On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (OCR) released guidance on how covered entities can de-identify protected health information (PHI) under HIPAA. De-identifying PHI is the process of removing data from health records that could link the PHI with individual patients. If a covered entity de-identifies PHI, it can then use or disclose the data without any HIPAA concerns.
The OCR Guidance provides two methods for covered entities to de-identify PHI: the expert determination method and the safe harbor method.
Expert Determination Method
The first method of de-identification offered by the OCR requires the covered entity to hire an expert to de-identify the PHI. The OCR does not specifically identify whom it will consider an expert, only that the person must have “appropriate knowledge of and expertise with generally accepted statistical principles and methods for rendering information not individually identifiable….”
Experts must determine that the risk of de-identified PHI being re-identified is “very small,” and they must be able to provide documentation and methodologies with regard to how they reached their determinations.
Safe Harbor Method
Covered entities that do not wish to hire an expert can follow the safe harbor method to de-identify PHI. Under this method, the covered entity must remove the categories of identifying information that OCR lists in its guidance. Examples include dates and geographic subdivisions smaller than a state, such as zip codes and counties.
The key to falling within the safe harbor is that the covered entity must have no actual knowledge that the remaining data could be used to identify individuals after the de-identification process. A covered entity would not meet this standard if it knew that the PHI contained a unique identifying characteristic, such as a high-profile occupation.
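As an added illustration (not part of the OCR guidance or this article), the following script applies the two parts of the safe harbor described above to a constructed patient record: it strips the identifier categories the article names (dates, and geographic units smaller than a state) and then applies the “no actual knowledge” test by refusing to treat a record as de-identified when a remaining value is a characteristic the entity already knows is identifying, such as a high-profile occupation. The field names and the list of known unique values are assumptions; keeping only the year of each date follows the Safe Harbor rule’s own date exception, which the article does not spell out.

```python
import re

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1987-03-14",
    "admit_date": "2012-11-26",
    "state": "MD",
    "county": "Montgomery",
    "zip": "20850",
    "occupation": "Governor of Maryland",
    "diagnosis": "hypertension",
}

# Field groupings are assumptions about this record's schema.
DIRECT_IDENTIFIERS = {"name"}          # names are also on OCR's identifier list
DATE_FIELDS = {"dob", "admit_date"}    # dates: the article says remove them
SUB_STATE_GEO = {"county", "zip"}      # geographic units smaller than a state
DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def safe_harbor_strip(record):
    """Drop the identifier categories named above, keeping only the year of
    each date (the Safe Harbor rule's own exception; an assumption relative
    to the article, which just says 'dates')."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO:
            continue
        if key in DATE_FIELDS:
            match = DATE_RE.match(value)
            out[key + "_year"] = match.group(1) if match else None
            continue
        out[key] = value
    return out


def de_identify(record, known_unique_values):
    """Apply safe harbor stripping, then the 'no actual knowledge' test: if a
    remaining value is something the entity knows identifies a person (e.g. a
    high-profile occupation), the record is not eligible for the safe harbor."""
    stripped = safe_harbor_strip(record)
    reasons = [f"{k}={v!r}" for k, v in stripped.items() if v in known_unique_values]
    return {"eligible": not reasons, "record": stripped, "reasons": reasons}


if __name__ == "__main__":
    # Constructed set of characteristics the entity knows to be identifying.
    print(de_identify(SAMPLE_RECORD, {"Governor of Maryland"}))
```

The record fails the eligibility check only because of the occupation value; with no known unique values it passes, with the state and the year of each date retained.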
The OCR acknowledges in its guidance that neither method of de-identification eliminates the risk that someone could trace the de-identified data back to an individual, but the OCR believes the risk is “very small.” And if the covered entity follows the steps in the OCR’s guidance, it will not be liable under the HIPAA Privacy Rule if someone later finds a way to improperly use the de-identified data.
The OCR Guidance can be found in full here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html