Sizing Up De-Identification Guidance

Experts Analyze HIPAA Compliance Report

By , December 4, 2012.
Sizing Up De-Identification Guidance

New federal guidance on how to de-identify patient data used for secondary purposes, including research, provides important insights on ensuring privacy, several legal experts say. But one privacy advocate says the guidance comes up short.

See Also: Preparing for OCR Audits: Presented by Mac McMillan of the HIMSS Privacy and Policy Task Force

The guidance is "a good first step toward achieving a better-quality, less-expensive healthcare system that carries the added benefit of better protections for individual patient health records," says attorney Deven McGraw. She's chair of the HIT Policy Committee's Privacy and Security Tiger Team, which advises federal regulators.

The new report is important because "access to the vast amounts of health data increasingly available as the nation continues to roll out its all-digital health information network will provide the opportunity for the kind of rigorous data analysis that is critical if the U.S. is to realize the promise of a lower-cost, better-quality health care system," McGraw notes in a blog.

"It is just as critical that the privacy of the individuals from which that data is drawn is protected in a way that invokes trust in the system. This is where the new guidance comes into play," says McGraw, director of the health privacy project at the Center for Democracy & Technology.

Other legal experts say the guidance is helpful because it fleshes out details for the two methods of data de-identification allowed under HIPAA. For instance, it spells out examples of individually identifiable data that needs to be removed to meet the "safe harbor" method requirements. And it reaffirms that cryptography can be used to de-identify data in the "expert determination" method.

But privacy advocate Deborah Peel, M.D., founder and chair of Patient Privacy Rights, calls the new guidance "wholly inadequate," lamenting that it falls short of establishing any new requirements.

"Nothing is required, and there are no penalties for not following even the flawed approaches set out in the guidance," Peel says. "It's well-known now and was in 2010, but not when HIPAA was drafted, that completely de-identifying health data sets so that they cannot be re-identified is very difficult."

Protecting Research Data

The guidance, issued Nov. 26 by the Department of Health and Human Services' Office for Civil Rights, describes how to comply with the HIPAA Privacy Rule's de-identification requirements for aggregated information used for secondary purposes, including clinical effectiveness studies, policy assessments and life sciences research (see: Data De-Identification Guidance Offered).

The HITECH Act mandated that federal officials issue the guidance by early in 2010. "We are disappointed with how long it took the administration to release this guidance," McGraw says. "OCR held a workshop to gather stakeholder input on health data de-identification in March 2010, and this guidance was not released until nearly three years later."

Under the safe harbor de-identification method described in HIPAA, 18 elements of identifying information, such as an individual's name, address, date of birth, Social Security or medical record number, must be removed.

The expert determination method described in HIPAA involves an organization using the services of an expert "with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable."

The expert can use methods, such as encryption, to de-identify data, and then conduct an analysis to determine "that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information," the guidance explains. The expert must also document their methods and the results of their analysis.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE DHS to Scan Agencies' IT for Vulnerabilities

Prompted by Heartbleed and other vulnerabilities, the White House is giving the Department of...

Latest Tweets and Mentions

ARTICLE DHS to Scan Agencies' IT for Vulnerabilities

Prompted by Heartbleed and other vulnerabilities, the White House is giving the Department of...

The ISMG Network