HHS Details Accepted De-Identification Methods For PHI

 

The Department of Health and Human Services (HHS) has issued guidance, primarily in a question-and-answer format, on the methods and approaches necessary to achieve de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance on the de-identification of PHI reflects input received from the Office for Civil Rights (OCR) from stakeholders with practical, technical, and policy experience in de-identification, and it was required to be issued by the HHS under Sec. 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA’s privacy rule protects most “individually identifiable health information” that would contain a patient’s name and/or other identifying information associated with health data content, and would include such documents as medical records, laboratory reports, or hospital bills.

Although only certain uses and disclosures of PHI are permitted by HIPAA’s privacy rule, HHS Reg. Sec. 164.502(d) does permit covered entities or business associates to use PHI to create information that is not individually identifiable by following the de-identification standard and implementation specifications of HHS Reg. Sec. 164.514. Under the relevant standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. The implementation specifications provide two methods for de-identification: (1) the expert determination method (HHS Reg. Sec. 164.514(b)(1)), which involves a person with appropriate knowledge and experience applying statistical or scientific principals and determining that the risk is very small that a recipient could identify an individual who is the subjection of the PHI, and (2) the safe harbor method, found at HHS Reg. Sec. 164.514(b)(2), which involves the removal from the PHI of 18 types of personal identifiers, such as names and geographical locations. HHS Reg. Sec. 164.514(c) also provides directions for covered entities to re-identify PHI, as necessary.

Expert determination method. The HHS points out that the notion of expert certification is not unique to the health care field, and says that relevant expertise for purposes of the expert determination method may be gained in a variety of ways.

Some of the guidance provided by the HHS is still a bit vague. The HHS states that it has no specific numerical level of PHI risk that would universally meet this method’s required “very small” risk level. It would be up to the expert, the HHS says, to determine an appropriate timeframe within which the PHI will be considered reasonably protected from identification of an individual.

The HHS also states that an expert will be permitted to drive multiple solutions from the same data set for a recipient. In those instances, care must be taken, the HHS cautions, to ensure that data sets cannot be combined to compromise the necessary protections.

There also is no single universal solution, says the HHS, that would address all privacy and identifiability issues, and no particular process will be required for an expert to use to reach a determination that the risk of identification is very small. No particular method will be required for assessing risk.

Furthermore, no particular approach is required to mitigate, or reduce to very small, any identification risk, although a survey of potential approaches is included in the HHS guidance. It is required, however, that the methods and results used to justify any determination be documented and made available to the OCR upon request.

The guidance includes a general workflow chart for expert determinations as well as a table containing descriptions of principles to use when considering the identification risk of health information.

The HHS points out that there has been confusion with regard to what constitutes a code and how it relates to PHI, and, for clarification, the HHS quotes guidance from the National Institutes of Standards and Technology (NIST) and adds that, in line with the NIST guidance, covered entities may disclose codes derived from PHI as part of a de-identified data set if an expert determines that the data meets the de-identification requirements of HHS Reg. Sec. 164.514(b)(1).

Finally, although there is no limit in the privacy rule for the disclosure of de-identified PHI, the HHS points out that covered entities could always require recipients of de-identified information to enter into a data use agreement that would prohibit re-identification.

Safe harbor method. The HHS states that the first three digits of ZIP codes may be included in de-identified information unless the ZIP codes contain the initial three digits listed in a table of 17 restricted ZIP codes provided in the guidance.

The HHS also states that a data set containing patient initials or the last four digits of a Social Security number would not meet the requirements for the safe harbor method of de-identification. Dates that would not be permitted include any that are more specific than the year of an event, as well as dates associated with test measures, such as those derived from a lab report.

The HHS also advises that covered entities ensure that data sets stripped of explicitly enumerated identifiers do not contain other unique features that may not be on the safe harbor list provided in the guidance of 18 identifiers that must be removed. Those other unique features might include such things as unusual occupations or barcodes that pertain to particular patients.

The guidance also includes examples of when covered entities would fail to meet the “actual knowledge” standard, so that remaining information could be used to identify the person who is the subject of the information. Such examples include a revealing occupation, such as president of a state university, a clear familial relation, perhaps to the recipient of the information, or a publicized clinical event, when, for example, a patient might be in the news for giving birth to an unusually large number of children.

The HHS states that a covered entity’s mere awareness of studies about methods to either identify remaining information or use de-identified information alone or in combination with other information to identify an individual does not, by itself, mean that it has “actual knowledge” that those methods would be used with the data it is disclosing.

Also, covered entities do not necessarily have to suppress all personal names, such as physician names, from health information for the information to be designated as de-identified, and PHI does not necessarily have to be removed from free text fields to satisfy the safe harbor method, but if a free text field identifier is listed in the safe harbor standard or would otherwise cause the covered entity to fail to meet the “actual knowledge” provision, it must be removed.

In the new guidance the HHS also emphasizes the importance of sufficient documentation for the de-identification process, and cautions that esoteric notations, such as acronyms understood only by the covered entity’s employees, may lead to incomplete redaction of necessary information. Finally, the guidance includes, at the end, a glossary containing terms such as “covered entity” and “protected health information” that are paraphrased from regulatory text.

For more information, visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html and http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf.

Visit our News Library to read more news stories.