Data De-Identification Guidance Offered
Insights on Privacy Protection for Health Research
Federal officials have finally released long-overdue guidance on how to de-identify patient information used for research.
The guidance on how to meet the somewhat sketchy de-identification requirements of the HIPAA Privacy Rule was mandated under the HITECH Act, which called for the advice to be issued early in 2010.
In June, the Government Accountability Office issued a report criticizing the Department of Health and Human Services for its tardiness in releasing the guidance, which GAO blamed on "competing [HHS] priorities for resources and internal review" (see: GAO Presses HHS for Privacy Guidance).
The guidance from the HHS Office for Civil Rights outlines methods for how to de-identify aggregated information for secondary uses, including clinical effectiveness studies, policy assessments and life sciences research.
Meeting HIPAA Requirements
The 32-page OCR report provides in-depth details about methods and approaches to achieve de-identification of protected health information in accordance with the HIPAA Privacy Rule. That includes explanations and answers to questions regarding the "expert determination" and "safe harbor" methods to satisfy the rule's de-identification standard.
The expert determination method requires that an expert on statistical and scientific principles and methods for rendering information not individually identifiable has determined that the risk of re-identifying the information is very small. That means there's little risk the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. The expert also must document the methods and results of the analysis that justify the determination.
The safe harbor method involves the removal of 18 types of identifiers, including names, addresses, zip codes, Social Security numbers and medical record numbers. It also requires that the covered entity does not have knowledge that the information could be used, alone or in combination with other information, to identify an individual who is a subject of the information.
"This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification," the OCR document states. In developing the guidance, OCR "solicited input from stakeholders with practical, technical and policy experience in de-identification."
Among the topics covered by the guidance are:
- Definitions of the de-identification standard and insights on how to prepare for de-identification of PHI;
- Details on satisfying the expert determination method for data de-identification, including an explanation of how this method has been applied outside the healthcare field;
- Details on satisfying the safe harbor method of de-identifying PHI, including when ZIP codes can be included in de-identified data, and also the utilization of data use agreements when sharing de-identified information.