Guidance Issued on De-identifying Protected Health Information

The Office of Civil Rights (OCR) has published a guidance document on methods to de-identify PHI. The guide, “Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” provides detailed explanations and answers questions regarding the two methods that can be used to satisfy the Privacy Rule’s de-identification standard: Expert Determination and Safe Harbor. The guidance is intended to help covered entities understand what de-identification is, the general process by which de-identified information is created, and the options available for performing de-identification.

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.

Section 164.514(b) of the Privacy Rule provides the implementation specifications that a covered entity must follow to meet the de-identification standard. Section 164.514(b)(1) of the Privacy Rule provides criteria for the Expert Determination method and section 164.514(b)(2) provides criteria for the Safe Harbor method.

The Expert Determination method requires that a person(s) with appropriate knowledge of and experience with statistical and scientific principles and methods for rendering PHI unidentifiable apply such principles and methods to determine that there is a very small risk that the individual in the PHI could be identified. The Safe Harbor method requires the removal of 18 types of identifiers so that the individual cannot be identified from the residual information.

Satisfying either method would demonstrate that a covered entity has met the standard for de-identifying PHI. De-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.
