Removing identifying information from patient data so that data cannot be linked to a specific person, mitigates privacy risks to individuals and reduces risk to the organization by minimizing the potential for data breaches. There is also no requirement to obtain authorizations/consents for use of de-identified data. De-identification thereby supports the secondary use of data for life sciences research as well as quality assurance, comparative effectiveness studies, precision medicine initiatives and other endeavors. De-identification attempts to balance the contradictory goals of using and sharing personal information while protecting privacy. Please note, use of de-identified data for Human Subject research, will still generally need IRB review.
The HIPAA Privacy Rule and associated guidance provides two methods for de-identification of health information:
- Expert Determination Method: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
- Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
- Documents the methods and results of the analysis that justify such determination.
- Safe Harbor Method: (i) The 18 identifiers defined in the HIPAA Privacy Rule (45 CFR 164.514(b)(2)) as they pertain to the individual (or of relatives, employers, or household members of the individual) are removed and (ii) the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information
De-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances. This is particularly true for the safe harbor method which utilizes a strict, inflexible approach. The expert method takes a risk-based approach that applies current standards and best practices from de-identification research.
