HIPAA places tight restrictions on the use and disclosure of protected health information, but there are many ways to “de-identify” it, freeing it from HIPAA’s constraints. Covered entities and business associates can use de-identification to reduce their exposure to HIPAA and expand their use of health data. On Nov. 26, 2012, the HHS Office for Civil Rights released guidance on how health information may be de-identified. While the guidance does not break much new ground, it offers some helpful clarification.
The guidance on de-identification, which was mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, part of the American Recovery and Reinvestment Act of 2009, discusses the two methods of de-identification under HIPAA: (1) the “expert determination method” and (2) the “safe harbor method.”
The expert determination method involves a person with appropriate statistical and scientific knowledge and experience determining that the risk of identification is “very small.” The guidance discusses techniques for reducing the risk of identification. The guidance confirms that the expert may rely on traditional statistical techniques, contractual protections such as a data use agreement, and cryptographic techniques such as “hashing” to reduce the risk of identification. These techniques allow retention of more dates and geographic information and can allow linkage of multiple de-identified data sets.
The safe harbor method involves the removal of 18 identifiers and the covered entity not having actual knowledge that the resulting information can be used to identify an individual. The guidance makes plain how stringent this method can be, confirming that any element of a date more specific than a year that relates to an event may not be included. The guidance clarifies what is meant by “actual knowledge.” Knowing that a data set includes a unique characteristic, such as a unique employment position, means that the information does not pass the safe harbor test. In contrast, merely knowing that there is a risk of identification, such as knowledge of a study suggesting that a data set could be re-identified, does not cause a data set to fail the safe harbor test. Knowledge of publicity, such as knowledge that a particular clinical case has been the subject of news reports, can cause information to fail the safe harbor set.
The guidance teaches two key lessons. First, health information generally is considered to be individually identifiable unless some stringent requirements are met. It is important for members of the workforce to know that seemingly anonymous pieces of information may fail the de-identification tests (e.g., because they implicate a date). Second, with the use of an appropriate expert, there remains ways to de-identify information while retaining important properties that otherwise might be lost through application of the safe harbor method.