November 27, 2012

HIPAA Guidance on De-identification of Health Information

Holland & Knight Privacy Blog
Shannon Britton Hartsfield

Yesterday, the HHS Office for Civil Rights released guidance regarding de-identification methods. The document is dated September 4, 2012. A brief review does not reveal any huge surprises, and a lot of it re-states what is already apparent from the rules and preambles. For example, the guidance indicates that:

  • information indicating that an individual was treated at a certain clinic is protected health information (PHI)
  • there are no specific professional degrees or certification programs required in order to designate someone as an "expert" who can determine that information has been rendered sufficiently de-identified
  • experts may want to put an expiration date on their certifications, but this is not explicitly required
  • the de-identification standard does not require that risk be assessed in any particular way
  • codes derived from PHI may be disclosed as part of a de-identified data set if an expert determines that the data meets the de-identification standards
  • data sets containing partial identifiers, such as patient initials or the last four digits of a Social Security number, do not meet the requirements of the safe harbor method for de-identification
  • dates associated with test measures, such as dates of lab reports, are PHI and, if included, the data set would not meet the safe harbor
  • physician names could remain in a data set that meets the safe harbor

View the OCR guidance on de-identification methods.
