In this moment of ever-advancing technology and massive data collection initiatives, laws and business practices have struggled to keep up with new and persistent data privacy and security risks. Despite its age, HIPAA—enacted over 25 years ago—remains a critical regulatory framework for protecting and safeguarding health information in the healthcare industry.
To strike a balance between the utility of data and safeguarding patient confidentiality, HIPAA provides guidelines for de-identifying protected health information (PHI); however, de-identification is not without its challenges. At its core, de-identification involves stripping away personally identifiable elements from health data to ensure that the resulting data set cannot be traced back to individuals and patients.
The two primary methods
The HIPAA Privacy Rule permits organizations to use two primary methods to de-identify health information: “expert determination” and “safe harbor.”[1] Satisfying either method demonstrates that the organization has met the de-identification requirements described in the HIPAA Privacy Rule. An added benefit of using one of these methods to de-identify health information is that the information or data sets created are no longer subject to the HIPAA Privacy Rule and do not fall within the definition of PHI.[2]
The “expert determination” method means that someone with appropriate knowledge and expertise in statistical and scientific principles applies these principles to de-identify health information. In using this method, the expert must determine that there is a very small risk that the remaining data could be used alone or in combination with other available information to identify the individual, and must document the methods and results of the determination.[3] The U.S. Department of Health and Human Services (HHS) has issued guidance about using the expert method of de-identifying health information.[4]
The “safe harbor” method requires an organization to remove 17 specific identifiers of the individual or relatives, employers, or household members using technology or manual labor. The specific identifiers that must be removed include names; dates including birth, death, services, discharge, etc.; mailing and email addresses; numbers including phone, fax, social security, medical records, health plan, account, license and certification, license plates, and vehicle identification; URLs and IP addresses; and full-face photographic images.[5]
While the first 17 identifiers listed under HIPAA are explicit, there is an 18th identifier, which is a “catch-all category” that is described as “any other unique identifying number or characteristic” or combination of data that may lead to the identification of an individual.[6] Examples of identifying information that may fall into this category include clinical trial record numbers and barcodes on medical records or prescriptions.[7] HHS provided additional guidance and examples of methods for de-identification of PHI.[8] Removing this identifier ensures that even if all explicit identifiers are removed, any remaining unique information that could still link the data to an individual is accounted for and removed.
This catch-all provision underscores the evolving nature of data and privacy concerns. As technology advances, new data sources and techniques may emerge that could potentially link de-identified data back to individuals. By including the 18th identifier, HIPAA protects patients despite new and unforeseen risks.