November 27, 2012
HIPAA Guidance on De-identification of Health Information
Holland & Knight Privacy Blog
Yesterday, the HHS Office for Civil Rights released guidance regarding de-identification methods. The document is dated September 4, 2012. A brief review does not reveal any huge surprises, and a lot of it restates what is already apparent from the rules and preambles. For example, the guidance indicates that:
- information indicating that an individual was treated at a certain clinic is protected health information (PHI)
- there are no specific professional degrees or certification programs required in order to designate someone as an "expert" who can determine that information has been rendered sufficiently de-identified
- experts may want to put an expiration date on their certifications, but this is not explicitly required
- the de-identification standard does not require that risk be assessed in any particular way
- codes derived from PHI may be disclosed as part of a de-identified data set if an expert determines that the data meets the de-identification standards
- data sets containing partial identifiers, such as patient initials or the last four digits of a Social Security number, do not meet the requirements of the safe harbor method for de-identification
- dates associated with test measures, such as dates of lab reports, are PHI and, if included, the data set would not meet the safe harbor
- physician names could remain in a data set that meets the safe harbor