On November 26, 2012, the United States Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published a guidance document discussing methods and approaches for de-identification of protected health information (PHI) as permitted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The document, which is titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (and is dated September 4, 2012), was published in response to a provision in the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requiring the Secretary of HHS (within 12 months of enactment) to provide guidance on the best ways to satisfy the HIPAA Privacy Rule de-identification requirements. To meet this requirement, OCR held a workshop on March 8-9, 2010 to discuss various issues and concerns surrounding the de-identification of PHI. The resulting guidance document summarizes a number of topics and issues discussed at the workshop. HHS published the guidance as a tool to assist covered entities in understanding the process of de-identification and the appropriate uses of de-identified information.
The HIPAA Privacy Rule established two acceptable methods for the de-identification of PHI: (1) formal determination by a qualified expert (“Expert Determination”) or (2) the removal of specified individual identifiers, together with the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (“Safe Harbor”). The guidance document does not establish new de-identification methods; rather, it provides detailed explanations and answers on how covered entities may better satisfy the two established methods. Additionally, the document provides guidance on how covered entities may use each of the methods when de-identifying PHI maintained in paper or electronic records.
A copy of the guidance document is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.
Written by D’Andrea Morning, Senior Associate | Alston & Bird LLP