There are two ways to comply with the HIPAA regulations regarding de-identification of protected health information (PHI) under Section 164.514(a) of the HIPAA Privacy Rule:
- Expert Determination, § 164.514(b)(1)
- Safe Harbor, § 164.514(b)(2)
Under expert determination, an expert certifies that
… the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
Under the so-called Safe Harbor provision, eighteen specific categories of information are removed from the data. Some of these are obvious, such as names and social security numbers. Others, however, may be harder to remove, such as device serial numbers and biometric data. One of the most common reasons data falls outside the Safe Harbor provisions is dates of service; without some kind of time information, a lot of data loses its business value.
If a data set must contain one of the items excluded by the Safe Harbor provision, it may still be considered adequately de-identified under the expert determination method, provided the data does not present a high risk of identification.
If data cannot be considered de-identified directly, it’s often possible to modify data in a way that preserves privacy while retaining the usefulness of the data. For example, with differential privacy it is possible to add randomness to the data in just the right way so that individual records are obscured but statistical inferences from the data remain accurate.
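To make the two ideas above concrete, here is an added example (not code from this page or its authors) that strips the Safe Harbor identifiers named above from a few constructed records, gates release on a check that none survived, and then answers a counting query with Laplace noise so that the count stays useful while no single record can be confirmed from the answer. Field names and the sample records are assumptions; the date rule keeps only the year, which Safe Harbor permits.

```python
import random

# Constructed sample records (not real patients); field names are assumptions.
RECORDS = [
    {"name": "Pat Example", "ssn": "000-00-0001", "device_serial": "PUMP-0001",
     "service_date": "2021-03-14", "diagnosis": "J45"},
    {"name": "Sam Sample", "ssn": "000-00-0002", "device_serial": "PUMP-0002",
     "service_date": "2021-07-02", "diagnosis": "E11"},
    {"name": "Lee Placeholder", "ssn": "000-00-0003", "device_serial": "PUMP-0003",
     "service_date": "2022-01-19", "diagnosis": "J45"},
]

# Direct identifiers named on this page among the Safe Harbor categories.
DIRECT_IDENTIFIERS = {"name", "ssn", "device_serial", "biometric"}
DATE_FIELDS = {"service_date"}


def safe_harbor_strip(record):
    """Drop direct identifiers; keep only the year of dates (Safe Harbor allows the year)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for field in DATE_FIELDS & out.keys():
        out[field.replace("_date", "_year")] = out.pop(field)[:4]
    return out


def is_safe_harbor_clean(record):
    """Release gate: true only if no direct identifier or full date survived."""
    return not (DIRECT_IDENTIFIERS | DATE_FIELDS) & record.keys()


def laplace_noise(scale, rng):
    # Laplace(0, scale) drawn as the difference of two exponentials with mean `scale`.
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(records, predicate, epsilon, rng):
    """Counting query with epsilon-DP Laplace noise; a count has sensitivity 1."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def privacy_loss(count_a, count_b, epsilon, output):
    """Log density ratio of seeing `output` under two neighbouring counts; never exceeds epsilon."""
    return epsilon * (abs(output - count_b) - abs(output - count_a))


def mean_private_count(n_queries, epsilon, seed=0):
    """Average of repeated noisy counts of diagnosis J45; shows the noise is unbiased."""
    rng = random.Random(seed)
    total = sum(private_count(RECORDS, lambda r: r["diagnosis"] == "J45", epsilon, rng)
                for _ in range(n_queries))
    return total / n_queries
```

The repeated averaging in `mean_private_count` is only there to show the noise has zero mean; in a real release each answered query spends privacy budget, so the same data set cannot be queried without limit at the same epsilon.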
If you would like the help of a statistician with experience helping companies comply with the de-identification requirements for protected health information, please call or email to discuss your project. We’d be glad to help.
Trusted consultants to some of the world’s leading companies