United States: HIPAA De-Identification Guidance

The Office for Civil Rights has released additional guidance addressing the de-identification of protected health information in accordance with the HIPAA Privacy Rule. Covered entities should review their current de-identification methods and make any necessary changes to comply with the new guidance.

On November 26, 2012, the Office for Civil Rights (OCR) released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (Privacy Rule).

The guidance largely restates prior interpretive guidance on, and health care industry understandings of, the Privacy Rule's de-identification standard. Since the guidance follows a lengthy process of public meetings and other opportunities for input from stakeholders, it appears that OCR has determined that the current de-identification standard strikes an appropriate balance between individuals' interest in the privacy of their personal information and the interests of the research community and other data users. For more information about OCR's proposed modifications to the Privacy Rule, see McDermott's White Paper "OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules to Implement HITECH Act".

Background

The Privacy Rule applies to PHI, which is individually identifiable health information (subject to certain limited exceptions). Individually identifiable health information is defined as follows:

  • Information created or received by a health care provider, health plan, employer or health care clearinghouse
  • Information that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual
  • Information that identifies the individual, or with respect to which there is a reasonable basis on the part of the disclosing entity for believing that the information may be used to identify the individual

The HIPAA Privacy Rule provides a pathway for covered entities and other health data users to create and then use and disclose de-identified health information outside the disclosure restrictions on PHI. De-identified information is health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

The Privacy Rule establishes two methods for a covered entity to de-identify information: (1) obtaining a professional statistical analysis and opinion regarding de-identification; or (2) removing 18 specific identifiers.

Removal of 18 Specific Identifiers Method

Information is deemed to be de-identified if all of the following identifiers of the individual or of relatives, employers or household members of the individual are removed, and the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information:

  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census, (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of "age 90 or older"
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code

Professional Statistical Analysis

Information will be deemed to be de-identified for HIPAA compliance purposes if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable takes the following actions:

  • Applies such principles and methods, and determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information
  • Documents the methods and results of the analysis that justify such determination

Covered entities, business associates and other data users often choose the Professional Statistical Analysis approach (and incur the professional's fees) instead of relying upon the Removal of 18 Specific Identifiers approach, because the professional may issue an opinion that allows certain of the 18 identifiers to be included in the de-identified data set.

General Guidance

The guidance reaffirms the long-held understanding that a covered entity may engage a business associate to de-identify PHI on the covered entity's behalf—for example, if the covered entity does not have the experience or resources to perform the data scrubbing. The guidance stresses, however, that the business associate agreement must expressly authorize the business associate to perform this activity. Thus, in light of this guidance, business associate agreements that refer generally to health care operations may not be sufficient to direct the business associate to perform de-identification services.

Additional Guidance with Respect to the Removal of 18 Specific Identifiers Method

The guidance provides additional details with respect to the Removal of 18 Specific Identifiers Method. Below are summarized some of the relevant provisions.

May parts or derivatives of any of the listed identifiers be disclosed consistent with the Removal of 18 Specific Identifiers Method?

  • No. For example, a data set that contained patient initials or the last four digits of a Social Security number would not meet the requirement of the Removal of 18 Specific Identifiers Method for de-identification.

What are examples of dates that are not permitted according to the Removal of 18 Specific Identifiers Method?

  • Elements of dates that are not permitted for disclosure include the day, month and any other information that is more specific than the year of an event. For instance, the date January 1, 2009, could not be reported at this level of detail. However, it could be reported in a de-identified data set as 2009.
  • Many records contain dates of service or other events that imply age. Ages that are explicitly stated or implied as over 89 years old must be recoded as 90 or above. For example, if the patient's year of birth is 1910 and the year of health care service is reported as 2010, then in the de-identified data set the year of birth should be reported as "on or before 1920." Otherwise, a recipient of the data set would learn that the age of the patient is approximately 100.
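The date, age and ZIP code rules above applied to one structured record, as an added example that is not part of the OCR guidance or of this article. The field names, the allow-list design and the ZIP population figures are assumptions constructed for illustration, and the age test uses the difference between reported years, a conservative choice, because years are all a recipient would see.

```python
"""Safe Harbor-style generalisation of one structured record (added example)."""
from datetime import date

# Constructed population totals per 3-digit ZIP prefix. NOT Census figures:
# a real pipeline loads the current Census Bureau data the rule refers to.
ZIP3_POPULATION = {"606": 2_700_000, "036": 14_500}

# Hypothetical field names. Only fields named here ever reach the output, so
# names, initials, SSN fragments and free-text notes are dropped by default.
PASS_THROUGH = ("state", "diagnosis_code")
EVENT_DATES = ("admission_date", "discharge_date")


def safe_zip3(zip_code, populations):
    """Keep the first three ZIP digits only if that area has > 20,000 people."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    # Prefixes missing from the table are treated as small areas (000).
    return prefix if populations.get(prefix, 0) > 20_000 else "000"


def deidentify(record, populations=ZIP3_POPULATION):
    """Return a new dict holding only generalised, allow-listed values."""
    out = {k: record[k] for k in PASS_THROUGH if k in record}
    if "zip" in record:
        out["zip3"] = safe_zip3(record["zip"], populations)

    # Event dates are reduced to the year; day and month never leave.
    event_years = []
    for field in EVENT_DATES:
        if field in record:
            year = record[field].year
            out[field.replace("_date", "_year")] = year
            event_years.append(year)

    birth = record.get("birth_date")
    if birth is not None and event_years:
        latest = max(event_years)
        if latest - birth.year >= 90:
            # Birth year plus event year would reveal an age over 89,
            # so both the age and the birth year are top-coded.
            out["birth_year"] = f"on or before {latest - 90}"
            out["age"] = "90 or older"
        else:
            out["birth_year"] = birth.year
    # With no event year to compare against, the birth year is withheld.
    return out


# Constructed sample record, mirroring the 1910 / 2010 case in the text.
SAMPLE = {
    "name": "Jane Example",
    "ssn_last4": "1234",
    "zip": "60614-1234",
    "state": "IL",
    "birth_date": date(1910, 3, 2),
    "admission_date": date(2010, 1, 1),
    "discharge_date": date(2010, 1, 5),
    "diagnosis_code": "I10",
    "notes": "Patient is a retired local news anchor.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Because the output is built from an allow-list, a field nobody anticipated is withheld rather than released; free-text fields still need separate review before any part of them is shared.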

Can dates associated with test measures for a patient be reported in accordance with Safe Harbor?

  • No, except as provided above.

What constitutes "any other unique identifying number, characteristic or code" with respect to the Removal of 18 Specific Identifiers Method of the Privacy Rule?

  • This category corresponds to any unique features that are not explicitly enumerated in the Safe Harbor list (A–Q) but could be used to identify a particular individual. Examples include identifying numbers, codes or characteristics.

What is "actual knowledge" that the remaining information could be used either alone or in combination with other information to identify an individual who is a subject of the information?

  • The guidance provides that "actual knowledge" means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information. This means that a covered entity has actual knowledge if it concludes that the remaining information could be used to identify the individual. The covered entity, in other words, is aware that the information is not actually de-identified information.

Must a covered entity suppress all personal names, such as physician names, from health information for it to be designated as de-identified?

  • No. Only names of the individuals associated with the corresponding health information (i.e., the subjects of the records) and of their relatives, employers and household members must be suppressed.

Must a covered entity remove protected health information from free text fields to satisfy the Removal of 18 Specific Identifiers Method?

  • The guidance notes the risk associated with contextual identifiers in free text and other unstructured data fields (such as physician progress notes of a medical record). When relying on the removal of the 18 identifiers to achieve de-identification, covered entities should take special care to ensure that unstructured data fields do not contain stray identifiers (for example, a hand-written name on an x-ray scan) or information that could be used to re-identify the patient (such as noteworthy professional or athletic roles or accomplishments).

Must a covered entity use a data-use agreement when sharing de-identified data to satisfy the Removal of 18 Specific Identifiers Method?

  • No. As stated above, the Privacy Rule does not limit how a covered entity may disclose de-identified health information. However, the guidance notes that a covered entity may require the recipient of de-identified information to enter into a data-use agreement. A covered entity should enter into such a use agreement to address intellectual property ownership issues (such as who owns the de-identified data set) and any business concerns regarding the purposes for which the data set may be utilized.

It is also noteworthy that the guidance does not address the emerging question of whether genetic information is an example of a "unique code" under the 18th identifier.

Additional Guidance with Respect to the Professional Statistical Analysis Approach

The guidance provides additional details with respect to the Professional Statistical Analysis approach. Most of this guidance is directed towards the "expert" chosen by the covered entity. Below are summarized some of the relevant provisions.

Who is an "expert?"

  • The guidance provides that there is no specific professional degree or certification program for designating who is an expert at rendering health information de-identified. Suggested experts include individuals with statistical, mathematical or other scientific backgrounds. From an enforcement perspective, OCR would review the relevant professional experience and academic or other training of the expert used by the covered entity, as well as actual experience of the expert using health information de-identification methodologies.

What is an acceptable level of identification risk for an expert determination?

  • The guidance states that there is no explicit numerical level of identification risk that is deemed to universally meet the "very small" level indicated by the method. The analysis is more of a facts and circumstances analysis based on the ability of a recipient of information to identify an individual (i.e., subject of the information). This is notable as it preserves a degree of latitude for statistical experts engaged to de-identify information to place "very small risk" into context informed by any number of relevant factors, including the specific intended recipient. It also demonstrates that OCR recognizes that a "very small" risk of re-identification is not the same as no risk, and that covered entities are not out of compliance if re-identification occurs despite the statistical expert's expectation that it would not.

How long is an expert determination valid for a given data set?

  • There is no per se expiration date. The guidance does, however, state that experts recognize that technology, social conditions and the availability of information change over time. For example, the U.S. Department of Commerce's release of U.S. census data may affect the ongoing validity of a statistical opinion. Thus, experts should assess the expected change of computational capability, as well as access to various data sources, and then determine an appropriate timeframe within which the health information will be considered reasonably protected from identification of an individual. Covered entities and others requesting statistical opinions should expect the expert to request that the statistical opinion only be valid for a certain length of time and factor in the cost of renewals of the opinion when deciding whether to pursue the Professional Statistical Analysis over the Removal of 18 Specific Identifiers Method.
  • Information that had previously been de-identified may still be adequately de-identified when the certification limit has been reached. When the certification timeframe reaches its conclusion, it does not imply that the data that has already been disseminated is no longer sufficiently protected in accordance with the de-identification standard. Covered entities will be obliged to have an expert examine whether future releases of the data to the same recipient (e.g., monthly reporting) should be subject to additional or different de-identification processes consistent with current conditions to reach the very low risk requirement.

How do experts assess the risk of identification of information?

  • The guidance provides that there is no single universal solution that addresses all privacy and identifiability issues. The guidance suggests that a combination of technical and policy procedures be applied to the de-identification task. A sample workflow for expert determination is depicted in the guidance in the form of a flowchart. In addition, a sample chart is provided to demonstrate the principles used by experts in the determination of the identifiability of health information.
  • The guidance recognizes that the Professional Statistical Analysis is an iterative process that takes into account a number of factors. For example, one might expect that specific details regarding the covered entity, the covered entity's data co-mingling systems, the data recipient, the data itself and many other factors would inform the judgment. This underscores that it is not just the specific data fields that are included that inform whether information is de-identified, but also the entire data-sharing arrangement. It also suggests that a covered entity might require multiple statistical opinions to govern different data-sharing arrangements and that a data set deemed de-identified in one context might remain identifiable in another, even within the same covered entity. Covered entities should consider whether the expert should document the range of circumstances under which the opinion is valid.

What are the approaches by which an expert assesses the risk that health information can be identified?

  • There is no bright line rule. The de-identification standard does not mandate a particular method for assessing risk, but it does provide a survey of potential approaches.

Must a covered entity use a data-use agreement when sharing de-identified data to satisfy the Expert Determination Method?

  • No. The Privacy Rule does not require a covered entity to enter into a data-use agreement in order to share a de-identified data set. However, as noted above, it is recommended that a covered entity should enter into a data-use agreement to address intellectual property ownership issues (such as who owns the de-identified data set) and business concerns regarding the purposes for which the data set may be utilized.

Next Steps

Covered entities (and business associates with the right to de-identify PHI that they receive from their customers) should review their current de-identification methods in light of the guidance and make any necessary changes to comply with the new guidance. As part of the review, data users should consider whether a previously issued opinion needs to be refreshed in light of new publicly available data sources, such as census data. If you have any questions, contact your regular McDermott Will & Emery lawyer or one of the contacts listed to the right for assistance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
