OCR Releases Guide for De-Identifying Patient Health Information

Recommends Two Methods for De-Identifying PHI

The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy in the Department of Health and Human Services (HHS). The HITECH Act of 2009 strengthened HIPAA and required HHS to issue guidance on how best to implement the requirements for the de-identification of health information. In March of 2010, a workgroup was established to address this issue. On Monday, the OCR finally published the recommendations of this workgroup in a guide to help healthcare providers and other HIPAA-covered entities and business associates understand what methods to use for de-identifying health information.

De-identification is the process of stripping protected health information of any and all data that might allow identification of the source of the data for research and other purposes. The guide outlines protected health information as demographic information related to:

  • Past, present, or future physical or mental health or condition
  • Provision of health care to the individual
  • Past, present, or future payment for the provision of health care to the individual
  • Any other basis by which an individual could be identified including name, address, birth date, and social security number

Increased use and adoption of health information technologies has accelerated threats to PHI as studies become larger and more complex, using data sets from multiple sources. The electronic health record environment creates additional concerns as some EHR vendors use or sell de-identified information.

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule explains and answers questions regarding the two methods to be used to satisfy the Privacy Rule's de-identification standard: Expert Determination and Safe Harbor.

The Expert Determination method requires that an expert on statistical and scientific principles and methods determine that the risk that the protected health information, used alone or in combination with other available information, could identify an individual is very small. The expert must document the methods and analysis used to support the determination. The Safe Harbor method requires the removal of up to 18 types of PHI identifiers (name, address, phone, social security, medical record numbers, etc.).


The OCR document provides specific details on the process of satisfying both methods.