De-Identification of PHI under HIPAA: Follow the Guidance to Avoid Penalties
Health information is afforded all kinds of protections under the HIPAA regulations, but once the information is de-identified, it is no longer protected under HIPAA and can be used or disclosed without limitation. The problem is, de-identification of PHI is harder than it looks. Even if all the identifiers listed in the rules are removed, the context of the information and other external factors can reveal the identity of the subject. Following the guidance provided by HHS and the National Institute of Standards and Technology (NIST) is essential to avoiding inappropriate disclosures that may reveal a patient's identity and result in fines.
In some cases, it may be possible to share the needed information more easily once it has been properly de-identified. While releasing information for research purposes may call for a HIPAA Authorization from each patient or approval by review boards and stringent controls on the information, if the research can be done without the identifying data, such Authorizations or reviews are not necessary.
But truly de-identifying information is not a simple or foolproof process. Oftentimes the context of the information or the uniqueness of the information can give away the identity. If information is not properly de-identified and is released inappropriately as a result, the consequences can include fines and corrective action plans that can reach into the millions of dollars. The right process needs to be followed to ensure that data is shared appropriately, whether as identifiable information, as a partially de-identified Limited Data Set, or as properly de-identified information.
This session will review guidance from the HHS Office for Civil Rights (OCR) and from the National Institute of Standards and Technology (NIST) about how to properly de-identify health information. The various needs for de-identified information and the typical questions covered in the guidance will be discussed, in order to provide a sound, defensible basis for an organization's decisions and processes surrounding de-identification of PHI. We will also explore the concepts and methods of de-identification and many of the typical questions that arise.
Why should you attend? Attendees will be able to go forward with de-identification with greater confidence, and better sharing of information will be possible.
- Understand the rules surrounding de-identification of Protected Health Information (PHI) under HIPAA.
- Know which codes are likely to be acceptable or unacceptable for de-identifying and re-identifying patient information.
- Understand when a Limited Data Set may be disclosed, and the precautions that must be taken to do so.
- Understand how the expert determination and safe harbor methods work to de-identify PHI, and when each may be more appropriate.
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than 18 years of experience specializing in HIPAA compliance, more than 36 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.