On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.
HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-dentification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," and therefore no longer subject to the HIPAA privacy and security rules.
The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:
- "Expert Determination" - a formal determination by a qualified expert.
- "Safe Harbor" - the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.
Under either method, PHI is no longer protected by the Privacy Rule, but the remaining data has limited usefulness. However, the guidance also describes de-identification strategies that can minimize the loss of usefulness to the data. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with HIPAA privacy and security rules.