What is Protected Health Information Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). 

The HIPAA Privacy Rule defines “Individually identifiable health information” as information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

What is Required Under the Expert Determination Method?

Under the HIPAA Privacy Rule’s expert determination method for de-identifying PHI, a covered entity may determine that health information is de-identified only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and

(ii) Documents the methods and results of the analysis that justify such determination.

Essentially, under the expert determination method, a covered entity must use the services of a statistical expert. This expert, who must have knowledge of and experience with methods for de-identifying individually identifiable information, must, using his or her knowledge and experience, apply those methods to the information the covered entity claims is de-identified.

The expert, after applying the methods, must conclude that there is a very small risk that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.

In other words, the expert must conclude that there is a very small risk that the information the covered entity has attempted to deidentify, can be used, along or in conjunction with reasonably available data, by an anticipated recipient to reidentify a patient. An anticipated recipient is the entity to whom the covered entity seeks to disclose the information (i.e., a research institution, or another covered entity). 

If the expert has concluded that the risk is very small, the methods the expert relied on used to make that determination, and justification of the expert’s opinion,must be documented and retained by the covered entity. The Office of Civil Rights (OCR) may require that a covered entity provide it with this documentation during the course of an audit or investigation. 

Who Qualifies as an Expert?

There is no specific professional degree or certification program for designating who is an expert at rendering health information de-identified.  An individual may gain the required expertise through various routes of education and experience. Experts may be found in the statistical, mathematical, or other scientific fields. From an enforcement perspective, OCR, during an audit or investigation, will review the relevant professional experience and academic or other training of the expert used by the covered entity. OCR will also review the actual experience of the expert using health information de-identification methodologies.

What Constitutes a “Very Small” Risk?

As noted above, under the expert determination for PHI de-identification, the expert must conclude determines that the risk of reidentification is “very small.” The HIPAA Privacy Rule does not contain an explicit numerical level of identification risk that is deemed to universally meet the “very small” level indicated by the method.  This is because the ability of a recipient of information to identify an individual (i.e., subject of the information) is dependent on many factors, which an expert will need to take into account while assessing the risk from a data set. 

The risk of identification that has been determined for one particular set of data in the context of a specific environment, may not be appropriate for the same set of data in a different environment or a different data set in the same environment. 

As a result, an expert, under the HIPAA Privacy Rule, will define an acceptable “very small” risk based on the ability of an anticipated recipient to identify an individual. 

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain their HIPAA compliance!