On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (“OCR”) published a thirty-two page document titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (“De-Identification Guidance”). OCR described the guidance document as a culmination of two years of work by “stakeholders with practical, technical and policy experience in de-identification.” OCR also acknowledged that the guidance implements many of the issues and topics that were raised during an OCR workshop held in Washington, DC on March 8-9, 2010.
By way of background, the HIPAA Privacy Rule protects individually identifiable health information that is held or transmitted by covered entities (defined as health care providers, health plans, and health clearing houses) and their business associates (i.e., various service providers). This information is called protected health information, or PHI. The HIPAA Privacy rule imposes various rules on the uses and disclosures of PHI created or maintained by covered entities. However, once information has been de-identified, it is no longer PHI subject to the HIPAA Privacy Rule. As a way to mitigate HIPAA Privacy Rule exposure, covered entities de-identify information that would otherwise be PHI if it were not de-identified.
Under Section 164.514(b) of the HIPAA Privacy Rule, two methods may be used to de-identify PHI: (1) the expert determination method and (2) the safe harbor method. OCR was required by the Health Information Technology for Economics and Clinical Health (“HITECH”) Act to address the HIPAA Privacy Rule de-identification standard and to issue guidance. OCR’s De-Identification Guidance provides insights on OCR’s expectations for de-identification methods that should apply to traditional paper and digital records.
Expert Determination Method
Under Section 164.514(b)(1) the covered entity may determine that the PHI is de-identified only if “A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable … determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual.” The De-Identification Guidance provides additional guidance on who is an “expert” for purposes of rendering health information de-identified. OCR determined that no specific professional degree or certification program is required. Relevant expertise may be gained through various routes of education and experience but would be typically found in the statistical, mathematical or scientific fields.
The de-identification expert should document his or her relevant professional experience and academic or other training as well as the expert’s actual training using health information de-identification methodologies. The de-identification expert is also required to document the methods and results of the analysis that the expert used to reach a determination that the risk of identification of PHI is “very small.” The De-Identification Guidance does not give a numerical level for “very small” but describes it as a risk level that is determined by the expert based on the ability of an anticipated recipient to identify an individual. The risk level will depend on a number of factors such as (1) replicability; (2) data source availability; (3) distinguishability; and (4) access risk. OCR may demand the de-identification expert’s documentation supporting the expert’s training, experience, methods and results of the risk level analysis. It is recommended that the covered entity or business associate save these supporting documents.
Safe Harbor Method
The second way that PHI may be de-identified is called the safe harbor method. Under Section 164.514(b)(2) the covered entity may de-identify PHI by removing 18 specific identifiable elements relating to the individual who is the subject of the information or relatives, employers, or household members of the individual and the covered entity must have no actual knowledge that the de-identified information could be used alone or in combination with other information to identify an individual who is a subject of the information. The De-Identification Guidance clarifies (1) how covered entities may include ZIP codes in de-identified information (using the first three digits of the ZIP code and 000 if the geographic area is less than 20,000 people; (2) that patient initials or the last four digits of a Social Security number may not be used to de-identify PHI under the safe harbor method; (3) that a covered entity or business associate must record a patient’s age as “90 or above” when the patient is over 89 years old; and (4) that other unique identifying numbers, characteristics or codes such as “current President of State University” must be removed.
The De-Identification Guidance also addresses what is “actual knowledge” for the remaining information after de-identification. A covered entity has actual knowledge if it concludes that the remaining information could be used to identify the individual. OCR provides four examples in the De-Identification Guidance to illustrate when a covered entity fails to meet the “actual knowledge” provision. The examples are (1) a revealing occupation; (2) a clear familial relationship; (3) a publicized clinical event; and (4) knowledge of a recipient’s ability to re-identify the de-identified PHI.
Free Text Fields
The De-Identification Guidance warns covered entities to de-identify data entered into standardized fields and information entered as free text in unstructured fields. Free text is used regularly in the health care industry in documents such as discharge summaries, progress notes, clinical narratives and laboratory test interpretations. In order to meet the requirements of the safe harbor standard the covered entity must de-identify all PHI regardless of whether it appears in a structured field or in free text.
Practical Impact
Health plans and health providers (and their business associates) who wish to limit the information in their possession that is subject to the HIPAA Privacy Rule (thus mitigating the risk of a HIPAA Privacy Rule violation or breach) should review their de-identification processes in light of the De-Identification Guidance. Consideration should be given as to which method the entity uses for de-identification and the entity should consult the De-Identification Guidance before the PHI is de-identified.
Here is a link to OCR’s De-Identification Guidance and the OCR Website for the March 8-9, 2010 workshop on HIPAA Privacy Rule’s de-identification methodologies and policies. The website includes streaming video of the workshop.