Under HIPAA 164.514, the expert must be a person with specific knowledge and experience. The HIPAA 164.514 expert must have knowledge of, and experience with using, generally accepted statistical methods for removing or altering information to ensure that it is no longer individually identifiable.
The process of expert determination deidentification consists of the following.
“Very Small” Risk of Reidentification
The expert must define what a “very small” risk of re-identification is. HIPAA does not provide an actual numerical value for what a “very small risk” is. The expert must make the determination in a defensible way. The risk must be assessed in the specific context for which the deidentified data will be used or released. If a large amount of data needs to be deidentified from multiple storage devices, there may be a greater risk of reidentification than exists in the case of deidentification of a small data set.
Appropriate Metrics and Measure the Reidentification Risk
The expert must select the appropriate metrics and measure the reidentification risk. Measurement is based on three considerations:
Replicability. Replicability is the chance or probability that a given piece of PHI will be found in more than one storage system, or in multiple devices. PHI containing basic information such as name, date of birth, and Social Security number, has a greater likelihood of appearing across systems than does more relatively obscure information such as biometric information. Patients typically are not asked for biometric information as frequently as they are asked for this other information.
Data source availability. The expert must evaluate where PHI that must be deidentified is stored. Here, the expert takes into account who has access to PHI, and how the organization transmits PHI. The expert also evaluates how and whether data containing PHI is backed up.
Distinguishability. Here, the expert analyzes data to determine how much a given piece of PHI “stands out” in data related to a patient. A doctor’s intake notes may contain background information, such as patient height and age. A notation that the patient has a rare blood disorder is information that stands out in relation to the record, meaning were someone to authorize that record without access, the person would be more likely to remember the fact of the blood disorder than the “background” information.
Data Must be Deidentified
The data must be deidentified. This can be done by using software and algorithms that separate protected health information from information that cannot identify someone.
What is HIPAA 164.514: The “Safe Harbor” Method
Deidenfitication may also be accomplished using the more commonly used “safe harbor” method. Under the safe harbor method, the following identifiers of the individual or of relatives, employers, or household members of the individual, must be removed:
- Geographic subdivisions smaller than a state;
- All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, and all ages over 89 years old);
- Telephone, cellphone, and fax numbers;
- Email addresses;
- IP addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers or member ID numbers;
- Device identifiers and serial numbers;