What is HIPAA 164.514?

45 CFR § 164.514 is a provision of the HIPAA Privacy Rule that governs how covered entities may use and disclose protected health information (PHI). In particular, it provides the rules for deidentification and reidentification of PHI. The section is discussed in greater detail below.

What is HIPAA 164.514: Deidentification

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for deidentification of protected health information. Health information that has been deidentified is no longer individually identifiable. In addition, there is no reasonable basis to believe that deidentified PHI can be used or pieced back together again to identify an individual.


HIPAA 164.514(b) and HIPAA 164.514(c) describe how a covered entity can meet the deidentification standard.

Under HIPAA 164.514(b), a covered entity may use one of two methods to determine that health information is no longer PHI. The first method is known as the “expert determination” method, and the second method is known as the “safe harbor” method.

What is HIPAA 164.514: The “Expert Determination” Method

Under the expert determination method, a HIPAA covered entity or business associate must obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from a set of data is very small. The expert must document and justify the methods used to make the determination. The covered entity or business associate must maintain this documentation, and make it available to the Department of Health and Human Services (HHS) in the event of an audit or investigation.


Under HIPAA 164.514, the expert must be a person with specific knowledge and experience: knowledge of, and experience with applying, generally accepted statistical methods for removing or altering information so that it is no longer individually identifiable.

The expert determination process consists of the following steps.

“Very Small” Risk of Reidentification

The expert must define what a “very small” risk of reidentification is. HIPAA does not provide a numerical value for what a “very small risk” is, so the expert must make the determination in a defensible way. The risk must be assessed in the specific context in which the deidentified data will be used or released. If a large amount of data from multiple storage devices needs to be deidentified, the risk of reidentification may be greater than in the case of a small data set.

Selecting Appropriate Metrics and Measuring the Reidentification Risk

The expert must select the appropriate metrics and measure the reidentification risk. Measurement is based on three considerations:

Replicability. Replicability is the probability that a given piece of PHI will be found in more than one storage system or on multiple devices. PHI containing basic information such as name, date of birth, and Social Security number is more likely to appear across systems than relatively obscure information such as biometric data, because patients are asked for biometric information far less often than for these basic identifiers.

Data source availability. The expert must evaluate where the PHI to be deidentified is stored, taking into account who has access to it and how the organization transmits it. The expert also evaluates whether and how data containing PHI is backed up.

Distinguishability. Here, the expert analyzes the data to determine how much a given piece of PHI “stands out” within a patient’s record. A doctor’s intake notes may contain background information, such as patient height and age. A notation that the patient has a rare blood disorder stands out in relation to the rest of the record, meaning that were someone to access that record without authorization, the person would be more likely to remember the fact of the blood disorder than the “background” information.

Data Must be Deidentified

The data must then be deidentified. This can be done using software and algorithms that separate protected health information from information that cannot identify an individual.

What is HIPAA 164.514: The “Safe Harbor” Method

Deidentification may also be accomplished using the more commonly used “safe harbor” method. Under the safe harbor method, the following identifiers of the individual, or of relatives, employers, or household members of the individual, must be removed:

  • Names;
  • Geographic subdivisions smaller than a state;
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, and all ages over 89 years old);
  • Telephone, cellphone, and fax numbers;
  • Email addresses;
  • IP addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers or member ID numbers;
  • Device identifiers and serial numbers;
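The following Python script is an added example and is not code from the page or from Compliancy Group. It serves two passages above: it applies the safe harbor identifier rules listed in this excerpt to constructed sample records (direct identifiers dropped, sub-state geography dropped, dates reduced to the year, ages over 89 aggregated into a single category), and it then quantifies the distinguishability consideration from the expert determination section by counting how many records share each combination of quasi-identifiers, so that a record that still stands out as unique is visible. The equivalence-class count is one common illustration of distinguishability, not a metric HIPAA prescribes. The identifier classes covered are the ones shown in this excerpt; the regulation's full safe harbor list contains further items (for example URLs, biometric identifiers and full-face photographs) that are not handled here. The field names, the sample records and the reference date used to compute ages are assumptions.

```python
"""Safe-harbor style deidentification plus a simple distinguishability count.

Added example (not from the page or Compliancy Group). Assumes records are
flat dicts of strings with the field names below; all sample data is constructed.
"""
import re
from collections import Counter
from datetime import date

# Identifier classes named in the excerpt that are removed entirely (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ip_address", "ssn",
    "medical_record_number", "health_plan_id", "device_serial",
}
# Geographic subdivisions smaller than a state are removed; the state is kept.
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "zip"}
# Date fields keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_CAP = 89  # ages over 89 are aggregated into one "90+" category


def _year_only(value):
    """Reduce an ISO-8601 date (YYYY-MM-DD) to its year; reject anything else."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not m:
        raise ValueError(f"unexpected date format: {value!r}")
    return m.group(1)


def _age_from(birth, as_of):
    y, mth, d = map(int, birth.split("-"))
    born = date(y, mth, d)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def safe_harbor(record, as_of=date(2024, 1, 1)):
    """Return a new record with the excerpt's identifier classes removed or generalised."""
    out = {}
    age = None
    if "age" in record:
        age = int(record["age"])
    elif "birth_date" in record:
        age = _age_from(record["birth_date"], as_of)  # reference date is an assumption
    if age is not None:
        out["age"] = "90+" if age > AGE_CAP else str(age)
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEOGRAPHY or field == "age":
            continue  # dropped entirely (age was replaced by the category above)
        if field in DATE_FIELDS:
            # A birth year for someone over 89 would itself reveal the age band, so it goes too.
            if field == "birth_date" and out.get("age") == "90+":
                continue
            out[field + "_year"] = _year_only(value)
            continue
        out[field] = value
    return out


def distinguishability(records, quasi_identifiers):
    """Group records by their quasi-identifier combination and report how many stand alone."""
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)
    return {
        "min_group_size": min(groups.values()),
        "unique_records": sum(1 for n in groups.values() if n == 1),
        "total": len(records),
    }


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "birth_date": "1931-05-17", "zip": "02139", "state": "MA",
     "city": "Cambridge", "admission_date": "2023-03-02", "discharge_date": "2023-03-05",
     "ssn": "000-00-0001", "email": "alice@example.com", "phone": "555-0100",
     "medical_record_number": "MRN-0001", "diagnosis": "hypertension"},
    {"name": "Bob Example", "birth_date": "1980-11-30", "zip": "02139", "state": "MA",
     "city": "Cambridge", "admission_date": "2023-03-02", "discharge_date": "2023-03-04",
     "ssn": "000-00-0002", "ip_address": "192.0.2.10", "device_serial": "SN-42",
     "medical_record_number": "MRN-0002", "diagnosis": "hypertension"},
    {"name": "Carol Example", "birth_date": "1980-03-14", "zip": "02140", "state": "MA",
     "city": "Cambridge", "admission_date": "2023-04-20", "discharge_date": "2023-04-21",
     "ssn": "000-00-0003", "health_plan_id": "HP-7", "fax": "555-0199",
     "medical_record_number": "MRN-0003", "diagnosis": "hypertension"},
]


def run_example():
    """Measure distinguishability before and after applying the safe harbor transform."""
    before = distinguishability(SAMPLE_RECORDS, ("birth_date", "zip", "admission_date"))
    cleaned = [safe_harbor(r) for r in SAMPLE_RECORDS]
    after = distinguishability(cleaned, ("age", "state", "admission_date_year"))
    return before, after


if __name__ == "__main__":
    before, after = run_example()
    print("before:", before)
    print("after: ", after)
    for r in SAMPLE_RECORDS:
        print(safe_harbor(r))
```

In the constructed data every record is unique on raw birth date, ZIP code and admission date, and after the transform two records collapse into one group while the 90+ patient still stands alone on age, state and admission year. That residual singleton is exactly the kind of record the distinguishability analysis is meant to surface: removing the listed identifiers is necessary, but an expert still has to judge whether what remains stands out.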