HHS Publishes Guidance on How to De-Identify Protected Health Information
On November 26, 2012, the Department of Health and Human Services’ Office of Civil Rights (“OCR”) published guidance on the two methods for de-identifying protected health information (“PHI”) in accordance with the HIPAA Privacy Rule. The guidance, which was required by the Health Information Technology for Clinical and Economic Health (“HITECH”) Act, has been developed over several years by OCR in collaboration with healthcare entities and other industry experts and builds upon the discussions from a workshop on de-identification that took place in March 2010.
The guidance covers three main topics: (1) key terms in the HIPAA Privacy Rule, (2) the statistical expert method for de-identifying PHI, and (3) the safe harbor method for de-identifying PHI.
The guidance notes that there are two methods for de-identifying PHI in accordance with the HIPAA Privacy Rule: (1) engaging a statistical expert to determine that the risk is “very small” that a given data set could identify an individual, or (2) removing each of 18 specific data elements, including an individual’s name and all elements of dates directly related to an individual, from the data set.
In discussing the use of a statistical expert to de-identify PHI, the guidance starts out by noting that “[t]here is no explicit numerical level of identification risk” that will satisfy the requirement that the risk of identifying an individual be “very small.” The guidance further clarifies that a de-identification determination does not have an expiration date and may need to be reexamined as “technology, social conditions, and the availability of information changes over time.” Finally, the guidance briefly discusses the principles used in statistical de-identification: replicability, data source availability, distinguishability and the ultimate assessment of risk.
With respect to the safe harbor method, the guidance clarifies whether specific data need to be removed from a given data set before it can be de-identified. It notes that derivations of one of the 18 data elements, such as a patient’s initials or last four digits of a Social Security number, are considered PHI. With respect to dates, the guidance clarifies that “[e]lements of dates that are not permitted for disclosure include the day, month, and any other information that is more specific than the year of an event” and that any dates “associated with test measures, such as those derived from a laboratory report, are directly related to a specific individual and relate to the provision of health care. Such dates are protected health information.” Finally, the guidance highlights two specific examples of the catch-all data element that is “any other unique identifying number, characteristic, or code:” (1) a bar code in a patient or prescription record and (2) an occupation such as “current President of State University.”
OCR’s guidance is detailed and should provide some clarity on the specifics on de-identification for covered entities and their business associates. Because of the widespread use of dates and other unique numbers and codes in the healthcare industry, covered entities may wish to consider availing themselves of the statistical expert method instead of the safe harbor method to ensure that their de-identification complies with the requirements of the HIPAA Privacy Rule.