OCR: No fail-safe for de-identifying patient info

Expert determination, safe harbor are not completely secure

Neither the expert determination method nor the safe harbor method of de-identifying patient data is 100 percent effective, according to new guidance released this week by the U.S. Department of Health & Human Services' Office for Civil Rights. While both methods can lower the risk of re-identifying data to minuscule levels, neither is completely secure, OCR officials write.

"There is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds," the guidance says.

For the expert determination method, a person deemed an expert--a.k.a. someone "with appropriate knowledge of and experience with generally accepted statistical and scientific principles for rendering information not individually identifiable"--uses their expertise to measure the risk of re-identification for certain sets of data. In a blog post written this week, FierceHealthIT Advisory Board member David Harlow says it's worth noting that, according to OCR, expert determinations should only be valid for a finite amount of time.

"Experts have recognized that technology, social conditions and the availability of information changes over time," OCR officials write. "Consequently, certain de-identification practitioners use the approach of time-limited certifications. … Information that had previously been de-identified may still be adequately de-identified when the certification limit has been reached." OCR continued, "Covered entities will need to have an expert examine whether future releases of the data to the same recipient should be subject to additional or different de-identification processes consistent with current conditions to reach the very low risk requirement."

For the safe harbor method, all specific identifying information about individuals--names, addresses, Social Security and medical record numbers, treatment dates, etc.--is removed from the data being used.

According to the guidance, de-identified health information created following either method "is no longer protected by the Privacy Rule because it does not fall within the definition" of personal health information.

In an article published in June in the Journal of the American Medical Informatics Association, Deven McGraw, director of the Privacy Project at the Center for Democracy and Technology, said that concerns that de-identified data could be re-identified are increasing.
