What is HIPAA 164.514?

45 CFR § 164.514 is a provision of the HIPAA Privacy Rule. It imposes requirements on covered entities as to how they may use and disclose protected health information (PHI), and it provides the rules for deidentification and reidentification of PHI. HIPAA 164.514 is discussed in greater detail below.

What is HIPAA 164.514: Deidentification

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for deidentification of protected health information. Health information that has been deidentified is no longer individually identifiable. In addition, there is no reasonable basis to believe that deidentified PHI can be used or pieced back together again to identify an individual.

HIPAA 164.514(b) and HIPAA 164.514(c) describe how a covered entity can meet the deidentification standard.

Under HIPAA 164.514(b), a covered entity may use one of two methods to determine that health information is no longer PHI. The first method is known as the “expert determination” method, and the second method is known as the “safe harbor” method.

What is HIPAA 164.514: The “Expert Determination” Method

Under the expert determination method, a HIPAA covered entity or business associate must obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from a set of data is very small. The expert must document and justify the methods used to make the determination. The covered entity or business associate must maintain this documentation, and make it available to the Department of Health and Human Services (HHS) in the event of an audit or investigation.


Under HIPAA 164.514, the expert must be a person with specific knowledge and experience. The HIPAA 164.514 expert must have knowledge of, and experience with using, generally accepted statistical methods for removing or altering information to ensure that it is no longer individually identifiable.

The process of expert determination deidentification consists of the following.

“Very Small” Risk of Reidentification

The expert must define what a “very small” risk of re-identification is. HIPAA does not provide an actual numerical value for what a “very small risk” is. The expert must make the determination in a defensible way. The risk must be assessed in the specific context for which the deidentified data will be used or released. If a large amount of data needs to be deidentified from multiple storage devices, there may be a greater risk of reidentification than exists in the case of deidentification of a small data set.

Select Appropriate Metrics and Measure the Reidentification Risk

The expert must select the appropriate metrics and measure the reidentification risk. Measurement is based on three considerations:

Replicability. Replicability is the chance or probability that a given piece of PHI will be found in more than one storage system, or on multiple devices. PHI containing basic information such as name, date of birth, and Social Security number has a greater likelihood of appearing across systems than does relatively obscure information such as biometric data. Patients typically are not asked for biometric information as frequently as they are asked for this other information.

Data source availability. The expert must evaluate where PHI that must be deidentified is stored. Here, the expert takes into account who has access to PHI, and how the organization transmits PHI. The expert also evaluates how and whether data containing PHI is backed up. 

Distinguishability. Here, the expert analyzes data to determine how much a given piece of PHI “stands out” in data related to a patient. A doctor’s intake notes may contain background information, such as patient height and age. A notation that the patient has a rare blood disorder is information that stands out in relation to the record, meaning that were someone to access that record without authorization, the person would be more likely to remember the fact of the blood disorder than the “background” information.

Data Must be Deidentified

The data must be deidentified. This can be done by using software and algorithms that separate protected health information from information that cannot identify someone. 

What is HIPAA 164.514: The “Safe Harbor” Method

Deidentification may also be accomplished using the more commonly used “safe harbor” method. Under the safe harbor method, the following identifiers of the individual, or of relatives, employers, or household members of the individual, must be removed:

  • Names;
  • Geographic subdivisions smaller than a state;
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, and all ages over 89 years old);
  • Telephone, cellphone, and fax numbers;
  • Email addresses;
  • IP addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers or member ID numbers;
  • Device identifiers and serial numbers;
  • Certificate/license numbers;
  • Credit card and bank account numbers;
  • Vehicle identifiers and serial numbers including license plates;
  • Website URLs;
  • Full face photos and comparable images;
  • Biometric identifiers (including finger and voice prints); and
  • Any other unique identifying numbers, characteristics or codes.

Satisfying either method above would demonstrate that a covered entity has met the standard in §164.514(a) above. Deidentified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.  

What is HIPAA 164.514: Reidentification

164.514(c) describes when an entity may take steps to reidentify information. A covered entity may assign a code or other means of record identification to allow information that has been deidentified to be reidentified, provided that:

  • The code or other means of record identification is not derived from or related to information about the individual, and is not otherwise capable of being translated so as to identify the individual; and
  • The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for reidentification.
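As an added example (not part of this article or of Compliancy Group's materials), the Python below applies the safe harbor removals listed above to one constructed patient record and attaches a reidentification code of the kind §164.514(c) permits: random, not derived from anything about the patient, with its mapping held apart from the released data. The field names and record layout are assumptions; it also drops the birth year for patients over 89, since the regulation treats a year that reveals such an age as an identifier.

```python
import re
import secrets
from datetime import date
# Safe harbor identifiers removed outright (field names are this example's assumption).
REMOVED_FIELDS = {"name", "phone", "fax", "email", "ip_address", "ssn", "mrn",
                  "member_id", "device_serial", "license_no", "account_no",
                  "license_plate", "url", "photo", "biometric"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}
# Identifiers that typically leak into free-text notes.
NOTE_PATTERNS = [(re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
                 (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
                 (re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
                 (re.compile(r"https?://\S+"), "[URL]")]
SAMPLE_RECORD = {  # constructed sample, not real patient data
    "mrn": "MRN-000123", "name": "Jane Doe", "ssn": "000-00-0000",
    "dob": date(1931, 5, 17), "age": 93, "admission_date": date(2024, 2, 3),
    "address": {"street": "1 Main St", "city": "Albany", "zip": "12207", "state": "NY"},
    "diagnosis": "pneumonia",
    "notes": "Call 518-555-0100 or jane@example.com; portal login from 203.0.113.5",
}

def scrub_notes(text):
    for pattern, label in NOTE_PATTERNS:
        text = pattern.sub(label, text)
    return text

def safe_harbor(record, reid_codes):
    """Deidentified copy of record; the reidentification code is random (not derived
    from the patient) and its MRN mapping goes only into reid_codes, kept separately."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in REMOVED_FIELDS:
            continue
        if field in DATE_FIELDS:
            # keep only the year; over 89 the birth year itself reveals age, so drop it
            out[field] = None if (field == "dob" and over_89) else value.year
        elif field == "age":
            out[field] = "90+" if over_89 else value
        elif field == "address":
            out["state"] = value["state"]  # nothing smaller than a state survives
        elif field == "notes":
            out[field] = scrub_notes(value)
        else:
            out[field] = value
    code = secrets.token_hex(16)
    reid_codes[code] = record["mrn"]
    out["reid_code"] = code
    return out
```

Note that hashing the MRN to make the code would not satisfy the "not derived from" condition above; the code here carries no information about the patient, so only the separately held mapping can reverse it.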
