Introduction

On November 26, 2012 the Office for Civil Rights (OCR) of the US Department of Health and Human Services issued important new guidance regarding the two existing methods by which covered entities may de-identify protected health information in accordance with the privacy rule promulgated under the Health Insurance Portability and Accountability Act of 1996. While the privacy rule has long permitted covered entities to de-identify protected health information through one of two methods (ie, expert determination or the safe harbour method), the guidance sheds new light on the general processes by which de-identified information may be properly created and the options available for de-identifying protected health information in accordance with the privacy rule. The new guidance was developed in consultation with stakeholders, as required by the Health Information Technology for Economic and Clinical Health Act.

Analysis

The guidance applies to covered entities (ie, healthcare providers that conduct certain standard administrative and financial transactions in electronic form, healthcare clearing houses and health plans) and their business associates (ie, a person or entity – other than a member of the covered entity's workforce – that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information). Importantly, the guidance states that a covered entity may use a business associate to de-identify protected health information on its behalf only to the extent that such activity is authorised by their business associate agreement.

With respect to the expert determination method, the OCR provides extensive guidance on an array of topics, including who may be an expert for the purpose of rendering a de-identification opinion. While no specific professional degree is required, the OCR cautions that, from an enforcement standpoint, the professional and actual experience of the expert would be evaluated by the OCR if it had cause to review an expert determination.(1) The guidance notes that an expert may use various approaches to render a de-identification opinion. No particular approach is required, but a qualified expert should apply generally accepted statistical or scientific approaches to compute the likelihood that a record in a data set could be re-identified.(2) The guidance also clarifies that:

  • there is "no explicit numerical level of identification risk" that would constitute a "very small" risk that the protected health information could be used to re-identify an individual; and
  • experts must use their judgement to determine whether the risk is very small, based on the facts and circumstances surrounding the data set.(3)

Additionally, the guidance states that while the Health Insurance Portability and Accountability Act privacy rule does not require that expert determinations be subject to an expiration date, experts should consider attaching a time-limited certification to opinions they provide in order to take into account evolving technology and social conditions, among other factors.(4)

The guidance next reiterates the rigidity of the safe harbour method of de-identification. Consistent with the privacy rule, the OCR states that examples of dates that are not permitted under the safe harbour method include the day, month and any other information that is more specific than the year of the health event, including dates associated with test measures contained in laboratory reports. The OCR also takes an expansive view of types of information that could constitute any other unique identifier, including:

  • identifying numbers (eg, clinical trial record numbers);
  • identifying codes (eg, barcodes assigned to patient records and prescriptions); or
  • identifying characteristics (eg, 'current president of state university').(5)

Additionally, the OCR clarifies that the actual knowledge standard, in the context of the safe harbour, means "clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is the subject of the information". Examples of information that could fail the actual knowledge standard, if allowed to remain in a data set or if combined with other information, include:

  • a revealing occupation (eg, a patient is listed in a record as 'former president of state university');
  • a clear familial relationship (eg, a researcher employed by a covered entity who receives information on a family member in the data set provided by the covered entity); and
  • publicised clinical events (eg, a patient giving birth to an unusually large number of children at the same time).(6)

Comment

The new guidance, along with the highly anticipated Health Information Technology for Economic and Clinical Health Act final rule that many people believe will be published in the coming months, may signal that the OCR will make proper de-identification of protected health information an enforcement priority in the years ahead.(7)

For further information on this topic please contact Anna Spencer or Meena Datta at Sidley Austin LLP by telephone (+1 202 736 8600), fax (+1 202 736 8711) or email ([email protected] or [email protected]).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.

Endnotes

(1) Page 10.

(2) Page 16.

(3) Pages 10-12.

(4) Page 11.

(5) Page 26.

(6) Pages 27-28.

(7) The new guidance is currently posted on the OCR website and is available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.