Guidance offered on PHI de-identification
Washington—The Department of Health and Human Services offered guidance Nov. 26 on de-identification of protected health information (PHI) for HIPAA-covered entities and their business associates. A dental practice is covered by HIPAA if it electronically transmits claims or any other HIPAA-covered transactions.
The guidance, issued two years after HHS convened a 2010 stakeholder workshop on HIPAA Privacy Rule de-identification methods, accords with “sample procedures” described in The ADA Practice Guide to HIPAA Compliance: Privacy and Security Kit. To order the ADA kit, J594—Manual, CD-ROM and Subscription Service, shop online at ADAcatalog.org or call 1-800-947-4746.
The HHS Office for Civil Rights guidance document describes methods and approaches to achieve de-identification of PHI. Properly de-identified patient information is not considered PHI and does not require patient authorization for use or disclosure.
“The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors,” the document said. Appropriate de-identification can help mitigate the risk of a Health Insurance Portability and Accountability Act violation or breach.
Protected health information generally includes information, including demographic information, that relates to an individual’s physical or mental health or condition, treatment or payment for health care; that identifies or could be used to identify the individual; and that was created or received by a health care provider, health plan, employer or clearinghouse.
PHI includes such information when transmitted or maintained by a covered entity or its business associates in any form or medium including electronic, hard copy such as paper or film, or oral. The definition exempts such individually identifiable health information as that found in employment records held by a covered entity in its role as an employer, as well as certain educational records.
The HHS Office for Civil Rights identifies two basic methods for properly de-identifying PHI but notes that no method is fail-safe. “Both methods, even when properly applied, yield de-identified data that retains some risk of identification,” the document said. “Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked to the identity of the patient to which it corresponds.”
The “safe harbor” method of de-identification calls for removal of 18 types of identifiers of the individual or of relatives, employers or household members of the individual, provided that the covered entity has no “actual knowledge” that the information could be used alone or in combination with other information to identify the individual. The “expert determination” method applies statistical and scientific principles and methods for rendering information not individually identifiable. Sample procedures for the “safe harbor” method are included in the ADA HIPAA kit, and both methods are discussed in the HHS guidance document.
“Regardless of the method by which de-identification is achieved, the privacy rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information,” the document said.
Under the HIPAA privacy rule, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe that it can be used to identify an individual.
Satisfying either method would demonstrate that a covered entity has met the standard for de-identification of protected health information in Section 164.514(a) of the HIPAA privacy rule, the guidance document said.
The document also addresses questions relevant to satisfying each method.