New HIPAA guidance on de-identification and the mysterious “expert determination” method

The Office for Civil Rights (OCR) released new guidance on November 26, 2012, that elaborates on HIPAA’s data de-identification standards. Under the HIPAA Privacy Rule, there are two ways that health information can be de-identified and therefore no longer considered Protected Health Information (PHI):

  1. Remove all 18 listed identifiers (the “safe harbor” method); or
  2. Obtain confirmation from a qualified statistician that the risk of identification is very small (the “expert determination” method).

Most researchers are familiar with the first method, but the Institutional Review Board (IRB) rarely sees submissions in which data have been de-identified using the second method. Until the release of the new guidance, there was very little information available about how this method should work in practice.

The expert determination method can be used when removing all 18 of the listed identifiers is not preferable and there is a very small risk that the anticipated recipient(s) could use the retained identifiers to link the information to an individual. An example might be a data set that contains the combination of subject age over 89 and a diagnosis that is relatively common in persons over age 89. Without more information about each subject, it may be highly unlikely that an individual in the data set could be identified.

A few important points from the guidance about the expert determination method include:

  • There is not a one-size-fits-all approach to the analysis. The appropriateness of the expert’s qualifications and the methods used will depend on the characteristics of the data set and the surrounding context.
  • The risk of identification must be “very small,” but there is no corresponding numerical value. This determination depends on multiple factors, including the environment in which the data set exists and the anticipated recipients of the information.
  • The statistical analysis must account for the possibility that someone looking at the data set could match the information with other publicly available data to identify an individual.

The guidance gives practical advice for researchers seeking to de-identify health information using either method, so please take a look at it if you are attempting to remove identifiers from a data set. The IRB is happy to answer questions. Feel free to give us a call at 503-494-7887, option 1.