Safeguarding Personal Health Information: HIPAA Rules on De-Identification

HIPAA and De-Identification of PHI
Sometimes Required, Never Easy
Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
www.lewiscreeksystems.com
1
© Copyright 2023 Lewis Creek Systems, LLC All Rights Reserved
jim@lewiscreeksystems.com www.lewiscreeksystems.com

Agenda
• The HIPAA Requirements for De-identification
• De-identification and its Rationale
• The De-identification Standard
• Preparation for De-identification
• Guidance on Satisfying the Expert Determination Method
• Who is an expert, and how do experts assess and mitigate the
risk of identification of an individual in health information
• Guidance on Satisfying the Safe Harbor Method
• What are examples of dates that are not permitted
• What constitutes "any other unique identifying number,
characteristic, or code”
• What is "actual knowledge that the remaining information could
be used either alone or in combination with other information to
identify an individual who is a subject of the information.”
• Q&A
2

HIPAA Privacy, Security, & Breach Rules
• Privacy Rule
– 45 CFR §164.5xx; Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Access of PHI is a hot button issue for HHS – FORTY-THREE settlements so far
recently in HHS OCR Right of Access initiative
• Security Rule
– 45 CFR §164.3xx; Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify and plan the mitigation of security risks
• Breach Notification Rule
– 45 CFR §164.4xx; Enforceable since February 2010
– Requires reporting of all PHI breaches to HHS and individuals
– Extensive/expensive obligations
– Provides examples of what not to do on the HHS “Wall of Shame”:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
3

PHI, Uses, and Disclosures
➢ Protected Health Information (PHI): Individually identifiable
information about health, health care or payment for
healthcare services; past, present, future; in any form or
format
➢ If PHI is truly de-identified it is no longer considered PHI but
that’s not easy to do properly
➢ Disclosure: the release, transfer, provision of, access to, or
divulging in any other manner of information outside the
entity holding the information
➢ Use: the sharing, employment, application, utilization,
examination, or analysis of individually identifiable health
information within an entity that maintains such information
4

Required & Permitted Uses & Disclosures
• MUST disclose:
– To HHS for compliance purposes
– To the individual (with limited exceptions)
• MAY use or disclose for:
– Treatment, Payment, and Healthcare Operations, with notice or in
emergencies
– Any purpose with an Authorization
– Directories, with opt-out
– For public good
– Subject to court orders
• Consider Minimum Necessary, except when requested by a
provider, the individual, or according to an Authorization
5

Allowable Disclosures, no permission needed
• Required by Law
• Public Health Activities
• Victims of Abuse, Neglect, or Domestic Violence
• Health Oversight
• Judicial and Administrative Proceedings
• Law Enforcement Activities
• Decedent Information, Organ Donation
• Research
• Serious Threat to Health or Safety
• Specialized Government Functions
• Worker’s Compensation
6

De-Identified Data:
The HIPAA Personal Identifiers
• Name
• Address including city and
zip code
• Telephone number
• Fax number
• E-mail address
• Social security number
• Date of birth
• Medical record number
• Health plan ID number
• Dates of treatment
• Account number
• Certificate/license number
• Device identifiers and serial number
• Vehicle identifiers and serial number
• URL
• IP address
• Biometric identifiers including finger
prints
• Full face photo and other
comparable image
• Or anything else that might be used
to identify the individual
7

Guidance on De-identification
• HHS’s guidance from 2012 on De-identification of PHI
http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/un
derstanding/coveredentities/De-
identification/hhs_deid_guidance.pdf
• NIST IR 8053, released December 17, 2015, a report on De-
Identification of Personal Information
http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
– Summarizes de-identification research
– Discusses current practices, including discussion of HIPAA
methods for de-identification, and the effectiveness of the HIPAA
Safe Harbor method
8

Two Methods of De-Identification
1. Remove all eighteen personal identifiers of subject,
relatives, employer, or household members; or
2. Biostatistician confirms that individual cannot be
identified.
• Verify data cannot be identified
• Small sample sets, unique data hard to de-identify
• De-Identified PHI is no longer PHI and need not be
protected or accounted for
9

De-identifying Photographs and Video
• Identifying data that was generated by the camera when a photo or
video was taken may be in embedded metadata in the image file
• Even if not in metadata, the circumstances and timing of the
appearance of photos and video, and the uniqueness of images can
identify the individuals
• When de-identifying, consider:
– The precision and accuracy of identifying objects requiring de-
identification
– The reversibility of the transformation – is it really, actually de-
identified? Or is the data still there?
– The visual quality of the resulting imagery
– The effectiveness of the chosen identity obscuring techniques in
actually obscuring identity
10

De-identification and Breaches
• Following HIPAA requirements for de-identified
data and Limited Data Sets limits breach exposure
• Securing the data limits breach exposure
• Require Protection and Prohibit re-identification of
data in data use agreements, for both:
– De-identified PHI
– Limited Data Sets
11

HIPAA Tiered Penalty Structure
12
• Tier 1: Did not know and, with reasonable diligence, would not have known
– $114 - $57,051 per violation, $28,525 annual max (may use an Affirmative
Defense)
• Tier 2: Violation due to reasonable cause and not willful neglect
– $1,141 - $57,051 per violation, $114,102 annual maximum (may get a Waiver)
• Willful Neglect: Conscious, intentional failure or reckless indifference to the
obligation to comply with the administrative simplification provision violated
• Tier 3: Violation due to willful neglect and corrected within 30 days of when
known or should have been known with reasonable diligence
– $11,182 - $57,051 per violation, $285,255 annual maximum
• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of
when known or should have been known with reasonable diligence
– $57,051 per violation, $1,711, 533 annual maximum
• See the HHS OCR enforcement pages: http://www.hhs.gov/hipaa/for-
professionals/compliance-enforcement

13
Your to-do list…
✓ Review how you use and share PHI
✓ Look for invalid pseudonymization, such as using
patient initials as a name substitute
✓ For insecure communications, use a private code
✓ Call on a professional if you are not sure!
✓ Think through the context of information – where
did it come from and when?
✓ Verify that your procedures and processes are being
followed and actually work
✓ Be prepared for breaches, just in case
✓ Keep improving your processes and verification

Thank you!
Any Questions?
For additional information, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
5675 Spear Street, Charlotte, VT 05445
jim@lewiscreeksystems.com
www.lewiscreeksystems.com
14
Register Now!!!

Safeguarding Personal Health Information: HIPAA Rules on De-Identification

Recommended

Recommended

More Related Content

Similar to Safeguarding Personal Health Information: HIPAA Rules on De-Identification

Similar to Safeguarding Personal Health Information: HIPAA Rules on De-Identification (20)

More from Conference Panel

More from Conference Panel (20)

Recently uploaded

Recently uploaded (20)

Safeguarding Personal Health Information: HIPAA Rules on De-Identification