On November 26, 2012, the Department of Health and Human Services Office for Civil Rights ("OCR") published a thirty-two page document titled "Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule" ("De-Identification Guidance"). OCR described the guidance document as a culmination of two years of work by "stakeholders with practical, technical and policy experience in de-identification." OCR also acknowledged that the guidance implements many of the issues and topics that were raised during an OCR workshop held in Washington, DC on March 8-9, 2010.
By way of background, the HIPAA Privacy Rule protects individually identifiable health information that is held or transmitted by covered entities (defined as health care providers, health plans, and health clearing houses) and their business associates (i.e., various service providers). This information is called protected health information, or PHI. The HIPAA Privacy Rule imposes various rules on the uses and disclosures of PHI created or maintained by covered entities. However, once information has been de-identified, it is no longer PHI subject to the HIPAA Privacy Rule. As a way to mitigate HIPAA Privacy Rule exposure, covered entities de-identify information that would otherwise be PHI.
Under Section 164.514(b) of the HIPAA Privacy Rule, two methods may be used to de-identify PHI: (1) the expert determination method and (2) the safe harbor method. OCR was required by the Health Information Technology for Economic and Clinical Health ("HITECH") Act to address the HIPAA Privacy Rule de-identification standard and to issue guidance. OCR's De-Identification Guidance provides insights on OCR's expectations for de-identification methods that should apply to traditional paper and digital records.
Expert Determination Method
Under Section 164.514(b)(1), the covered entity may determine that the PHI is de-identified only if "A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable ... determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual." The De-Identification Guidance...