HHS Guidance Addresses Methods for De-identifying HIPAA Protected Health Information | Practical Law

The Department of Health and Human Services (HHS) released guidance on the two methods for de-identifying protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

HHS Guidance Addresses Methods for De-identifying HIPAA Protected Health Information

Practical Law Legal Update 4-522-7096 (Approx. 5 pages)

by PLC Employee Benefits & Executive Compensation
Published on 28 Nov 2012, USA (National/Federal)
On November 26, 2012, HHS released guidance and a related webpage on the two methods for de-identifying protected health information (PHI) under the HIPAA Privacy Rule: the Expert Determination method and the Safe Harbor method. The guidance explains and answers questions about both methods and is intended to assist covered entities, which include health plans, in understanding:
  • What de-identification is.
  • The process by which de-identified information is created.
  • The options available for performing de-identification.
The guidance also includes a glossary of relevant terms.
For a discussion of the HIPAA Privacy Rule, see Practice Note, HIPAA Privacy Rule.

The De-identification Process

The HIPAA Privacy Rule was designed to protect identifiable health information by permitting only certain uses and disclosures of PHI. However, because health information may be useful in studies, the Privacy Rule permits covered entities or their business associates to create and use information that is not individually identifiable by following one of two de-identification methods: the Expert Determination method or the Safe Harbor method. De-identification involves the removal of identifiers (for example, names or birth dates) from health information.
Once information has been de-identified, it is no longer PHI subject to the Privacy Rule, as health information is not individually identifiable if:
  • It does not identify an individual.
  • The covered entity has no reasonable basis to believe it can be used to identify an individual.
Information may also be re-identified if a covered entity or its business associate assigns a unique code to a set of de-identified health information to allow the covered entity to re-identify it. Health information that has been re-identified is considered PHI subject to the Privacy Rule.

The Expert Determination Method

The Expert Determination method for de-identification requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable both:
  • Applies those principles and methods to determine there is a "very small" risk that the information could be used, either by itself or with other reasonably available information, to identify the subject of the information.
  • Documents the methods and results of the analysis justifying that determination.
The guidance addresses questions on this method, including:
  • Who is considered an expert. Although no specific degree or certification is required, HHS may review an expert's relevant professional experience and academic or other training in enforcing the Privacy Rule.
  • What is a "very small" risk. No explicit numerical level of identification risk would meet this standard in all cases. The guidance notes that an expert must account for multiple factors to assess the risk from a data set, because the risk of identification that has been determined for one particular data set in one environment may not be appropriate for:
    • the same data set in a different environment; or
    • a different data set in the same environment.
  • How long an expert determination is valid for any given data set. Because technology, social conditions and the availability of information change over time, de-identification practitioners often use time-limited certifications, and may reassess the level of risk after a certification has expired.
  • How experts may assess the risk of identification of information. HHS does not require experts to use a particular process. However, the Privacy Rule does require that the expert's methods and results of the analysis justifying the determination are documented and made available to HHS on request. The guidance discusses general principles experts may use in determining whether health information is identifiable, and addresses the degree to which a data set may be linked to another data set which reveals the identity of the corresponding individuals.
  • How experts may mitigate the risk of identification. Although the Privacy Rule does not require a particular approach to mitigation, the guidance surveys potential approaches, including:
    • suppression (the removal or elimination of certain data features before the data is disclosed);
    • generalization (changing data into a more generic form, for example, using only three digits of a five-digit zip code); and
    • perturbation (replacing specific values with equally specific, but different, values; for example, reporting a person's age using a five-year window that includes the person's actual age).
The guidance also notes that covered entities are not required to use a data use agreement when sharing de-identified data.

The Safe Harbor Method

Under the Safe Harbor method for de-identification, a covered entity is protected if it does not have actual knowledge that the information could be used alone or in combination with other information to identify the subject of the information and the covered entity removes specific identifiers, including:
  • Names, telephone numbers and social security numbers.
  • All geographic subdivisions smaller than a state.
  • All dates, except years, that are directly related to an individual.
  • Any other unique identifying number, characteristic or code, except those that are otherwise permitted by the Privacy Rule.
As with the Expert Determination method, the guidance addresses questions on the Safe Harbor method, including:
  • When zip codes can be included in de-identified information. Covered entities may include the first three digits of a zip code under certain circumstances.
  • What constitutes any other unique identifying number, characteristic or code. The guidance includes examples of all three, such as clinical trial record numbers and a patient's current occupation.
  • What actual knowledge means in the context of the Safe Harbor method. Examples include where a covered entity is aware that a patient's occupation is listed in a record in a way that could identify the patient, or that an anticipated recipient of the information has a family member in the data and the data provides enough context so the recipient could identify the family member.
  • Whether a covered entity must suppress all personal names from health information to be de-identified. The guidance clarifies that only names of the individuals associated with the corresponding health information and names of their relatives, employers and household members must be suppressed, not, for example, physician names.
As with the Expert Determination method, covered entities using the Safe Harbor method need not use a data use agreement when sharing de-identified data.
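The following is an added illustration, not part of the HHS guidance or the Practical Law update, of how the Safe Harbor identifier removals above and the suppression, generalization and perturbation approaches from the Expert Determination section might be applied to a single record before release. The record, the field names, and the rule that the caller supplies the set of three-digit zip prefixes that may be retained are all assumptions made for the example; the page itself only says such prefixes may be kept "under certain circumstances".

```python
import random

# Constructed sample record; every value is invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Example",          # suppressed: name of the subject
    "physician": "Dr. A. Example",   # kept: physician names need not be suppressed
    "phone": "555-0100",             # suppressed
    "ssn": "000-00-0000",            # suppressed
    "zip": "02138",                  # generalized to three digits, or "000"
    "admit_date": "2012-11-26",      # generalized to the year only
    "age": 47,                       # reported as a five-year window (perturbation)
    "diagnosis": "hypertension",     # kept: clinical content, not an identifier
}

SUPPRESSED_FIELDS = ("name", "phone", "ssn")
# Raw fields that must not survive in a released record.
RAW_IDENTIFIER_FIELDS = SUPPRESSED_FIELDS + ("zip", "admit_date")


def safe_harbor(record, permitted_zip3, rng):
    """Return a de-identified copy of one record (assumed field layout, see lead-in)."""
    out = {}
    for key, value in record.items():
        if key in SUPPRESSED_FIELDS:
            continue  # suppression: the field is removed entirely
        if key == "zip":
            zip3 = str(value)[:3]
            # Assumption: caller decides which three-digit prefixes are permitted.
            out["zip3"] = zip3 if zip3 in permitted_zip3 else "000"
        elif key == "admit_date":
            out["admit_year"] = str(value)[:4]  # all date elements except the year removed
        elif key == "age":
            # Five-year window containing the actual age; the window's placement is
            # random so the bounds alone do not reveal the exact age.
            lo = max(0, value - rng.randint(0, 4))
            out["age_window"] = (lo, lo + 4)
        else:
            out[key] = value
    return out


def passes_release_check(record):
    """Pre-release check: none of the raw identifier fields may remain."""
    return not any(key in record for key in RAW_IDENTIFIER_FIELDS)


def deidentify_sample(seed=7, permitted_zip3=frozenset({"021"})):
    """Run the sample record through safe_harbor with a seeded RNG."""
    return safe_harbor(SAMPLE_RECORD, permitted_zip3, random.Random(seed))
```

The release check is deliberately separate from the transform so that it can be run over records produced by any pipeline, not only this one.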

Practical Impact

The Privacy Rule does not restrict how covered entities can disclose information that has been de-identified. As a result, the procedures and standards for de-identifying PHI outlined in this guidance may be of interest to health plans and other covered entities. Regarding the Expert Determination method, the guidance would seem to offer covered entities a fair amount of latitude in selecting an appropriate expert to render health information de-identified, at least in terms of the types of education and experience that qualify individuals to serve as experts. The guidance also suggests, however, that a covered entity's decision and reasoning for using a particular expert should be defensible in light of the expert's professional experience and, presumably, well documented.