Wednesday, November 28, 2012
On November 26, 2012, the Office for Civil Rights Division of the Department of Health and Human Services announced that a guide has been released regarding methods for the de-identification of protected health information in accordance with the Privacy Rule of HIPAA. The Privacy Rule sets forth the standard for de-identification of protected health information as follows: health information is not individually identifiable if it does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. The Privacy Rule goes on to state the two methods that can be used to satisfy the aforementioned standard: expert determination and a safe harbor.
Under the expert determination method of de-identification, "a person with appropriate knowledge and experience with generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable" has to determine that the risk is small that the anticipated recipient could use the information to identify the individual, and then document the methods and results of the analysis he/she used to make that determination.
The safe harbor method requires that a covered entity remove all 18 enumerated identifiers from the data to be disclosed and not have actual knowledge that the information could be used to identify an individual who is the subject of the information. Once the data is de-identified in accordance with this method, a covered entity does not have to enter into a data use agreement with the recipient.
See HIPAA De-Identification Guidance Published, McGuire Woods, Nov. 28, 2012.
Special thanks to Brian Cohan (Attorney at Law, Law Offices of Brian J. Cohan, P.C.) for bringing this article to my attention.