Content created by Office for Human Research Protections (OHRP)
The Final Privacy Rule essentially retains the list of 18 identifiers that must be stripped from data for those data to be considered "de-identified" and thus outside of the definition of PHI. For the efficiency of essential records research, SACHRP encourages the Department to reconsider its de-identification standard, reduce the number of data categories to be eliminated, and focus regulatory attention on the safeguards that researchers using such information should respect in recording and publishing data. An alternate, "goal-oriented" revision of these de-identification requirements could protect subjects' privacy while not making critical research excessively costly and troublesome. Although the addition of the limited data set category provides researchers with some flexibility, that category adds to the confusion surrounding retrospective records research, and requires additional significant administrative burdens in its requirement of a data use agreement between the Covered Entity disclosing the limited data set and the recipient of the data. SACHRP contends that the standard for de-identification under HIPAA should be more closely aligned with the research community's historic standard for what constitutes identifiable private information under the Common Rule. Indeed, there have been few, if any, reported abuses of research subjects or compromises of their privacy under the historic interpretations of anonymized data under the Common Rule standards, leading SACHRP to question the necessity of all aspects of the Privacy Rule's de-identification standard. If there were no cost associated with those higher standards, they might be tolerable, but in this as in other areas, little if any additional actual protection appears to have been added to subjects' privacy while significant new costs and burdens have been imposed on the research enterprise - an enterprise that in the aggregate greatly benefits communitarian interests.