A decision out of the Department of Health and Human Services, Monday, took a good first step toward achieving a better quality, less expensive health care system that carries the added benefit of better protections for individual patient health records. That move was the issuance of long overdue guidance for methods of de-identify data gleaned from public health records, as required by federal law.
Access to the vast amounts of health data increasingly available as the nation continues to roll out its all digital health information network will provide the opportunity for the kind of rigorous data analysis that is critical if the U.S. is to realize the promise of a lower cost, better quality health care system. It is just as critical that the privacy of the individuals from which that data is drawn is protected in a way that invokes trust in the system. This is where the new guidance comes into play.
The Office for Civil Rights (OCR) within HHS is responsible for researching and then publishing the best selected methods for de-identifying health data, in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. These new guidelines could help pave the way to greater reliance on using health data in de-identified form.
The guidance addresses a number of common questions about de-identification, including:
- Whether business associates are permitted to de-identify, and then use or disclose, de-identified data (brief answer: yes, but only to the extent such activity is authorized by their business associate agreement).
- Who is an “expert” qualified to de-identify health data using the statistical (or expert) method (brief answer: while no specific professional degree or certification is required, OCR will review the relevant experience or training of a statistical “expert” in an enforcement action).
- With respect to the Safe Harbor method, what is actual knowledge that the remaining information in the dataset could be used to re-identify patients? (brief answer: “clear and direct knowledge” that the information could be used to identify an individual; three examples are also provided in the guidance).
In the American Recovery and Reinvestment Act of 2009, Congress mandated that HHS
“issue guidance on how best to implement the requirements for de-identification” under the HIPAA Privacy Rule. However, OCR has broader responsibility to ensure de-identification remains a reliable tool for protecting individual privacy while ensuring the utility of health data for a range of important purposes. CDT has called for measures
to strengthen current de-identification policies – such as ensuring the integrity and viability of the Safe Harbor method in a rapidly changing data environment and protecting against unauthorized re-identification – and these recommendations go beyond what can be addressed in implementation guidance. We urge OCR to consider this report the first in a series of steps aimed at strengthening health data de-identification policies.
We also are disappointed with how long it took the Administration to release this guidance. Congress mandated that this study be completed by February 2010 (within a year of enactment of ARRA in February 2009). OCR held a workshop to gather stakeholder input on health data de-identification in March 2010, and this guidance was not released until nearly three years later.
As the nation moves rapidly to implement health reform and to achieve a higher performing, lower cost health care system, timely guidance on compliance with HIPAA will be key to providing the legal certainty needed to move forward on critical health data initiatives. Getting this right – and in time to assure successful implementation of HITECH and the Affordable Care Act - will require a much more nimble approach.