Tuesday, November 27, 2012

HIPAA De-Identification Guidance from HHS OCR

The Office of Civil Rights ("OCR") of the U.S. Department of Health and Human Services recently issued guidance on appropriate ways to de-identify (remove personally identifiable information from) electronically stored health records. De-identification is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rule in order to permit scientific analyses and other publicly beneficial uses of health records without violating the privacy of the patients whose health information is being shared for analysis. Section 164.514(b) of the HIPAA Privacy Rule provides two methods for de-identification: Expert Determination and the so-called "Safe Harbor."

It can be challenging, though, to completely de-identify any health information, since those with other sources of information may be able to combine those databases with the de-identified data to "re-identify" individual patients. (In a non-health context, this was demonstrated in 2006 after AOL released a supposedly anonymized search query database of its users, and reporters were able to positively identify at least one user from her particular searches.) With its latest guidance (which can be downloaded here), OCR answers questions about the use and limitations of its approved de-identification methods.

(via IAPP)
