Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

HHS Releases Guidance on HIPAA De-Identification Standard

Posted in Health Privacy

By Rachel Grunberger and Anna Kraus

On Monday, the U.S. Department of Health and Human Services (HHS) released guidance on methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The guidance, which was required under Section 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, answers questions about the two methods that can be used to satisfy the HIPAA de-identification standard in 45 C.F.R. § 164.514. It also incorporates input from stakeholders that HHS received at a workshop held in March 2010.

As summarized in the figure below, the two methods by which health information can be designated as de-identified under HIPAA are (1) the “expert determination” method and (2) the “safe harbor” method.

[Figure: de-identification chart 1] Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule

HHS’s guidance on the Expert Determination method of de-identification addresses a number of issues, including:

  • who constitutes an “expert”
  • the “very small” level of identification risk
  • the length of time that an expert determination is valid
  • acceptable approaches and principles for assessing the risk that health information can be identified (including the degree to which a data set can be “linked” to a data source that reveals the identity of the corresponding individuals)
  • acceptable approaches for mitigating the risk of identification
  • what constitutes a code and how it relates to PHI

HHS also describes the process for an expert determination of de-identification, which is depicted in the figure below.

[Figure: de-identification chart 2] Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule

HHS’s guidance on the Safe Harbor method of de-identification further describes the circumstances under which covered entities may include the first three digits of ZIP codes in de-identified information, directing covered entities to consult the most current publicly available Bureau of Census data regarding ZIP codes. 

In addition, the Safe Harbor guidance:

  • clarifies that parts or derivatives of any of the 18 listed identifiers (including initials) may not be disclosed
  • confirms that dates associated with test measures for a patient constitute PHI and therefore cannot be reported
  • provides examples of identifiers that would fall into the category of “any other unique identifying number, characteristic, or code”
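As an added illustration (not code from the HHS guidance or from this post), the following Python shows how a covered entity might apply the Safe Harbor handling for ZIP codes, dates and ages to a record. The 20,000-person prefix threshold is the one stated in 45 C.F.R. § 164.514(b)(2)(i)(B); the population table is a constructed stand-in for the current Bureau of the Census data the guidance directs covered entities to consult.

```python
import re
from datetime import date

# Population threshold from the Safe Harbor rule, 45 C.F.R. § 164.514(b)(2)(i)(B):
# a 3-digit ZIP prefix may be retained only if all ZIP codes sharing it cover
# more than 20,000 people; otherwise the prefix must be reported as "000".
ZIP3_POPULATION_THRESHOLD = 20_000

# Constructed sample standing in for the current Census data the guidance
# points to; real values come from the Bureau of the Census, not from here.
SAMPLE_ZIP3_POPULATION = {
    "021": 1_500_000,  # populous prefix: may be retained
    "036": 12_000,     # sparsely populated prefix: must become "000"
}

ZIP_RE = re.compile(r"^(\d{5})(?:-\d{4})?$")  # accepts ZIP or ZIP+4

def safe_harbor_zip(zip_code, zip3_population):
    """Return the Safe Harbor form of a ZIP code: its 3-digit prefix when the
    prefix's combined population exceeds the threshold, else '000'.
    A prefix missing from the population table is treated as '000'."""
    m = ZIP_RE.match(zip_code.strip())
    if not m:
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = m.group(1)[:3]
    population = zip3_population.get(prefix, 0)
    return prefix if population > ZIP3_POPULATION_THRESHOLD else "000"

def safe_harbor_date(d):
    """Dates directly related to an individual (including test dates) are
    identifiers; Safe Harbor permits only the year. Accepts a date or ISO string."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    return str(d.year)

def safe_harbor_age(age):
    """Ages over 89 must be aggregated into a single '90 or older' category."""
    return "90+" if age > 89 else str(age)

def safe_harbor_record(record, zip3_population):
    """Apply the ZIP, date and age rules to one patient record (a dict)."""
    out = dict(record)
    out["zip"] = safe_harbor_zip(record["zip"], zip3_population)
    out["test_date"] = safe_harbor_date(record["test_date"])
    out["age"] = safe_harbor_age(record["age"])
    return out
```

The other listed identifiers (names, initials, record numbers and the like) must simply be removed; they are not shown because no transformation short of removal satisfies Safe Harbor for them.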

HHS also clarifies that, in the Safe Harbor context, “actual knowledge” means “clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is the subject of the information.”  The guidance describes four examples that illustrate when a covered entity would fail to meet the “actual knowledge” provision.  The examples involve a revealing occupation, a clear familial relation, a publicized clinical event, and knowledge of a recipient’s ability to identify the information, respectively.

The guidance addresses many of the thorny issues surrounding de-identification, and should be a helpful resource for covered entities and business associates seeking to de-identify health information in accordance with the HIPAA standard.