The Department of Health and Human Services Office for Civil Rights (“OCR”) recently released guidance on de-identification of protected health information pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The guidance discusses in detail the two methods that satisfy the de-identification standard of the Privacy Rule—the Expert Determination and Safe Harbor methods. While these methods are not new, the guidance provides a clearer picture of OCR’s expectations.
HIPAA prohibits the dissemination of individually identifiable health information, also known as protected health information (“PHI”). The de-identification standard, set forth in Section 164.514(a) of the Privacy Rule, states: “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.”
The Safe Harbor method, found in Section 164.514(b)(2) of the HIPAA Privacy Rule, requires removal of 18 specific identifiers such as name, social security number, address, admission and discharge dates, zip code, vehicle identifiers (license plate numbers and serial numbers), web and IP addresses, and device identifiers and serial numbers, among others. Additionally, the Safe Harbor method mandates removal of geographic units smaller than a State, except that the first three digits of a zip code may remain if the geographic unit formed by combining all zip codes with the same initial three digits is populated by more than 20,000 individuals. In this regard, the guidance provides that covered entities are expected to rely upon “the most current publicly available Bureau of Census data regarding zip codes.” Further, the guidance makes clear that eliminating only part of an identifier is not acceptable. For example, to comply with Safe Harbor, a data set may not contain patient initials or the last four digits of a Social Security number. The guidance also provides examples of dates that are not permitted, clarification on what constitutes a unique identifying number, characteristic, or code, a definition and examples of “actual knowledge,” and discussion of dates, data use agreements, and PHI in free text fields.
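The following is an added illustration of the Safe Harbor rules described above; it is not code from OCR or from this article. It applies the three-digit zip code rule against a constructed population table (real work must use the current Census Bureau data the guidance names), strips fields assumed to hold the listed identifiers, and scans a free-text field for residue such as initials, dates and partial Social Security numbers, which the guidance says may not remain. The field names, the `ZIP3_POPULATION` figures and the sample record are all constructed for the example; the replacement of small zip prefixes with `000` and the retention of the year alone from a date come from the Privacy Rule's own text rather than from this page.

```python
import re
from datetime import date

# Constructed sample population per three-digit ZIP prefix (NOT Census data).
# The guidance expects the most current public Census Bureau figures here.
ZIP3_POPULATION = {"021": 614000, "036": 14500, "902": 812000}

# Field names assumed for this example; each maps to a Safe Harbor identifier.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "ssn", "ssn_last4", "initials", "street_address", "phone", "email",
    "admission_date", "discharge_date", "ip_address", "url", "device_serial",
    "license_plate", "mrn", "account_number",
})

# Free-text fields assumed for this example; they are scanned, not trusted.
FREE_TEXT_FIELDS = frozenset({"clinical_note"})

# Residue that commonly survives in narrative text. Each hit is flagged for
# review; the guidance treats partial identifiers (initials, last four of an
# SSN) as still identifying.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ssn_last4": re.compile(r"(?i)\b(?:last\s*(?:4|four)|ssn)\D{0,10}(\d{4})\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "initials": re.compile(r"\b(?:[A-Z]\.){2,3}"),
}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the three-digit prefix only when the combined population of all
    zip codes sharing it exceeds 20,000. Smaller prefixes become '000', which
    is what the Privacy Rule text specifies (regulation, not this article)."""
    prefix = zip_code.strip()[:3]
    return prefix if population.get(prefix, 0) > 20000 else "000"


def generalize_date(value):
    """Reduce a full date to its year only (per the Privacy Rule text)."""
    return str(value.year)


def scan_free_text(text):
    """Return (label, matched_text) pairs for identifier residue in free text."""
    return [(label, m.group(0))
            for label, pattern in FREE_TEXT_PATTERNS.items()
            for m in pattern.finditer(text)]


def safe_harbor_deidentify(record, population=ZIP3_POPULATION):
    """Apply the Safe Harbor rules to a flat record.

    Returns (clean_record, findings). Direct identifiers are dropped, the zip
    code is generalized, a birth date is reduced to a year, and any free-text
    field containing residue is withheld so a reviewer can look at it."""
    clean, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings.append(("removed", field))
        elif field == "zip":
            clean[field] = generalize_zip(str(value), population)
        elif field == "birth_date":
            clean["birth_year"] = generalize_date(value)
        elif field in FREE_TEXT_FIELDS and isinstance(value, str):
            hits = scan_free_text(value)
            if hits:
                findings.append(("free_text_residue", field, hits))
            else:
                clean[field] = value
        else:
            clean[field] = value
    return clean, findings


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001",
    "name": "Jane Doe",
    "ssn_last4": "6789",
    "zip": "03601",
    "birth_date": date(1970, 5, 14),
    "admission_date": date(2012, 1, 3),
    "diagnosis_code": "E11.9",
    "clinical_note": "Pt J.D. seen 1/3/2012, SSN last four 6789 confirmed.",
}

if __name__ == "__main__":
    cleaned, notes = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    for note in notes:
        print(note)
```

Running it on the sample record leaves only a `000` zip, a birth year and a diagnosis code; the note is withheld because the scanner finds the initials, a full date and a "last four" SSN fragment in it. The withhold-and-flag behaviour is deliberate: regex scanning of free text is a detection aid, not a guarantee, so the conservative default is to keep the field out of the released set until a person has reviewed it.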
The Expert Determination method can be used to satisfy the de-identification standard without removing all of the identifiers required to comply with the Safe Harbor method. The Expert Determination method, set forth in Section 164.514(b)(1) of the HIPAA Privacy Rule, involves application of statistical or scientific principles by a qualified expert to ensure that there is a very small risk that the anticipated recipient could identify the individual. OCR explains that the Expert Determination method cannot be universally designed and applied. It requires a case-by-case analysis by an expert to determine, based on the data set and the recipient, among other things, that there is a very small risk that the recipient can identify the individual. While the guidance on the Expert Determination method is fairly lengthy, it leaves both discretion and uncertainty for covered entities to determine a number of things, including the qualifications of an expert and what constitutes a “very small” risk.
This new guidance paints a valuable picture of OCR’s interpretation and expectations for entities’ application of the Expert Determination and Safe Harbor de-identification methods. Covered entities should carefully review the guidance and modify their policies and practices accordingly.