On Monday, November 26, HHS / OCR issued what some call long-overdue “Guidance Regarding Methods for De-identification of Protected Health Information (PHI) in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule”. I found the guidance not only a deep dive into what might be considered arcane subject matter, but also a great review of some foundational concepts about privacy and PHI that are always helpful in preparing for audits or investigations. Here’s today’s big tip: at the very least, skim this De-Identification Guidance!
Guidance Regarding Methods for De-Identification of PHI in Accordance with the HIPAA Privacy Rule
The guidance from the HHS Office for Civil Rights (OCR) outlines methods for the de-identification of PHI for secondary uses, including clinical effectiveness and quality-of-care improvements, among others. Once de-identified, the information is no longer PHI and, therefore, is not subject to the HIPAA Privacy and Security Rules. You may download Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule here.
In developing this guidance, the Office for Civil Rights (OCR) solicited input from stakeholders with practical, technical and policy experience in de-identification in several forums in 2010.
Two Methods to Achieve The De-Identification of PHI
The guidance discusses two methods for de-identifying PHI: 1) the Expert Determination method (Section 2); and 2) the Safe Harbor method (Section 3).
In 45 CFR §164.514(b), the Expert Determination method for de-identification is defined as follows:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination
In §164.514(b), the Safe Harbor method for de-identification is defined as the removal of 18 specified identifiers of the individual, or of relatives, employers, or household members of the individual, which are included in the definition of PHI.
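To make the Safe Harbor method concrete, here is an added Python example (it is not code from the guidance, OCR, or this post) that applies the 18-identifier removal to a constructed patient record. The field names, the two sample records, and the `RESTRICTED_ZIP3` set are assumptions for the demo; the rules it encodes (drop the direct identifiers, keep only the year of dates, keep only the first three ZIP digits unless that area holds 20,000 or fewer people, and aggregate ages over 89 into "90 or older") are the ones stated in 45 CFR §164.514(b)(2)(i).

```python
"""Safe Harbor-style de-identification of one patient record (added example)."""
import re
from datetime import date

# Keys of the constructed record that fall into the Safe Harbor direct
# identifier classes: names, geography below state level, phone/fax, e-mail,
# SSN, medical record and health plan numbers, account and license numbers,
# vehicle and device identifiers, URLs, IP addresses, biometrics, photos.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo_ref",
}
# Free text can carry "any other unique identifying number, characteristic,
# or code" (the 18th class); this demo drops it rather than trying to scrub it.
FREE_TEXT_FIELDS = {"clinician_notes"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
AGE_CAP = 89  # ages over 89 are aggregated into a single "90+" category

# Constructed stand-in for the Census-derived list of 3-digit ZIP prefixes
# whose combined population is 20,000 or fewer; these must become "000".
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' if that ZIP3 area is too small."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_of(value):
    """Reduce an ISO-8601 date string (YYYY-MM-DD) to its year; None if unparseable."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value or ""))
    return int(m.group(1)) if m else None


def age_on(birth_iso, as_of):
    """Whole years between an ISO birth date and the reference date."""
    birth = date.fromisoformat(birth_iso)
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def safe_harbor_deidentify(record, as_of):
    """Return a new dict with the Safe Harbor identifier classes removed or generalized."""
    over_cap = False
    if record.get("birth_date"):
        over_cap = age_on(record["birth_date"], as_of) > AGE_CAP
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in FREE_TEXT_FIELDS:
            continue  # removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # A birth year that by itself reveals an age over 89 is an
            # identifying date element, so it is aggregated too.
            out[key] = "90+" if (key == "birth_date" and over_cap) else year_of(value)
        elif key == "age":
            out[key] = "90+" if (over_cap or value > AGE_CAP) else value
        else:
            out[key] = value  # clinical content stays
    return out


# Constructed sample records (not real people).
AS_OF = date(2012, 11, 26)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "123 Example St",
    "city": "Springfield", "state": "MA", "zip": "01234",
    "birth_date": "1931-04-15", "admission_date": "2012-11-20",
    "discharge_date": "2012-11-26", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jane@example.com", "age": 81, "diagnosis_code": "E11.9",
    "clinician_notes": "Patient lives at 123 Example St with spouse.",
}
SAMPLE_RECORD_ELDERLY = {
    "name": "John Q. Sample", "state": "NH", "zip": "03601",
    "birth_date": "1919-12-01", "admission_date": "2012-11-01",
    "age": 92, "diagnosis_code": "I10",
}

if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, SAMPLE_RECORD_ELDERLY):
        print(safe_harbor_deidentify(rec, AS_OF))
```

Note the two edge cases the routine handles: the second record's ZIP prefix is in the (constructed) restricted set and becomes "000", and its birth date would reveal an age over 89, so both the birth year and the age collapse to "90+". Satisfying Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no field-by-field filter can decide for you; that judgement, like the Expert Determination method, still needs a person and documentation.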
Why De-Identify PHI?
According to the guidance, “the increasing adoption of health information technologies in the United States accelerates their potential to facilitate beneficial studies that combine large, complex data sets from multiple sources. The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.”
Actions You Should Take Now to Prepare for OCR HIPAA Audits
We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:
- Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
- Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
- Complete a Privacy Rule compliance assessment (45 CFR §164.530)
- Complete a Breach Rule compliance assessment (45 CFR §164.400)
- Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
- Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
- Document and act upon a corrective action plan
Please feel free to contact us to benefit from our expertise and help you jump-start your program.
Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.
Wanna be even more ready for an audit or hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Subscribing to our eNewsletter: https://clearwatercompliance.com/resources/newsletters/
- Checking our company web site: http://clearwatercompliance.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/
Latest posts by Bob Chaput (see all)