The guidance on the de-identification requirements of the HIPAA Privacy Rule was mandated under the Health Information Technology for Economic and Clinical Health (HITECH) Act, given concerns that existing rules are no longer adequate as the health care industry moves rapidly toward digitized data. According to OCR, “the increasing adoption of health information technologies in the United States accelerates their potential to facilitate beneficial studies that combine large, complex data sets from multiple sources.”
The Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. It also establishes two de-identification methods: (a) a formal determination by a qualified expert applying statistical or scientific principles that the risk of identification by an individual is very small (Expert Determination Method); or (b) the removal of 18 specified individual identifiers in combination with the absence of actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual (Safe Harbor Method). Successful application of either method yields de-identified data, the use and disclosure of which is not restricted by the Privacy Rule because it is not considered PHI.
Guidance on Satisfying the Expert Determination Method
The guidance addresses the following key issues with respect to the Expert Determination Method.
Definition of an Expert
OCR did not specifically define an “expert,” but it noted that from an enforcement perspective, it would review the academic or other training of the expert (in the statistical, mathematical, or other scientific domains), as well as the relevant actual experience of the expert using health information de-identification methodologies. This suggests that covered entities need to consider the adequacy of the qualifications of an individual who certifies that a data file is de-identified. If a covered entity does not employ such an expert, it may need to obtain appropriate consultant services.
Acceptable Method for Determining Identification Risk
Approaches to Mitigate the Risk of Identification of an Individual
Use of a Data-Sharing Agreement for De-identified Data
Guidance on Satisfying the Safe Harbor Method
The Safe Harbor Method provides that de-identification may be achieved by removing from the health information 18 specific identifiers of the individual to whom the PHI relates, and the individual’s relatives, employers, or household members, in combination with the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual. OCR provides explanation on the use of ZIP codes in de-identified information, the use of derivatives of listed identifiers, and the permitted use of dates and names. In particular, explanations provided in the guidance regarding what constitutes “any other unique identifying number, characteristic or code,” and “actual knowledge” under the Safe Harbor Method may help covered entities interpret those provisions of the Privacy Rule with greater confidence.
What Constitutes “Any Other Unique Identifying Number, Characteristic or Code”
The OCR guidance offered an explanation of what is included in the catch-all category of “any other unique identifying number, characteristic or code.” This category refers to any unique features that are not explicitly enumerated in the Safe Harbor list of specified identifiers but that could be used to identify a particular individual. Examples of such identifiers provided by OCR include clinical trial record numbers (identifying number), and the occupation of a patient, if it was listed as “current President of State University,” or similarly unique description (identifying characteristic). Similarly, a code derived from a secure hash function without a secret key, and a unique barcode embedded into patient records or their medications (identifying code) would be considered identifying elements. However, codes or other means of record identification assigned by the covered entity are not considered direct identifiers that must be removed under the Safe Harbor Method if: (a) the code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (b) the covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism or secret key that would permit re-identification.
The guidance also emphasizes that to satisfy the Safe Harbor, a covered entity must not have “actual knowledge,” i.e., clear and direct knowledge, that the remaining information could be used either alone or in combination with other information to identify an individual who is the subject of the information.
To illustrate this principle, OCR includes an extensive explanation and provides four examples of when a covered entity would fail to meet the “actual knowledge” provision by removing the enumerated identifiers because the risk of identification is of a nature and degree that the covered entity must have concluded that the information could be used to identify individual patients.
The guidance provides that a covered entity’s mere knowledge of methods, such as statistical methods to identify remaining information or to use de-identified information alone or in combination with other information to identify an individual, by itself, does not mean that the covered entity has “actual knowledge” that the methods would be used with the data it is disclosing. Covered entities are not expected to presume that all potential recipients of de-identified data have the capacity to use such methods.
This OCR guidance provides important industry guidance, but allows considerable flexibility in ways that covered entities may de-identify PHI. This puts the onus on covered entities to carefully consider the risks associated with various methods of de-identification of PHI. In consideration of these issues, covered entities may want to include provisions in their agreements with business associates that address the responsibility for adequately de-identifying data. Further, covered entities may want to evaluate the potential use of data use agreements for their organization as a means to provide some control over the secondary uses of de-identified data.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this Alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:
M. Leeann Habte
Los Angeles, California
James R. Kalyvas
Los Angeles, California
R. Michael Scarano, Jr.
San Diego, California
Alexandre C. Nisenbaum
Los Angeles, California