De-Identification of PHI According to the HIPAA Privacy Rule

The two HHS-approved methods for the de-identification of PHI can aid in clinical research while ensuring HIPAA compliance and patient privacy.

De-identification of protected health information (PHI) can help researchers glean valuable insights about population health, aid in healthcare policymaking, and bolster other research ventures. Once PHI is de-identified and can no longer be traced back to an individual, it is no longer protected by the HIPAA Privacy Rule.

To meet the HIPAA Privacy Rule’s de-identification standard outlined in sections 164.514(b) and (c), covered entities must use one of two validated methods: expert determination or safe harbor. The first requires a formal determination by a qualified subject matter expert, while the latter requires the removal of 18 specified identifiers of PHI.

De-identified health data is often the backbone of clinical research and can facilitate scientific findings while protecting patient privacy.

It is crucial that healthcare organizations and medical researchers have a thorough understanding of both de-identification methods in order to remain HIPAA compliant and extract useful data.

The value of de-identified health data

The HIPAA Privacy Rule shields protected health information held by any covered entity or business associates in order to protect patient privacy. Covered entities include providers, healthcare clearinghouses, and health plans.

PHI consists of an individual’s past, present, or future physical or mental health condition, any healthcare services rendered to that individual, and any common identifiers that can be linked to health information. For example, medical records, hospital bills, and lab results are all PHI.

“The relationship with health information is fundamental. Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI,” HHS emphasizes on its website.

“For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to health. If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”

Since large sets of health data can bolster clinical research and benefit the medical community, the HIPAA Privacy Rule permits a covered entity or business associate to de-identify data using specific standards and specifications.  

Both the expert determination and safe harbor methods can help covered entities untangle PHI from its HIPAA protections and share information with researchers.

“Both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds,” HHS continues.

“Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.”

Expert determination method

The expert determination method requires covered entities to consult an expert “with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” in order to comply with the HIPAA Privacy Rule’s de-identification standard.

The expert must be able to determine that the risk of identifying an individual using the data, alone or in combination with other information, is extremely small. In addition, the expert must document their analysis thoroughly to ensure compliance.

The expert determination method allows individuals to extract key data points while still protecting patient privacy, but it is not as straightforward as it may seem.  

There is no expiration time for when data needs to be re-evaluated, and there is no universal solution used to address all privacy issues. In addition, HHS has strict guidelines on what education and professional experience the expert must have to engage in the process of de-identifying data. The Office for Civil Rights (OCR) makes individual determinations on who qualifies as an expert.

There is also no direction or numerical value on what constitutes a “very small” risk level. HHS reasons that the risk level must be assessed on a case-by-case basis, so it would be inappropriate to define a “very small” risk level.

Despite these concerns, some major organizations have adopted expert determination. For example, the HITRUST De-Identification Framework provides a methodology for de-identifying data and managing risk.

“After review of multiple de-identification programs and methods, including those propounded by agencies in the United States, Canada, and the United Kingdom, the HITRUST De-Identification Working Group (DIWG) believed that no one method is appropriate for all organizations,” HITRUST states.

“Instead, the DIWG has identified twelve criteria for a successful de-identification program and methodology that can be scaled for use with any organization.”

The expert determination method has the most potential in terms of extracting all critical data, but its lack of specificity makes it difficult to decipher.  

Safe harbor method

The safe harbor method under the HIPAA Privacy Rule de-identification standard requires covered entities or business associates to remove all 18 identifiers of PHI from data in order to ensure that the data cannot be traced back to one person.

The following identifiers transform health information into PHI under HIPAA:

  1. Names
  2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
  3. Dates, including birthdate, admission date, discharge date, and date of death
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including fingerprints and voice
  17. Full face photos
  18. Any other unique identifying number, characteristic, or codes

Once all of those elements are removed from the data, HIPAA protections no longer apply.

“Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances,” HHS acknowledges.

The biggest downside to the safe harbor method is its potential to remove so much valuable data that the information is no longer useful for research purposes.

Derivatives of the listed identifiers cannot be used under the safe harbor method. For example, a document containing the last four digits of a Social Security number would not meet the de-identification requirement.

Covered entities may also wish to re-identify data at a later date. To prepare for re-identification, covered entities may assign a unique code to the dataset or to specific records, provided that the code is not derived from information about the individual and the entity does not disclose the code or the mechanism for re-identification to any third party.

If the data is re-identified, it is once again considered PHI under HIPAA.
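
The safe harbor steps described above, sketched as an added example that is not part of the original article: it drops identifier fields from a record, flags a free-text field that still carries a derivative (the last four digits of a Social Security number), and assigns a re-identification code that is random rather than derived from the individual. The field names and sample records are constructed, and the crosswalk is assumed to stay inside the covered entity.

```python
import secrets

# Field names are a constructed schema (an assumption); the categories they
# stand for come from the 18-identifier list above.
IDENTIFIER_FIELDS = {"name", "street", "city", "zip", "birth_date", "phone",
                     "email", "ssn", "ssn_last4", "mrn", "ip_address"}

# Constructed sample records, no real patient data.
RECORDS = [
    {"name": "Jane Example", "street": "1 Constructed Way", "city": "Springfield",
     "zip": "00000", "birth_date": "1961-04-12", "phone": "555-0100",
     "email": "jane@example.org", "ssn": "000-00-6789", "ssn_last4": "6789",
     "mrn": "MRN-0042", "ip_address": "192.0.2.10", "diagnosis": "E11.9",
     "note": "Pt confirmed SSN ending 6789 at intake"},
    {"name": "John Sample", "street": "2 Constructed Way", "city": "Springfield",
     "zip": "00000", "birth_date": "1975-09-30", "phone": "555-0101",
     "email": "john@example.org", "ssn": "000-00-4321", "ssn_last4": "4321",
     "mrn": "MRN-0043", "ip_address": "192.0.2.11", "diagnosis": "I10",
     "note": "Routine follow-up"},
]

def deidentify(records):
    """Return (released_rows, crosswalk); the crosswalk is never released."""
    released, crosswalk = [], {}
    for rec in records:
        # Random code: not a hash or truncation of the SSN, MRN or any other
        # information about the individual.
        code = secrets.token_hex(16)
        crosswalk[code] = rec["mrn"]
        row = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        row["record_code"] = code
        released.append(row)
    return released, crosswalk

def leaked_fragments(original, row):
    """Released fields that still hold an identifier value or its last four digits."""
    needles = set()
    for field in IDENTIFIER_FIELDS:
        value = str(original.get(field, "")).lower()
        digits = "".join(ch for ch in value if ch.isdigit())
        if len(value) >= 4:
            needles.add(value)
        if len(digits) >= 4:
            needles.add(digits[-4:])  # derivative, e.g. last four of the SSN
    return sorted(f for f, v in row.items()
                  if f != "record_code" and any(n in str(v).lower() for n in needles))

if __name__ == "__main__":
    rows, _ = deidentify(RECORDS)
    for rec, row in zip(RECORDS, rows):
        print(row["record_code"], leaked_fragments(rec, row))
```

Dropping columns alone leaves the first record's note field carrying the SSN fragment, so flagged free-text fields need redaction or removal before release.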

Although they are lacking in some specifics, both the safe harbor and expert determination methods are effective ways to extract valuable clinical insights while protecting patient privacy and maintaining HIPAA compliance.
