Privacy Rule
There are two ways a covered entity can comply with the HIPAA regulations regarding de-identification of protected health information (PHI) under Section 164.514(a) of the HIPAA Privacy Rule:
- Expert Determination, § 164.514(b)(1)
- Safe Harbor, § 164.514(b)(2)
Expert Determination and Safe Harbor
Under expert determination, an expert certifies that
… the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
Under the so-called Safe Harbor provision, eighteen specific categories of information are removed from data. Some of these are obvious, such as names and social security numbers. Others, however, may be harder to remove, such as device serial numbers and biometric data. One of the most common reasons a set of data falls outside the Safe Harbor provisions is that it contains dates of service; without some kind of time information, the data loses its business value.
If a data set must contain one of the items excluded by the Safe Harbor provision, it may still be considered adequately de-identified by the expert determination method if the data does not cause a high risk of identification.
If data cannot be considered de-identified directly, it’s often possible to modify data in a way that preserves privacy while retaining the usefulness of the data. For example, with differential privacy it is possible to add randomness to the data in just the right way so that individual records are obscured but statistical inferences from the data remain accurate.
If you would like the help of a statistician with experience helping companies comply with de-identification of PHI, please call or email to discuss your project. We’d be glad to help.
What does a project look like?
A project involves three steps:
- Discuss data and objectives
- Develop procedures
- Deliver final report
A typical project starts with a phone call to discuss your data and your objectives. Once we know what data fields we’re dealing with, we can estimate the size of the project. (At this point we don’t need to see your data per se, only a description of the data.)
We then come up with possible approaches for protecting privacy while addressing your business needs. This usually requires a few emails back and forth to discuss details and trade-offs.
Our final deliverable is a report of recommended procedures and an expert determination that as long as these procedures are followed there is little risk of re-identification.
Let’s get started
To get started, call or email to schedule a free initial consultation to discuss your data and your objectives.
Trusted consultants to some of the world’s leading companies