Workshop on the HIPAA Privacy Rule's De-Identification Standard
The American Recovery and Reinvestment Act of 2009 (ARRA)1 requires HHS to issue guidance on methods for de-identification of protected health information (PHI) as designated in HIPAA's Privacy Rule. In response to this mandate, OCR solicited stakeholder input from experts with practical technical and policy experience to inform the creation of guidance materials. OCR collected views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns.
To facilitate timely collection of information, OCR organized an in-person workshop that consisted of multiple panel sessions. Each panel addressed a specific topic related to the Privacy Rule’s de-identification methodologies and policies. The workshop was open to the public and each panel was followed by a question-answer period. The workshop was held March 8-9, 2010 in Washington, DC.
OCR has synthesized the input from workshop panelists and general comments to incorporate into guidance.
Background and Context
The Privacy Rule is part of a suite2 of regulations promulgated pursuant to the administrative simplification provisions of HIPAA. ARRA expanded the reach of the Privacy Rule and requires the Secretary, in consultation with stakeholders, to issue guidance on how to best implement the Privacy Rule’s current requirements for the de-identification of protected heath information under 45 CFR § 164.514 (b).
The Privacy Rule protects individually identifiable health information that is held or transmitted by covered entities and their business associates; such information is called protected health information, or PHI. When health information does not identify an individual, and there is no reasonable basis to believe that it can be used to identify an individual, it is “de-identified” and is not considered to be PHI. A covered entity may use or disclose de-identified health information for any purpose without restriction (although other laws may apply). The Privacy Rule designates two ways through which a covered entity can determine that health information is de-identified.3 The first is the “Safe Harbor” approach, which permits a covered entity to consider data to be de-identified if it removes 18 types of identifiers (e.g., names, dates, and geocodes on populations with less than 20,000 inhabitants) and has no actual knowledge that the remaining information could be used to identify an individual, either alone or in combination with other information. An alternative is the statistical approach, which permits covered entities to disclose health information in any form provided that a qualified statistical or scientific expert concludes, through the use of accepted analytic techniques, that the risk the information could be used alone, or in combination with other reasonably available information, to identify the subject is very small.
1Pub. L. No. 111-5, § 13411. 123 Stat. 115, 276
2This suite includes the Security Rule and the Standards for Transactions and Code Sets (45 CFR § 160 & 162).
3See 45 CFR § 164.514 (b)(2)