Earlier this week the U.S. Department of Health and Human Services Office of Civil Rights (OCR) released guidance for covered entities regarding methods and approaches to achieve de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The guidance assists covered entities with understanding what de-identification is, the general process by which de-identified information is created, and the options available for performing de-identification.
OCR’s guidance outlines two methods that can be used to satisfy the Privacy Rule’s de-identification standard: (1) expert determination and (2) safe harbor. The expert determination method requires: (a) application of statistical or scientific principles and (b) the determination that there is a very small risk that the information could be used by an anticipated recipient – alone or in combination with other reasonably available information – to identify an individual who is a subject of the information. The safe harbor method requires: (a) removal of 18 types of identifiers and (b) no actual knowledge that residual information can identify an individual who is a subject of the information. The de-identification methods are illustrated by OCR as:
[Available via OCR's guidance (linked above).]
The guidance also provides answers to industry questions regarding the expert determination and safe harbor methods of de-identification. With regard to the expert determination method, the guidance addresses, among other topics: (1) qualifications of an expert; (2) an acceptable level of and method for determining identification risk; (3) approaches by which an expert assesses the risk that health information can be identified and mitigates the risk of identification of an individual in health information; and (4) when a data-use agreement should be used.
The guidance addresses the following topics, among others, related to the safe harbor method: (1) use of the first three digits of a ZIP code in de-identified information; (2) the prohibition against disclosing parts or derivatives of any of the identifiers; (3) examples of prohibited dates; (4) what constitutes “any other unique identifying number, characteristic, or code” for purposes of the Privacy Rule; and (5) what constitutes actual knowledge regarding potential use of information.
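To make the safe-harbor mechanics concrete, the following is an added example (not code from OCR or from this post) showing how the ZIP-code truncation and date/age rules described above can be applied to a patient record. The record field names, the sample records and the 3-digit ZIP population figures are assumptions constructed for the example; real population counts come from Census data, and the example covers only a few of the 18 identifier classes.

```python
"""Safe-harbor style generalization of selected HIPAA identifier classes.

Added example, not part of the OCR guidance. Field names, sample records and
the ZIP3 population table are constructed assumptions for illustration.
"""
from datetime import date
import re

# CONSTRUCTED population figures for 3-digit ZIP areas (hypothetical).
ZIP3_POPULATION = {"021": 500_000, "036": 15_000}
# Safe harbor: a ZIP3 area with 20,000 or fewer people is reported as "000".
POPULATION_THRESHOLD = 20_000

# Assumed record layout: these fields hold direct identifiers and are dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "email", "street", "ip_address", "device_id",
}


def generalize_zip(zip_code):
    """Keep only the first three digits of a ZIP code; collapse to '000' when
    the area is small or unknown (unknown areas are treated conservatively)."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > POPULATION_THRESHOLD else "000"


def age_on(dob, reference):
    """Whole years between a birth date and a reference date."""
    birthday_passed = (reference.month, reference.day) >= (dob.month, dob.day)
    return reference.year - dob.year - (0 if birthday_passed else 1)


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def de_identify(record, reference):
    """Apply safe-harbor generalization to one record and return a new dict."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, reference)
            out["age"] = generalize_age(age)
            # The birth year may be kept only if it does not reveal an age over 89.
            if age <= 89:
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[field] = str(value.year)  # other dates: year only
        else:
            out[field] = value
    return out


# Constructed sample input.
REFERENCE_DATE = date(2012, 11, 30)
SAMPLE_RECORDS = [
    {"name": "Jane Example", "ssn": "000-00-0000", "zip": "02139",
     "dob": date(1975, 6, 1), "admission": date(2012, 11, 20), "diagnosis": "J45"},
    {"name": "John Example", "mrn": "MRN-0001", "zip": "03601",
     "dob": date(1920, 12, 5), "admission": date(2012, 10, 2), "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(de_identify(rec, REFERENCE_DATE))
```

The second sample record shows the interaction between the date and age rules: because the patient is over 89, both the birth year and the exact age are suppressed, not just the month and day. Code like this only addresses the first prong of safe harbor (identifier removal); the second prong, no actual knowledge that the residual data can identify someone, remains a human judgment about the dataset and its recipients.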
OCR’s guidance provides useful information on de-identification for privacy officers and others who deal with the exchange of PHI. The guidance was developed based on comments from stakeholders attending OCR’s public de-identification workshop in 2010. A webcast of OCR’s de-identification workshop is available here.