After two years, OCR recently released its Guidance Regarding Methods for De-Identification of PHI in Accordance with HIPAA. The guidance is designed to help covered entities understand de-identification, how protected health information is de-identified, and the options available for correctly performing de-identification. De-identification removes identifiers from PHI and reduces privacy risks to individuals allowing the secondary uses of data for other purposes. Importantly, once PHI has been appropriately de-identified it is no longer considered PHI. Currently, under HIPAA, Sec. 164.514, there are two methods by which PHI can be de-identified: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers (18) in conjunction with the lack of knowledge by the covered entity that the remaining information could be used alone or in combination with other information to re-identify individuals.
The Guidance delves into the two options for de-identification. It includes specific details on how to satisfy the expert determination method and what is called the “safe harbor method,” which is the removal of 18 specific identifiers. The Guidance includes Q&A as well as specific examples to help guide covered entities and business associates.
De-identification can be an important tool for both covered entities and business associates, but if performed incorrectly it could lead to serious breach potential. For more information on HIPAA and how to correctly de-identify PHI please contact Elana Zana or Dave Schoolcraft.