There are two ways to comply with the HIPAA regulations regarding de-identification of protected health information (PHI) under Section 164.514(a) of the HIPAA Privacy Rule:
- Expert Determination, § 164.514(b)(1)
- Safe Harbor, § 164.514(b)(2)
Under expert determination, an expert certifies that
… the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
Under the so-called Safe Harbor provision, eighteen specific categories of information are removed from the data. Some of these are obvious, such as names and social security numbers. Others, however, may be harder to remove, such as device serial numbers and biometric data. If a data set contains a license number, for example, then it does not fall under the Safe Harbor provision. If a data set must contain one of the items excluded by the Safe Harbor provision, it may still be considered adequately de-identified by the expert determination method if the data does not cause a high risk of identification.
If you would like the help of a statistician with experience helping companies comply with de-identification of protected health information, please call or email to discuss your project.