OCR Issues Guidance Regarding HIPAA De-Identification Methods

Posted on January 8, 2013 in Health Law News

Published by: Hall Render

Background

On November 26, 2012, the Office for Civil Rights (“OCR”) released guidance regarding methods and approaches to achieve de-identification of protected health information (“PHI”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Congress mandated in the American Recovery and Reinvestment Act of 2009 that OCR issue such guidance.

Discussion

OCR developed this guidance by soliciting in-person input from stakeholders with practical, technical and policy experience in de-identification at a public workshop held in Washington, D.C., March 8-9, 2010.  This guidance was derived from input at the conference, previous guidance on this topic and the current industry understanding of de-identification standards and procedures.

The guidance discusses in detail the two separate methods of de-identifying PHI set forth in the HIPAA Privacy Rule: the Expert Determination Method and the Safe Harbor Method.  These two methods are the only methods by which identifying information can be removed from PHI so that it complies with the HIPAA de-identification standard at 45 CFR 164.514(b), which requires that information be stripped of PHI so that there is “no reasonable basis” to believe that the information can be used to identify an individual.

In short, the Expert Determination Method requires a covered entity to obtain a written analysis from a qualified person that, after applying generally accepted statistical and scientific principles, there is a very small risk that the information could be used to identify an individual who is a subject of the information.  The Safe Harbor Method requires the removal of 18 specific identifiers and requires that the organization have no actual knowledge that the remaining information could be used to identify an individual who is a subject of the information.  The guidance discusses the specifics of each method and gives tips and examples on how to comply.

Practical Takeaways

While the November 26, 2012 OCR guidance does not shed new light on the way health care providers approach PHI de-identification, it does provide a comprehensive summary of de-identification options and procedures.  Given the detailed and technical nature of the HIPAA de-identification standard, covered entities should:

  • Review the November 26, 2012 guidance;
  • Confirm that their organization has a HIPAA-compliant PHI de-identification policy;
  • Make sure workforce members are following that policy, as applicable, and are aware of the importance of protecting PHI in today’s health care environment.

The guidance can be found here.

If you would like additional information, please contact: