky and Jennifer Pike.

On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following:

  • Describes the Privacy Rule and identifies which entities are required to comply
  • Outlines several examples of when disclosures of health information to law enforcement are allowed

The guide is available online.

OCR Announces Enforcement Delay for CLIA Labs

This post was authored by Brad Rostolsky and Jennifer Pike.

The Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced on September 19, 2013, that, until further notice, it is delaying enforcement of the requirement that certain HIPAA-covered labs revise their notices of privacy practices (NPPs) to comply with modifications made by the HITECH Final Rule. The enforcement delay applies to HIPAA-covered labs that are subject to the Clinical Laboratory Improvement Act (CLIA), or exempt from CLIA, and that are not required to provide an individual with access to his or her lab test reports because the reports are subject to the exceptions to the right of access at 45 C.F.R. § 164.524. The delay does not apply to labs that operate as part of a larger legal entity and, by virtue of that relationship, do not have their own NPP.

By way of background, under the Privacy Rule, covered entities must promptly revise their NPPs whenever there is a material change to the privacy practices described in the NPP. The HITECH Final Rule made a number of such material changes, necessitating that covered entities revise their NPPs.

The enforcement delay is a result of HHS’ plan to amend the HIPAA Privacy Rule and CLIA regulations regarding the rights of individuals to receive their test reports directly from CLIA and CLIA-exempt labs. If finalized as proposed, the amendment would result in a material change to the labs’ privacy practices. The purpose of the delay is to decrease the burden on and expense to HIPAA-covered labs of having to revise their NPPs twice within a short period of time.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

HHS Releases Prescription Refill Reminder Guidance

This post was written by Brad M. Rostolsky, Jennifer L. Pike and Nancy E. Bonifant

The Department of Health & Human Services (HHS) released guidance on September 19, 2013, on financially remunerated prescription refill reminders.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, includes a significant exception for communications that also meet the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidizes the covered entity’s communication.

Under the Privacy Rule, determining whether a communication falls within the refill reminder exception depends on (1) whether the communication is about a currently prescribed drug or biologic, and (2) whether the communication involves financial remuneration and, if it does, whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication. HHS now provides guidance on each of these aspects of the refill reminder exception.

Among other points, HHS makes the following notable determinations:

  • Communications about specific formulations of a currently prescribed medicine do not fall within the refill reminder exception
  • When remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or in making other excepted communications, and those payments exceed the fair market value of the business associate’s services, the communication does not fall within the refill reminder exception

The release of the guidance follows an announcement on September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS’ decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders.

Reed Smith’s HIPAA practice is in the process of conducting a full review of the guidance and will release additional analysis shortly.

HITECH FINAL RULE DELAYED ENFORCEMENT: PRESCRIPTION REFILL REMINDERS

HHS to Release Guidance on “Reasonable” Financial Remuneration by September 23, 2013; Enforcement to Be Delayed Until November 7, 2013

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike

On September 5, 2013, Adheris, Inc. (“Adheris”), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services (“Secretary”), and the Department of Health & Human Services (“HHS”), challenging the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary’s enforcement of these restrictions, which was set to begin on September 23, 2013.

In a joint motion filed by the parties today seeking to suspend the court’s schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule’s “reasonable in amount” restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, included a significant exception for communications that also met the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidized the covered entity’s communication.

In a marked departure from the currently enforced Privacy Rule (and the July 2010 HITECH Proposed Rule), the Final Rule generally requires authorizations for all third-party subsidized health care operations and treatment communications, with a limited exception applicable to prescription refill reminders. With respect to prescription refill reminders, a covered entity may still receive some financial remuneration from third parties for making these communications, but this remuneration must be “reasonably related to the covered entity’s cost of making the communication.” In preamble language to the Final Rule, HHS made clear that permissible costs include only the costs of labor, supplies, and postage – where a covered entity generates a profit or receives payment for other costs in exchange for making a prescription refill reminder, the exception would not apply and the covered entity would need to obtain individual authorization.

Ultimately, what remains unknown is whether HHS will explicitly permit covered entities, and their business associates, to make a profit in connection with communicating prescription refill reminders, or if HHS will merely reaffirm its previously stated position in the preamble to the HITECH Final Rule.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

OCR Announces Expansion of its Health Information Privacy Enforcement Team

This post was written by Brad M. Rostolsky and Jennifer Pike.

On February 27, 2013, the HHS Office for Civil Rights (“OCR”) announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR’s health information privacy enforcement team signals that OCR’s increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from breach self-reports required by HITECH’s Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September. OCR’s 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency’s focus will be on Security Rule compliance (specifically with regard to whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.

More information on these positions is available at usajobs.gov.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

The HITECH Final Rule: The New Privacy/Security Rules of the Road Have Finally Arrived

This post was written by Brad M. Rostolsky, Nancy E. Bonifant, Salvatore G. Rotella, Jr., Elizabeth D. O’Brien, Jennifer Pike and Zachary A. Portin.

On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

Please click here to read our detailed analysis of the HITECH Final Rule. As always, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.


It's Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules.  The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”).  Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

We are in the process of conducting a full review of the HITECH Final Rule and will release shortly a Client Alert providing a detailed analysis of the Rule.  In the meantime, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.

OCR Continues Increased Focus on Enforcement, Announces First HIPAA Breach Settlement Involving Less than 500 Individuals

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On January 2, 2013, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho (“HONI”) has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information (“ePHI”) for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.

In addition to the requirement to report breaches affecting more than 500 patients “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach,” which are publicized on OCR’s website, Covered Entities must also maintain a log of all breaches affecting fewer than 500 patients and submit this information to OCR within 60 calendar days after the end of each calendar year. On February 16, 2011, HONI reported the theft to OCR, and OCR commenced an investigation on July 22, 2011. According to OCR, its investigation revealed that HONI had failed to conduct a risk analysis to safeguard ePHI and did not have in place policies and procedures to address mobile device security as required by the HIPAA Security Rule.

Following the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September, this settlement reinforces the practical necessity of encryption, which Leon Rodriguez, Director of OCR, describes as “an easy method for making lost information unusable, unreadable and undecipherable.” Easy or not, as providers face a health care environment that increasingly relies upon portable devices, encryption remains the primary answer to security risks. Furthermore, it remains the best first defense against the expensive and reputation-damaging reality of notifying patients and OCR that a breach has occurred.

Beyond emphasizing the importance of encryption, OCR’s recent enforcement trends also make it clear that Covered Entities (and given the import of the forthcoming final HITECH regulation, Business Associates) should consider the Security Rule risk analysis to be the central component to Security Rule compliance. Although a risk analysis may require Covered Entities and Business Associates to spend significant resources, OCR plainly views it to be critical.

In addition to the $50,000 settlement, the Resolution Agreement between HONI and OCR included a corrective action plan, which requires HONI to investigate any report that a workforce member may have failed to comply with HONI’s Privacy and Security policies and procedures and report actual violations to OCR within 30 days. HONI did not admit any liability in the agreement and OCR did not concede that HONI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found here.

Preparing for the HITECH Final Rule Release: HURRY UP AND WAIT!

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

It has been almost two and a half years since the Department of Health and Human Services, Office for Civil Rights (“OCR”), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget (“OMB”) for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.

Now, as we approach HITECH’s four-year anniversary in February, the industry is again speculating that the final rule will be released before year-end. As the regulation’s title, “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules,” makes clear, it is expected that this rule will address the July 2010 proposed rule, as well as the interim final rules (regarding both breach notification and enforcement) and, hopefully, the May 2011 proposed accounting and access report rule. Therefore, regardless of the ultimate release date, it remains important for Covered Entities and Business Associates to prepare for the forthcoming changes.

The following is a brief review of some key considerations in anticipation of the publication of the final HITECH omnibus rule.

Business Associates: Direct Enforcement and Expansion

  • What was proposed? Though the specifics remain the purview of the final rule, Business Associates will generally be required to comply directly with the Privacy, Security, and Breach Notification Rules as required by HITECH. The proposed rule also included a significantly expanded definition of “Business Associate,” which would convert the subcontractors of Business Associates into actual Business Associates themselves.
  • Why is this important? In addition to the continuing obligation that Business Associates (and now, potentially, their subcontractors) enter into Business Associate Agreements, they will be directly regulated under the Privacy, Security, Breach Notification, and Enforcement Rules. This will require, for example, that Business Associates and their subcontractors comply with the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies and procedures and documentation requirements. Additionally, Business Associates and their subcontractors would incur statutory liability for noncompliance. Such a change in the framework of HIPAA’s application, in addition to OCR’s more focused approach to enforcement, will have the potential to require Business Associates to spend considerable time and resources on compliance considerations.
  • What should you be doing now? Covered Entities should identify their current Business Associates and consider what additional subcontractors will now require Business Associate Agreements (for example, patient safety organizations and vendors of personal health records who routinely access PHI). Covered Entities and Business Associates should examine the extent to which their existing relationships with providers and payors, for example, may not properly characterize them as a Business Associate. Business Associates should take stock of their current subcontractors who handle PHI and engage in discussions regarding compliance with the Privacy and Security Rules. Business Associates should also begin assessing their technological capabilities and, at a minimum, begin the process of developing policies and procedures to ensure compliance. Importantly, the proposed rule provides that OCR will not begin enforcing the modified Privacy and Security Rule requirements set forth in the final rule until 180 days after the effective date of the final rule.

Breach Notification Rule: Will OCR say goodbye to the “risk of harm” threshold?

  • What was proposed? At this stage, we have been living with the Breach Notification Rule for more than three years. Although no specific changes have been proposed, HHS has made it clear that a final omnibus HITECH rule will include changes to the current interim final regulation.
  • Why is this important? Since the inception of the interim final Breach Notification Rule, there has been speculation that a “final” final regulation may remove the ability of Covered Entities and Business Associates to self-determine whether an “incident” rises to the level of a Breach or is merely impermissible disclosure under the Privacy Rule. Shortly after the release of the interim final Breach Notification Rule, Senator Waxman sent a pointed letter to HHS/OCR indicating his belief that HITECH did not give OCR the authority to include the “risk of harm” analysis in the determination of whether a Breach occurred. Add to that the fact that many state law equivalents of the Breach Notification Rule do not allow the potential risk of harm resulting from a particular incident to impact whether an affected individual must receive notification about the incident, and we are left with an overriding industry concern that all impermissible disclosure under the Privacy Rule (harm or not) may soon become more expensive and logistically challenging to address.
  • What should you be doing now? Regardless of what a “final” final Breach Notification Rule looks like, it seems unlikely that OCR will remove the “encryption safe harbor.” With this in mind, and to the extent not already underway, Covered Entities and Business Associates should strongly consider encrypting PHI (especially in the context of portable devices).

Creation of a New Individual Right: Access Reports

  • What was proposed? In the May 2011 proposed rule, OCR proposed to give individuals the right to know who, during the prior three year period, has accessed their PHI stored in an electronic designated records set maintained by the Covered Entity. Significantly departing from the type of activity covered by the Privacy Rule’s current accounting provisions, this “access report” must include a listing of access by employees of the Covered Entity and access for treatment, payment, and health care operations.
  • Why is this important? The right to receive an “access report” would be a new right under the Privacy Rule. Currently, individuals have a right to access and amend their PHI, as well as to receive an accounting of certain disclosures. While the proposed rule would limit an individual’s right to an access report to only PHI maintained in an electronic designated record set (and for only three years prior to the date of the request), individuals would now have the right to receive a report identifying who has accessed their PHI for treatment, payment, and health care operations.
  • What should you do now? Covered Entities and Business Associates should be engaging their electronic medical records vendors in an open dialogue regarding the capabilities and limitations of their current software programs. Additionally, both types of entities should ensure that they appropriately budget for the potentially significant cost of compliance with a final Access Report Rule.

Marketing and the Sale of Protected Health Information

  • What was proposed? The proposed rule modified the current definition of “marketing” and narrowed the existing exceptions under the Privacy Rule. In particular, the proposed rule distinguished treatment and health care operations communications, and clarified the role “financial remuneration” would play in rendering marketing communications as part of health care operations. Additionally, OCR removed from the current definition of marketing situations where a Covered Entity discloses PHI to another entity in exchange for remunerations. Instead, OCR characterized this as the “sale of PHI,” which would be specifically prohibited without an Authorization.
  • Why is this important? According to OCR, the Privacy Rule’s definition of marketing has not sufficiently addressed concerns about the ability of “a third party to pay a Covered Entity [] for the Covered Entity to send health-related communications to an individual about the third party’s products or services.” OCR is signaling a stricter approach to marketing communications, which would affect certain remunerated communications previously considered to be permissible in furtherance of “health care operations.” It also remains unclear whether existing Authorizations (that do not, as would be required under the proposed rule, specifically describe certain payments made for communications) will be deemed compliant after release of the final rule and, if not, what the timeline for compliance will be.
  • What should you be doing now? Covered Entities should identify and analyze situations where they communicate with individuals and receive financial remuneration, either directly or indirectly, from a third party for doing so. Additionally, Covered Entities should scrutinize any situation where they receive financial remuneration in return for a third party communicating with an individual. It is these situations that are likely to be targeted by OCR and may no longer be permissible, without valid Authorizations, pursuant to a final regulation.

Fundraising

  • What was proposed? OCR proposed to require Covered Entities to provide, with each fundraising communication, a clear and conspicuous opportunity for the individual to opt out of future fundraising communications. Additionally, this opt-out may not cause the individual to incur an undue burden or more than nominal cost. The proposed rule also prohibits Covered Entities from conditioning treatment or payment on an individual’s decision to opt out of future fundraising communications.
  • Why is this important? For the most part, the proposed fundraising provisions track HITECH’s statutory language, and will most likely be finalized in their current form. HITECH strengthened an individual’s right under the Privacy Rule to opt-out of fundraising communications by requiring OCR to modify the Privacy Rule so that Covered Entities must treat an opt-out as a revocation of an Authorization. OCR interpreted “shall be treated as a revocation of authorization” as prohibiting the conditioning of treatment or payment on an individual’s decision to allow fundraising communications.
  • What should you be doing now? Covered Entities should consider their current fundraising endeavors and the extent to which such endeavors rely upon the use or disclosure of PHI. It may be prudent to brainstorm cost-effective methods for an individual to opt-out of fundraising communication, such as utilizing existing toll-free numbers and e-mail.

Although the delay in the release of the highly anticipated HITECH final rule has certainly caused Covered Entities and Business Associates to patiently live in a state of flux, it has been clear since 2009 that the final regulation will significantly change portions of the Privacy, Security, Breach, and Enforcement Rules. While the specifics remain unclear, the HITECH statutory requirements, including the above-discussed considerations, provide a good starting point for meaningful continued preparation.

If you have any questions or would like additional information on the material covered in this alert, please contact Brad Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy Bonifant (202-414-9353 or nbonifant@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work.

OCR Releases Overdue Guidance on De-identifying Protected Health Information

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office report criticizing the delayed publication of this and related guidance, is intended to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.

Because the HIPAA Privacy Rule does not restrict the use or disclosure of de-identified health information, the process of de-identification allows researchers and policy workers to have access to critical health information while mitigating privacy risks to the individual.  To mitigate privacy risks, the HIPAA Privacy Rule outlines two de-identification methods that ensure the health information does not identify an individual and that an associated covered entity has no reasonable basis to believe the information can be used to identify an individual: (1) The Expert Determination and (2) The Safe Harbor. 

The Expert Determination method requires the services of an expert in statistical and scientific principles and methods to determine that the risk of re-identification is “very small” and to document that determination. This method involves a three-step process of (i) working with the covered entity to determine appropriate statistical or scientific methods to mitigate the risk of identification, (ii) applying those methods to mitigate the risk, and (iii) assessing the risk. The guidance also addresses the expert’s qualifications, methods for de-identifying information, and approaches to assessing risk.

The Safe Harbor method involves removing 18 categories of identifiers of the individual or of the individual’s relatives, employers, and household members.  These identifiers include, for example, names, dates (other than year), geographic subdivisions smaller than a State (as well as ZIP codes depending on the population of a particular area), social security number, health plan and account numbers, IP addresses, and “any other unique identifying number, characteristic, or code.”  A covered entity must also not have “actual knowledge” that the remaining information could be used to re-identify the individual.  In addition to considering specific identifiers and providing examples, the guidance explains this “actual knowledge” standard as “clear and direct knowledge” that the information could be re-identified or awareness that the information is not actually de-identified.
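To make the Safe Harbor list concrete, the following is an added example written for this post, not code from OCR’s guidance or from the authors: a small Python de-identifier that drops direct identifiers from a flat patient record, reduces dates to the year, generalizes the ZIP code, and scrubs identifier patterns out of a free-text note. The field names, the sample record and the ZIP-prefix population table are constructed. Two thresholds are taken from the Safe Harbor text at 45 C.F.R. § 164.514(b)(2) rather than from this post: the first three ZIP digits may be kept only when the combined three-digit area has more than 20,000 people (otherwise “000”), and ages over 89 are aggregated into a single “90+” category.

```python
"""Added example: a minimal HIPAA Safe Harbor de-identifier for one flat record.

Illustrative code for this post, not OCR's or the authors'. Field names, the
sample record and the ZIP population table are constructed. The 20,000-person
ZIP rule and the over-89 age aggregation follow 45 C.F.R. 164.514(b)(2).
"""
import re
from datetime import date

# Identifier fields removed outright (constructed names covering most of the 18
# categories: names, contact details, SSN, record/account/device numbers, URLs,
# IP addresses, biometrics, photographs).
REMOVE_FIELDS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
})

# Date fields are reduced to the year; date_of_birth additionally yields an age bucket.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})

# Constructed population table: 3-digit ZIP prefix -> population of the combined area.
ZIP3_POPULATION = {"021": 700_000, "036": 12_000}

# Identifier patterns that commonly leak into narrative notes. Regex scrubbing is
# best effort; a record with free text still needs review under the "actual
# knowledge" standard described in the post.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its area exceeds 20,000 people, else '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to the year, the only date element Safe Harbor keeps."""
    return iso_date[:4]


def age_bucket(date_of_birth: str, as_of: date) -> str:
    """Age in whole years as of a fixed date; ages over 89 collapse to '90+'."""
    born = date.fromisoformat(date_of_birth)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace SSN, phone, e-mail and IP patterns in narrative text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor field rules to one record and return a new dict."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue  # direct identifier: dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "date_of_birth":
            out["birth_year"] = year_only(value)
            out["age"] = age_bucket(value, as_of)
        elif key in DATE_FIELDS:
            out[key[:-5] + "_year"] = year_only(value)  # "admission_date" -> "admission_year"
        elif key == "note":
            out[key] = scrub_text(value)
        else:
            out[key] = value  # clinical content such as diagnosis codes is retained
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "1 Example Way",
    "city": "Boston",
    "zip": "02114",
    "date_of_birth": "1921-03-15",
    "admission_date": "2012-11-26",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "ip_address": "10.0.0.5",
    "diagnosis_code": "E11.9",
    "note": "Pt reached at 617-555-0100, spouse j.doe@example.org; last SSN on file 123-45-6789.",
}
AS_OF = date(2012, 11, 26)  # fixed reference date so the age bucket is reproducible

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, AS_OF).items():
        print(f"{k}: {v}")
```

The structured-field rules are mechanical and easy to audit; the free-text pass is where Safe Harbor de-identification usually fails in practice, because narrative notes carry identifiers in forms no fixed pattern list anticipates, which is why the post’s “actual knowledge” standard still applies after the 18 categories are removed.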

While this subregulatory guidance does not have the force of law, it is important to remember that Section 13424(c) of the HITECH Act mandated the guidance’s release. Therefore, covered entities, and business associates who de-identify protected health information on behalf of covered entities, are advised to consider the guidance carefully and amend their processes to align with its requirements.

A copy of the guidance can be found here.