The U.S. Department of Health and Human Services (HHS) recently released guidance on methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The guidance, which was required under Section 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, answers questions about the two methods that can be used to satisfy the HIPAA de-identification standard in 45 C.F.R. § 164.514. It also incorporates input from stakeholders that HHS received at a workshop held in March 2010.

As summarized in the figure below, the two methods by which health information can be designated as de-identified under HIPAA are (1) the “expert determination” method and (2) the “safe harbor” method.

 

Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule

HHS’s guidance on the Expert Determination method of de-identification addresses a number of issues, including:

  • who constitutes an “expert”
  • the “very small” level of identification risk
  • the length of time that an expert determination is valid
  • acceptable approaches and principles for assessing the risk that health information can be identified (including the degree to which a data set can be “linked” to a data source that reveals the identity of the corresponding individuals)
  • acceptable approaches for mitigating the risk of identification
  • what constitutes a code and how it relates to PHI

HHS also describes the process for an expert determination of de-identification, which is depicted in the figure below.

Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule

HHS’s guidance on the Safe Harbor method of de-identification further describes the circumstances under which covered entities may include the first three digits of ZIP codes in de-identified information, directing covered entities to consult the most current publicly available Bureau of Census data regarding ZIP codes. 

In addition, the Safe Harbor guidance:

  • clarifies that parts or derivatives of any of the 18 listed identifiers (including initials) may not be disclosed
  • confirms that dates associated with test measures for a patient constitute PHI and therefore cannot be reported
  • provides examples of identifiers that would fall into the category of “any other unique identifying number, characteristic, or code”

HHS also clarifies that, in the Safe Harbor context, “actual knowledge” means “clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is the subject of the information.”  The guidance describes four examples that illustrate when a covered entity would fail to meet the “actual knowledge” provision.  The examples involve a revealing occupation, a clear familial relation, a publicized clinical event, and knowledge of a recipient’s ability to identify the information, respectively.

The guidance addresses many of the thorny issues surrounding de-identification, and should be a helpful resource for covered entities and business associates seeking to de-identify health information in accordance with the HIPAA standard.

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.