HIPAA Update: How to Turn Protected Health Information into Research Data

“HIPAA places tight restrictions on the use and disclosure of protected health information, but there are many ways to ‘de-identify’ it, freeing it from HIPAA’s constraints. Covered entities and business associates can use de-identification to reduce their exposure to HIPAA and expand their use of health data.” (Davis Wright Tremaine)

On November 26, 2012, the Health and Human Services Office for Civil Rights released guidance on how covered entities and business associates can “de-identify” protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

De-identification – stripping health information of specific data that connects back to the individual from whom it came – allows covered entities (and the medical community at large) to use the data in a variety of new ways. From the guidance:

“The increasing adoption of health information technologies in the United States accelerates their potential to facilitate beneficial studies that combine large, complex data sets from multiple sources. The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.”

For your reference, five takeaways:

1. There are two ways to de-identify the data:

“The Privacy Rule provides two methods by which health information can be de-identified: the ‘expert determination’ standard and the ‘safe harbor’ standard.” (Mintz Levin)

2. The guidance still leaves important questions unanswered:

“While providing a more detailed discussion of methodological issues associated with de-identification, this guidance falls short of establishing an approved approach to de-identification. As a result, it raises additional questions about the potential risks to a covered entity associated with release of de-identified information.” (Foley & Lardner)

3. Information de-identified by expert determination may be time-sensitive:

“[T]he Guidance notes that expert determinations may be time-limited, so that an expert determination made today with respect to a certain data set may need to be re-assessed in the future as increases in computational ability and the availability of additional data may render previously de-identified data identifiable at a later date.” (Saul Ewing)

4. The safe-harbor de-identification method is technically complex:

“The safe harbor method involves the removal of 18 identifiers and the covered entity not having actual knowledge that the resulting information can be used to identify an individual. The guidance makes plain how stringent this method can be, confirming that any element of a date more specific than a year that relates to an event may not be included.” (Davis Wright Tremaine)

5. Companies should obtain indemnification from data misuse by business associates:

“[C]overed entities may want to include provisions in their agreements with business associates that address the responsibility for adequately de-identifying data. Further, covered entities may want to evaluate the potential use of data use agreements for their organization as a means to provide some control over the secondary uses of de-identified data.” (Foley & Lardner)
