This entry is part 19 of 27 in the series HIPAA Audit Tips

On Monday, November 26 HHS / OCR issued what some call the long-overdue “Guidance Regarding Methods for De-identification of Protected Health Information (PHI) in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule”. I found the guidance not only a deep dive into what might be considered arcane subject matter, but also a great review of some foundational concepts about Privacy and PHI that are always helpful in preparing for audits or investigations. Here’s today’s big tip – have at least a quick scan of this De-Identification Guidance!

Guidance Regarding Methods for De-Identification of PHI in Accordance with the HIPAA Privacy Rule


The guidance from the HHS Office for Civil Rights (OCR) outlines methods for the de-identification of PHI for secondary uses, including clinical effectiveness and quality of care improvements, among others. Once de-identified, the information is no longer PHI and, therefore, is not subject to the HIPAA Privacy and Security Rules. You may download Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule here.

In developing this guidance, the Office for Civil Rights (OCR) solicited input from stakeholders with practical, technical and policy experience in de-identification in several forums in 2010.

Two Methods to Achieve The De-Identification of PHI

The guidance discusses two methods to de-identify PHI: 1) the Expert Determination method (Section 2); and 2) the Safe Harbor method (Section 3).

In 45 CFR §164.514(b), the Expert Determination method for de-identification is defined as follows:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination.

In §164.514(b), the Safe Harbor method for de-identification is defined as the removal of the 18 identifiers of the individual or of relatives, employers, or household members of the individual, which are included in the definition of PHI.
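To make the Safe Harbor rules concrete, here is an added example (my own code, not part of the OCR guidance) that applies them to a structured patient record: listed identifiers are dropped, ZIP codes are truncated to three digits (with the restricted prefixes from the guidance reported as “000”), dates keep only the year, and ages of 90 and over are aggregated. The record layout and field names are hypothetical, and the sample records are constructed.

```python
import re
from datetime import date

# Three-digit ZIP prefixes covering 20,000 or fewer people; the OCR guidance
# requires these to be reported as "000" (the list is taken from that guidance).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Hypothetical record layout: these fields hold Safe Harbor identifiers removed outright.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street", "city",
                      "ip_address", "device_id", "url", "account_number"}
# Dates directly related to the individual: everything but the year is stripped.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the initial three digits, or '000' for a restricted prefix."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3

def age_on(birth_date: date, as_of: date) -> int:
    """Whole years completed between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)

def de_identify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules to one patient record and return the result."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                        # identifier removed entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        elif key == "birth_date":
            age = age_on(value, as_of)
            if age >= 90:                   # 90 and over collapse into one category;
                out["age"] = "90+"          # the birth year is dropped so it cannot leak the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        else:
            out[key] = value                # e.g. diagnosis code: not a listed identifier
    return out

# Constructed sample records (not real patient data) and the reference date.
AS_OF = date(2012, 11, 26)
SAMPLES = [
    {"name": "Jane Doe", "ssn": "000-00-0000", "phone": "555-0100", "zip": "03601",
     "birth_date": date(1920, 1, 1), "admission_date": date(2012, 11, 26), "diagnosis": "E11.9"},
    {"name": "John Roe", "zip": "90210-1234", "birth_date": date(1975, 6, 15), "diagnosis": "J45.20"},
]
```

Safe Harbor also requires that the covered entity have no actual knowledge that the remaining information could identify the individual, and free-text fields need their own review; this code handles only the structured elements shown.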

Why De-Identify PHI?

According to the guidance, “the increasing adoption of health information technologies in the United States accelerates their potential to facilitate beneficial studies that combine large, complex data sets from multiple sources. The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.”

Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations who have not already done so complete some fundamental preparation activities which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR §164.308(a)(1))
  2. Complete a HIPAA Security Evaluation (45 CFR §164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
  4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
  5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
  7. Document and act upon a corrective action plan

Please feel free to contact us to benefit from our expertise and help you jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


The complete HIPAA Privacy, Security and Breach regulations are here.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.