HHS Issues New Guidance On De-Identifying Protected Health Information
By Jacqueline Klosek1 and Anna Hsia2, Goodwin Procter LLP, New York, NY
The Office for Civil Rights (“OCR”) of the United States Department of Health and Human Services recently issued a report entitled, “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (the “De-identification Guide”).3 The De-identification Guide provides important insight into how OCR would enforce statutes relating to the de-identification of health information and is thus very useful information for all entities that wish to make use of de-identified health information for research, marketing, business development or other purposes.
HIPAA’s Privacy Rule generally prohibits disclosure of protected health information (“PHI”). Certain health information presents ripe opportunities for medical advancement and research and other uses that are unrelated to the care of the individual. Balancing the benefits of this research against the need for privacy, Section 164.502(d) of the Privacy Rule enables covered entities to de-identify information for disclosure. The Privacy Rule provides for two de-identification methods: (1) the Expert Determination Method and (2) the Safe Harbor Method. Because de-identified information is no longer considered PHI, the Privacy Rule does not prevent the disclosure of such de-identified information. In its recently issued De-identification Guide, OCR provides the following guidance on each of these two methods:
The Expert Determination Method: Section 164.514(b)(1)
- Under the Expert Determination Method, a “person with appropriate knowledge of an experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” will apply these principles and methods to determine that the risk of identification by an anticipated recipient is no more than “very small.”4 The expert must also document the methods and results of his/her analysis that justify the de-identification determination. The De-identification Guide contains important clarifications that are useful for Covered entities and their business associates5 considering the use of the Expert Determination Method: Definition of “Expert”: An individual need not have a specific academic background or experience to qualify as an “expert” under this Section. However, should OCR commence an enforcement proceeding, OCR will review the expert’s education, experience, and actual experience in de-identification.6 Covered entities should thus appoint experts with appropriate knowledge and experience.
- Definition of “Very Small”: Properly de-identified information carries no more than a “very small” risk of identification by anticipated recipients. OCR does not numerically define “very small.” But because the degree of risk highly depends on the identity of anticipated recipients, OCR cautions covered entities to utilize experts who can adequately identify all anticipated recipients to assess the identification risk.7
- Expiration Date for De-identification Designation: The Privacy Rule does not mandate that expiration dates be attached to de-identified information.8 But covered entities should monitor previously de-identified information in light of changes in technology and information availability. Covered entities should also retain thorough records of these periodic reviews.
- Methodology: Although the Privacy Rule does not mandate any specific methodology, OCR requires that experts apply “generally accepted statistical and scientific principles.”9 OCR anticipates a process whereby (1) an expert evaluates the extent to which health information can be identified by anticipated recipients; (2) the expert suggests risk mitigation methods; (3) mitigation techniques are applied on that data set; and (4) the expert evaluates the new data set to confirm that the risk of identification is no more than “very small.”10
- Evaluating the Risk of Identification: As part of the risk evaluation, an expert should consider principles set forth in the De-identification Guide. These principles include (1) replicability, or the degree to which health information remains consistently the same in an individual; (2) data source availability, or the extent to which data from health information can be found in external data sources; and (3) distinguishability, or the extent to which data can be distinguished in the health information.11
- Risk Mitigation: The Privacy Rule does not mandate any specific method for risk mitigation. In the De-identification Guide, OCR suggests possible means of risk mitigation. These include (1) suppressing certain features of the data; (2) generalizing specific data into more abstract data; and (3) replacing specific values with equally specific, but different values.12 An expert may plausibly design multiple solutions for a single data set but should confirm that those solutions could not be combined for identification purposes.
- Data Use Agreements: The De-identification Guide also suggests that experts may recommend using data use agreements to reduce risk.13 The Privacy Rule currently allows disclosure of a limited data set for certain purposes.14 Disclosure of this type of PHI must be pursuant to a data use agreement which restricts use of the data by the recipient and thereby mitigates risk of identification.15
- Re-identification: Covered entities may assign codes to de-identified records to enable re-identification by authorized persons. These codes may be disclosed, provided an expert determines that the codes themselves meet the Privacy Rule’s de-identification requirements.16 Covered entities should mitigate against the risk of identification where data has been altered to allow for re-identification.
The Safe Harbor Method: Section 164.514(b)(2)
Under the Safe Harbor Method, a covered entity may comply with the Privacy Rule if the covered entity (1) removes the enumerated “identifiers of the individual or of relatives, employers, or household members of the individual,” as set forth in Section 164.514(b)(2)(i); and (2) does not have “actual knowledge” that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.17 Although OCR intends for the Safe Harbor Method to be easy to follow, covered entities should be aware of the clarifications set forth in the De-identification Guide, including:
- Zip Codes: Covered entities may include the first three digits of a zip code if the “current publicly available data from the Bureau of the Census” shows that (1) the geographic unit formed by combining all zip codes with the same three initial digits includes more than 20,000 individuals; or (2) the initial three digits of a zip code for all such geographic units including 20,000 or fewer individuals is changed to 000. But covered entities must be careful to use the most current Census data.18 Use of outdated data may expose a covered entity to an investigation or enforcement proceeding.
- Disclosure of Parts of Enumerated Identifiers: The De-identification Guide clarifies that “parts or derivatives” of any of the enumerated identifiers may not be disclosed consistent with the Safe Harbor Method.19 Thus, because patient names must be withheld, patient initials must also be withheld from disclosure.
- Disclosure of Dates: Covered entities may not disclose the day, month or any other information that is more specific than the year of an event.20 Covered entities should also ensure that specific dates cannot be extrapolated by combining information in a data set.
- “Any Other Unique Identifying Number, Characteristic, or Code”: The Privacy Rule prohibits disclosure of any unique features that are not explicitly enumerated in the Safe Harbor list but could be used to identify a particular individual. The De-identification Guide’s examples include clinical trial record numbers, barcodes, and unique occupations.21
- Definition of “Actual Knowledge”: Actual knowledge means “clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information.”22 Examples include disclosing an individual’s revealing and unique occupation, or disclosing a rare and publicized clinical event.
- Disclosure of Names of Healthcare Personnel: The De-identification Guide clarified that only the names of the individuals associated with the corresponding health information, and of their relatives, employers, and household members, need to be suppressed to comply with the Safe Harbor Method. Healthcare personnel may be identified, but covered entities should ensure that identification would not give rise to a violation under the “actual knowledge” standard.23
- Disclosure of Information in Free Text Fields: Health data commonly includes “free text fields” where healthcare personnel may insert protected information about a particular individual. The Safe Harbor Method requires removal of this information where the covered entity has “actual knowledge” that the information could be used for identification purposes.24 Covered entities should avoid being deliberately ignorant however, as the De-identification Guide provides examples of information that may appear in a free text field and would require removal.
- Data Use Agreements: While not required to satisfy the Safe Harbor Method, nothing prevents a covered entity from entering into a data use agreement to further safeguard the information and depending on the circumstances, in certain contexts, covered entities may find it prudent to do so.
As the healthcare industry continues to find new ways to leverage healthcare information, the De-Identification Guide is helpful information for covered entities and business associates that desire to make use of health related information without running afoul of HIPAA’s Privacy Rule. With the Expert Determination and Safe Harbor methods, HIPAA covered entities and business associates have two clear options for ensuring that PHI is effectively de-identified. No matter what method is employed, covered entities and their business associates should ensure that copious records are maintained of the de-identification process should OCR commence an investigation or enforcement proceeding.
Jacqueline Klosek is Senior Counsel with Goodwin Procter LLP, where she is a member of the firm’s Privacy and Data Security Task Force. She is the author of several books, including Protecting Your Health Privacy (Praeger, 2012). She may be reached at: firstname.lastname@example.org
Anna Hsia is an Associate with Goodwin Procter LLP. She may be reached at: email@example.com
Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
“Covered entities” are entities that must comply with HIPAA’s Privacy Rule. Broadly speaking, covered entities include individual and group health plans, healthcare providers who electronically transmit health information, and healthcare clearinghouses. Business associates are persons or organizations that perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of PHI. Where covered entities enlist a business associate, the Privacy Rule requires the covered entity to contractually bind the business associate to protect PHI. Thus, individuals and entities performing “business associate” activities should also be aware of HIPAA Privacy Rule protections.
See De-identification Guide at 10.
See id. at 10-11.
Id. at 11.
|9||Id. at 16.|
Id. at 13.
|11||De-identification Guide at 13-15.|
See generally id. at 18-21.
See id. at 11, 21.
|14||See 45 C.F.R. § 164.514(e).|
|16||See De-identification Guide at 21-22.|
|17||Id. at 23.|
|18||Id. at 25.|
|19||Id. at 25.|
|20||Id. at 25.|
|21||De-identification Guide at 26.|
|22||Id. at 27.|
|23||Seeid. at 28-29.|
|24||Id. at 29.|
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.