OCR Releases Guidance on “De-Identification” of PHI under HIPAA

On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.

HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-identification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," and therefore to no longer be subject to the HIPAA privacy and security rules.

The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:

  • "Expert Determination" – a formal determination by a qualified expert.
  • "Safe Harbor" – the removal of specified individual identifiers as well as the absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.

Under either method, PHI is no longer protected by the Privacy Rule, but the remaining data has limited usefulness. However, the guidance also describes de-identification strategies that can minimize the loss of usefulness to the data. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with HIPAA privacy and security rules.