• E-mail
• Print
• RSS

What is de-identified health information?

HIPAA Weekly Advisor, January 20, 2003

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: What is de-identified health information?

A: De-identified health information is information that there is no reasonable basis to believe can be used to identify an individual.

De-identified health information is not considered protected health information (PHI) and thus, is not subject to the HIPAA privacy regulations.

Information is considered de-identified if it meets either of the following two criteria:

• A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and documents the methods and results of the analysis that justify such determination
• The information is stripped of all identifying information, and the covered entity does not have actual knowledge that the information could be used alone or in combination with other documents to identify the subject of the information

The HHS commentary states that although guidance will change over time to keep up with technology and the availability of public information from other sources, it approves as a starting point use of the following as guidance to such generally accepted statistical and scientific principles and methods:

• Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation Methodology: http://www.fcsm.gov/working-papers/wp22.html (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget)
• Checklist on Disclosure Potential of Proposed Data Releases: http://www.fcsm.gov/committees/cdac (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget)

The regulations allow a covered entity to assign a code or other means of record identification to allow the covered entity to re-identify de-identified information, provided that:

• The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated to identify the individual
• The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification

Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP (http://www.bricker.com) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com. E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive