The Office of Civil Rights yesterday published detailed guidance regarding the provisions in the HIPAA Privacy regulations that deal with de-identification of protected health information (PHI). The general idea of this provision is that healthcare data sets may be shared as long as the recipient is unable to identify the specific individuals involved. De-identification is routinely used by hospitals, researchers, government agencies and other healthcare organizations when sharing health information for medical research, policymaking, market share analysis, and other purposes. The HITECH Act required that OCR issue clarification on various HIPAA issues, and this guidance fulfills that requirement.
Since the passage of HIPAA, privacy advocates have shown that even when identifiers such as name, address, Social Security number, and other identifying numbers are removed, clever and resourceful use of other publicly available data sets allows re-identification of information from “de-identified” data sets. For example, by correlating such “de-identified” data with publicly available datasets, such as voter registration databases, it is possible to match on birthdate and gender to re-identify, with high probability, some of the information.
OCR’s guidance takes the form of 25 specific questions that explain the de-identification process in more detail, set out OCR’s view of how it would enforce the regulation, and address a variety of specific questions and issues that have been raised. The guidance is available at OCR Guidance Regarding De-identification.
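A pre-release check for the linkage risk described above, as an added example that is not part of the original post: it measures how many records in an extract are unique on birthdate and gender, and how that changes when birthdate is coarsened to birth year. The records, field names and the threshold of 3 are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample of a "de-identified" extract: name, address and SSN are
# already gone, but birthdate and gender remain as quasi-identifiers.
RECORDS = [
    {"birthdate": date(1961, 3, 14), "gender": "F", "dx": "dx-01"},
    {"birthdate": date(1961, 3, 14), "gender": "F", "dx": "dx-02"},
    {"birthdate": date(1961, 7, 2), "gender": "F", "dx": "dx-03"},
    {"birthdate": date(1961, 11, 30), "gender": "F", "dx": "dx-01"},
    {"birthdate": date(1975, 1, 9), "gender": "M", "dx": "dx-04"},
    {"birthdate": date(1975, 5, 21), "gender": "M", "dx": "dx-02"},
    {"birthdate": date(1975, 8, 17), "gender": "M", "dx": "dx-05"},
    {"birthdate": date(1975, 12, 3), "gender": "M", "dx": "dx-03"},
]


def by_day(record):
    """Quasi-identifier as released: full birthdate plus gender."""
    return (record["birthdate"], record["gender"])


def by_year(record):
    """Quasi-identifier after coarsening birthdate to birth year."""
    return (record["birthdate"].year, record["gender"])


def risk(records, key):
    """Return (k, unique_fraction) for the given quasi-identifier.

    k is the size of the smallest group of records sharing one
    quasi-identifier value; unique_fraction is the share of records that
    are alone in their group and so match at most one person in an
    outside data set that carries the same fields.
    """
    if not records:
        raise ValueError("no records to assess")
    sizes = Counter(key(r) for r in records)
    unique = sum(1 for r in records if sizes[key(r)] == 1)
    return min(sizes.values()), unique / len(records)


def release_ok(records, key, k_min=3):
    """True when every quasi-identifier group has at least k_min records."""
    return risk(records, key)[0] >= k_min


if __name__ == "__main__":
    for name, key in (("birthdate+gender", by_day), ("birth year+gender", by_year)):
        k, frac = risk(RECORDS, key)
        print(f"{name}: k={k}, unique={frac:.0%}, ok={release_ok(RECORDS, key)}")
```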