The Office for Civil Rights at HHS has published an online guide for healthcare providers and other HIPAA-covered entities and their business associates on de-identifying medical records for research and other secondary uses.
The advice in "Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule" runs to 16 pages when printed.
According to the Office for Civil Rights, which is charged with enforcing the HIPAA privacy and security rules, the guide walks holders of medical records down twin paths toward de-identifying patient-identifiable records to a degree sufficient for the records to be shared with researchers without running afoul of the sharing organizations' obligations to protect patient privacy under HIPAA.
One path is a "formal determination by qualified expert" that the risk of identifying individual patients from their shared records is "very small." The other path calls for the removal "of specified identifiers as well as the absence of actual knowledge" by the organization releasing the records "that the remaining information could be used alone or in combination with other information to identify the individual."
The guidance appears to still leave a lot to providers' discretion.
For example, "qualified expert" remains undefined, as do the methods an expert might use to determine whether the data is sufficiently protected. What constitutes a "very small" risk also remains undefined and unquantified.
Stripping the data of the HIPAA-specified 18 identifiers also still allows variability, particularly with dates and ZIP codes, as does the caveat that a provider must have "actual knowledge" of techniques being used to re-identify the shared information.
For example, one section of the guidance poses the following question: "If a covered entity knows of specific studies about methods to re-identify health information or use de-identified health information alone or in combination with other information to identify an individual, does this necessarily mean a covered entity has actual knowledge under the safe-harbor method?"
The answer is no, according to the Office for Civil Rights' new guidance. Although "much has been written" about these means of re-identification of data by joining de-identified medical records with databases obtainable from other sources, a covered entity's awareness that such techniques exist doesn't by itself mean that the organization "has 'actual knowledge' that these methods would be used with the data it is disclosing."
The Office for Civil Rights "does not expect a covered entity to presume such capacities of all potential recipients of de-identified data," the office said in the guide. "This would not be consistent with the intent of the safe-harbor method, which was to provide covered entities with a simple method to determine if the information is adequately de-identified."