Guidance from the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) provides clarity on the available methods of de-identification of protected health information (PHI) as well as the federal government’s scrutiny of such procedures.
The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established two methods of de-identification: (1) Expert Determination Method and (2) Safe Harbor Method. 45 C.F.R. § 164.514(a). These de-identification methods are applied to PHI to enable the use of health information for non-treatment purposes (e.g., research and policy development), while protecting the individual’s right to privacy by removing identifiers from the PHI prior to utilizing the data for secondary purposes.
Applying the expert determination method, a covered entity may determine that health information is not identifiable if a qualified expert, applying generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable, (i) “determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) documents the methods and results of the analysis that justify such determination.” 45 C.F.R. § 164.514(b).
The HHS guidance sets forth factors that the agency will apply when scrutinizing expert qualifications for the purpose of expert de-identification. These factors will be helpful to health care providers, health plans and business associates in assessing the qualifications of an expert and understanding the de-identification process and risk assessment.
The HHS guidance also details three primary principles that should guide the expert’s risk assessment. The first principle, replicability, involves the prioritization of “health information features into levels of risk according to the chance it will consistently occur in relation to the individual.” For example, low replicability risk would occur when the “results of a patient’s blood glucose level test will vary”; whereas, high replicability risk would exist when the “[d]emographics of a patient (e.g., birth date) are relatively stable.” Id. Second, the principle of data source availability examines “which external data sources contain the patients’ identifiers and the replicable features in health information, as well as who is permitted access to the data source.” Id. In its guidance, HHS indicates that lab reports with identifying information, which are often confined to healthcare environments, are low risk, while patient names and demographic information, which often appear in public sources (e.g., vital records), are high risk. Third, the principle of distinguishability requires a determination of “the extent to which the subject’s data can be distinguished in the health information.” Id. Stable, publicly available and distinguishing features (a full birth date combined with a ZIP code, for instance) therefore carry the highest re-identification risk, while variable clinical measurements carry the least.
Finally, the HHS guidance addresses the Safe Harbor Method, pursuant to which a covered entity can de-identify PHI by adhering to a prescribed framework that mandates removal of the 18 categories of identifiers listed in the rule (such as names, geographic subdivisions smaller than a state, most date elements, contact details, account and record numbers, and biometric identifiers) from the health information. In addition, the Safe Harbor requires that the covered entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual. 45 C.F.R. § 164.514(b)(2). The HHS guidance offers clarification on several of these identifiers (for example, how dates and ZIP codes may be retained in generalized form), enabling the covered entity to better navigate the de-identification process. In addition, the guidance provides examples of what constitutes “actual knowledge.” Finally, the guidance explains that once data has been de-identified in accordance with the Safe Harbor, it is no longer PHI, and covered entities are not required to enter into data use agreements when sharing the information with third parties.
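The following is an added worked example, not part of the original article and not HHS or Pierce & Mandell material. It ties the Safe Harbor paragraph above to the distinguishability principle from the expert determination discussion: it applies the Safe Harbor generalization rules for dates, ages and ZIP codes from 45 C.F.R. § 164.514(b)(2) to a small set of constructed (entirely fictitious) patient records, strips direct identifiers, and then measures how many records remain unique on their quasi-identifiers before and after. The records, the reference date, the subset of direct-identifier field names, and the illustrative set of low-population three-digit ZIP prefixes are all assumptions made for the example; a real implementation must use the full identifier list in the rule and current Census figures for the ZIP prefixes.

```python
from collections import Counter
from datetime import date

# Constructed sample; every name, number and date below is fictitious.
RECORDS = [
    {"name": "Ann Abbot",   "mrn": "MRN-001", "dob": date(1950, 3, 14), "zip": "02108", "sex": "F", "admit_date": date(2012, 5, 1),  "glucose": 101},
    {"name": "Beth Bryce",  "mrn": "MRN-002", "dob": date(1950, 7, 2),  "zip": "02116", "sex": "F", "admit_date": date(2012, 6, 9),  "glucose": 94},
    {"name": "Cara Cole",   "mrn": "MRN-003", "dob": date(1950, 11, 30),"zip": "02134", "sex": "F", "admit_date": date(2011, 1, 20), "glucose": 130},
    {"name": "Dan Doyle",   "mrn": "MRN-004", "dob": date(1982, 1, 5),  "zip": "10001", "sex": "M", "admit_date": date(2012, 2, 2),  "glucose": 88},
    {"name": "Ed Evans",    "mrn": "MRN-005", "dob": date(1982, 9, 19), "zip": "10016", "sex": "M", "admit_date": date(2012, 3, 3),  "glucose": 112},
    {"name": "Fay Finch",   "mrn": "MRN-006", "dob": date(1919, 6, 21), "zip": "05901", "sex": "F", "admit_date": date(2012, 8, 8),  "glucose": 105},
    {"name": "Gwen Gray",   "mrn": "MRN-007", "dob": date(1920, 2, 2),  "zip": "05902", "sex": "F", "admit_date": date(2012, 9, 9),  "glucose": 99},
    {"name": "Hal Hunt",    "mrn": "MRN-008", "dob": date(1975, 5, 5),  "zip": "60614", "sex": "M", "admit_date": date(2012, 4, 4),  "glucose": 121},
]

# Assumed reference date for computing ages (the date of the data release).
REFERENCE_DATE = date(2012, 11, 26)

# Assumed subset of the Safe Harbor direct identifiers present in this
# sample. The rule lists 18 categories; a real filter must cover all of them.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email"}

# Date fields other than the birth date; Safe Harbor allows only the year.
OTHER_DATE_FIELDS = {"admit_date"}

# Illustrative low-population 3-digit ZIP prefixes (fewer than 20,000 people);
# Safe Harbor requires these to be replaced with "000". Populate from current
# Census data in practice; this two-element set is only for the example.
LOW_POPULATION_ZIP3 = frozenset({"036", "059"})


def age_on(dob, reference):
    """Completed years between a birth date and the reference date."""
    had_birthday = (reference.month, reference.day) >= (dob.month, dob.day)
    return reference.year - dob.year - (0 if had_birthday else 1)


def apply_safe_harbor(record, reference=REFERENCE_DATE, low_pop_zip3=LOW_POPULATION_ZIP3):
    """Return a copy of one record with Safe Harbor generalizations applied:
    direct identifiers dropped, ZIP truncated to 3 digits (or 000), other
    dates reduced to the year, and birth date reduced to birth year, or to an
    aggregated age of "90+" with no year when the person is over 89."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in low_pop_zip3 else zip3
        elif field == "dob":
            if age_on(value, reference) > 89:
                out["age"] = "90+"          # no birth year for ages over 89
            else:
                out["birth_year"] = value.year
        elif field in OTHER_DATE_FIELDS:
            out[field + "_year"] = value.year
        else:
            out[field] = value              # e.g. sex, lab values
    return out


def uniqueness(records, keys):
    """Fraction of records whose combination of the given fields is unique in
    the data set: a simple measure of distinguishability. 1.0 means every
    record stands alone on those fields."""
    combo = lambda r: tuple(r.get(k) for k in keys)
    counts = Counter(combo(r) for r in records)
    return sum(1 for r in records if counts[combo(r)] == 1) / len(records)


def deidentify(records=RECORDS):
    return [apply_safe_harbor(r) for r in records]


if __name__ == "__main__":
    before = uniqueness(RECORDS, ("dob", "zip", "sex"))
    after = uniqueness(deidentify(), ("birth_year", "age", "zip3", "sex"))
    print(f"unique on raw quasi-identifiers: {before:.3f}")
    print(f"unique after Safe Harbor:        {after:.3f}")
```

On the raw records every patient is unique on (birth date, ZIP, sex), which is exactly the stable, publicly replicable combination the guidance flags as high risk; after Safe Harbor generalization only one of the eight records remains unique. A low uniqueness figure does not by itself satisfy the rule (the actual-knowledge condition and the full identifier list still apply), but it is the kind of measurement an expert would document under the expert determination method.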
Pierce & Mandell’s health care lawyers can assist in all phases of HIPAA compliance for medical and dental professionals. Contact us.