OCR Releases HIPAA De-identification Q&A Guidance
With the weekend coming up, why not take a break from the holiday frenzy and read through OCR's new HIPAA De-identification guidance. The approximately 30-page guidance document is an easy read, even for those of us who aren't statistically savvy.
Covered entities are generally prohibited from disclosing protected health information (PHI) except with authorization or as permitted or required by HIPAA, unless the PHI has been appropriately de-identified. HIPAA sets forth two specific methods by which PHI may be considered de-identified: the Statistical method, or Expert Determination, and the Safe Harbor standard. Once de-identified, the data may be used for a variety of purposes.
The HITECH Act required the Secretary of HHS to issue guidance on implementing HIPAA de-identification no later than 12 months after its enactment. However, the guidance wasn't released until this past November, even though HHS and OCR had held a workshop on de-identification in 2010 that brought together policy, technical and statistical experts to discuss the challenges to de-identification and the ever-increasing risk of re-identification.
The document, written in a question-and-answer format, primarily addresses methods and approaches under the HIPAA Expert Determination method, in addition to the Safe Harbor standard. With various tables and scenarios, the guidance highlights the generally acceptable approaches for achieving de-identification and strategies to minimize information loss through de-identification.
Although the guidance is general and broad, it does provide answers to many discrete questions, including use of zip codes and dates, and the catch-all “any other unique identifying number, characteristic or code” with respect to the Safe Harbor identifiers which must be removed. OCR also clarified what “actual knowledge” means. In addition to removing all required identifiers, a covered entity will only qualify under the Safe Harbor standard if it does not have “actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” OCR stated that,
“…[A]ctual knowledge means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information….The covered entity, in other words, is aware that the information is not actually de-identified.”
OCR specifically noted that mere knowledge of the existence of specific studies about methods for re-identifying health information, or for using de-identified health information alone or in combination with other information to identify an individual, does not by itself mean that a covered entity has “actual knowledge” that those methods would be used with the data it is disclosing.
The guidance document notably does not define what it means to be an "expert" for purposes of de-identification under the Expert Determination method. Rather, the document notes that,
“Relevant expertise may be gained through various routes of education and experiences….From an enforcement perspective, OCR would review the relevant professional experience and academic or other training of the expert used…, as well as actual experience of the expert using health information de-identification methodologies.”
Likewise, it does not define or set the acceptable level of risk that would meet the “very small” level required by HIPAA. Identification risk is, instead, dependent upon a variety of factors which the expert would need to take into account when assessing the risk for a particular data set given the context, environment and anticipated recipient(s).
The guidance document devotes several pages to how experts assess the risk of identification of information, as well as potential approaches for doing so. Although OCR noted that it does not require a particular process, nor a particular method, and that there is no universal “one-size-fits-all” solution, it provided general workflows, principles and approaches as a general understanding of the process that would ordinarily be part of an expert determination.
The full guidance document can be found here. Covered entities will need to review the guidance and tailor their policies and processes accordingly, in light of the clarification provided by OCR on several issues. Covered entities should further ensure that their business associates are aware of and following the guidance when conducting de-identification on their behalf.