Earlier this week the U.S. Department of Health and Human Services Office of Civil Rights (OCR) released guidance for covered entities regarding methods and approaches to achieve de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  The guidance assists covered entities with understanding what de-identification is, the general process by which de-identified information is created, and the options available for performing de-identification.

OCR’s guidance outlines two methods that can be used to satisfy the Privacy Rule’s de-identification standard: (1) expert determination and (2) safe harbor.  The expert determination method requires: (a) application of statistical or scientific principles and (b) the determination that there is a very small risk that the information could be used by an anticipated recipient – alone or in combination with other reasonably available information – to identify an individual who is a subject of the information.  The safe harbor method requires: (a) removal of 18 types of identifiers and (b) no actual knowledge that residual information can identify an individual who is a subject of the information.  The de-identification methods are illustrated by OCR as:

[Available via OCR's guidance (linked above).]

The guidance also provides answers to industry questions regarding the expert determination and safe harbor methods of de-identification.  With regard to the expert determination method, the guidance addresses, among other topics: (1) qualifications of an expert; (2) an acceptable level of and method for determining identification risk; (3) approaches by which an expert assesses the risk that health information can be identified and mitigates the risk of identification of an individual in health information; and (4) when a data-use agreement should be used.

The guidance addresses the following topics, among others, related to the safe harbor method: (1) use of the first three digits of a ZIP code in de-identified information; (2) the prohibition against disclosing parts or derivatives of any of the identifiers; (3) examples of prohibited dates; (4) what constitutes “any other unique identifying number, characteristic, or code” for purposes of the Privacy Rule; and (5) what constitutes actual knowledge regarding potential use of information.

OCR’s guidance provides useful information on de-identification for privacy officers and others who deal with the exchange of PHI.  The guidance was developed based on comments from stakeholders attending OCR’s public de-identification workshop in 2010.  A webcast of OCR’s de-identification workshop is available here.