HIPAA Regulatory Alert: Guidelines address data de-identification

Review BA agreements to ensure compliance

The increasing use of electronic health records, digital imaging, and automated registration systems has created large, complex data sets that can be used by researchers for the development of chronic disease programs, clinical guidelines, and new treatment protocols. The challenge is compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

De-identification of patient information is essential before a healthcare organization or its business associates can share the information with an outside party without patient authorization or another permission under the Privacy Rule. Guidance developed by the Office for Civil Rights (OCR) was released in November 2012 to help covered entities and business associates further define which de-identification processes are acceptable.

“These guidelines will affect business associates more than covered entities because they are the organizations selling the information in most cases,” says Donn H. Herring, a healthcare attorney with Lathrop and Gage in St. Louis, MO. Healthcare entities should be aware of the guidelines to be able to update business associate agreements appropriately, Herring says. “Most covered entities allow business associates to sell de-identified patient information to outside entities,” he explains. Although agreements may contain general statements that address de-identification of information before selling it, the OCR guidelines can be referenced in future agreements.

The HIPAA Privacy Rule already recognized two acceptable methods of de-identification, expert determination and safe harbor; the OCR guidance, organized as answers to frequently asked questions, spells out what each method requires. Expert determination will be a developing field as standard procedures and best practices are identified, predicts Herring. Expert determination requires “an expert in the field of data de-identification to certify that there is a very small risk that the recipient of the information can identify individuals.”

Safe harbor consists of removing the 18 categories of identifiers listed in the Privacy Rule (the “laundry list”) for the patient and for the patient's relatives, employers and household members, and it also requires that the covered entity have no actual knowledge that the remaining information could still identify the individual. “Some of the information, such as age and geographic location that must be removed, may make the information useless for some research, but it is a straightforward method of de-identification,” Herring says.
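To make the safe harbor method concrete, the following is an added example, not code from the article or from OCR, that applies the safe harbor removals and generalizations to one constructed patient record: direct identifiers are dropped, dates related to the individual are reduced to the year, ages over 89 collapse into a single “90+” category (and the birth year is dropped for them, since it would reveal the age), and ZIP codes are cut to their first three digits, with the low-population three-digit prefixes from the OCR guidance replaced by 000. The field names, the sample record and the free-text handling are assumptions made for the example; the restricted ZIP prefix list reflects the 2000 Census figures cited in the guidance and should be re-checked against current data before use.

```python
"""Added example: applying HIPAA Safe Harbor removals to a patient record.
Illustration code written for this page; the record is constructed, not real."""
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer, as
# listed in the OCR guidance (2000 Census). Assumption: re-verify before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Assumed field names for identifiers Safe Harbor removes outright: names,
# sub-state geography, contact details, SSN, record/plan/account/license
# numbers, vehicle and device identifiers, URLs, IPs, biometrics, images.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address", "fingerprint", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Free text can embed any of the above; dropping it is the conservative default
# until it has been reviewed or scrubbed separately (assumed field name).
FREE_TEXT_FIELDS = {"notes"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless the prefix is restricted (-> 000)."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(years):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if years > 89 else str(years)


def age_on(birth, as_of):
    """Whole years of age on as_of, computed before the birth date is dropped."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in FREE_TEXT_FIELDS or value is None:
            continue
        if field in DATE_FIELDS:
            out[field[:-5] + "_year"] = value.year   # admission_date -> admission_year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        else:
            out[field] = value                       # state, clinical data, etc.
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("birth_year", None)  # a birth year would reveal the 90+ bracket
    return out


def residual_identifiers(out):
    """Names of Safe Harbor fields that survived; should be empty after de-identification."""
    forbidden = DIRECT_IDENTIFIERS | DATE_FIELDS | FREE_TEXT_FIELDS | {"zip"}
    return {field for field in out if field in forbidden}


# Constructed sample record (not real patient data) and an assumed reference date.
AS_OF = date(2012, 11, 20)
SAMPLE = {
    "name": "Jane Q. Public",
    "street_address": "12 Elm St",
    "city": "Clayton",
    "state": "MO",
    "zip": "63105",
    "birth_date": date(1921, 3, 2),
    "admission_date": date(2012, 11, 20),
    "discharge_date": date(2012, 11, 27),
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "diagnosis_code": "E11.9",
    "lab_hba1c": 7.4,
    "notes": "Pt reports fasting glucose elevated since spring.",
}


def deidentify_sample():
    """Run the sample through safe_harbor; used as the worked example."""
    return safe_harbor(SAMPLE, AS_OF)


if __name__ == "__main__":
    result = deidentify_sample()
    print(result)
    print("residual identifiers:", residual_identifiers(result))
```

Note what the example does not do: it does not satisfy the second half of safe harbor, the covered entity's lack of actual knowledge that the residual data could identify someone. A rare diagnosis combined with state, year and a 90+ age bracket can still single out a person in a small dataset, which is exactly the risk the expert determination method is meant to quantify.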

Hospitals or larger health systems that do provide data for outside entities to use in research will need to incorporate these guidelines, but realistically, most healthcare organizations will only need to change a line in a business associate agreement to indicate that the business associate will de-identify patient information according to the OCR guidelines, says Herring. “This is a change that does not have to be made on all current BA [business associate] agreements. It can be included in new agreements and upon renewal of existing agreements.”

For more information about de-identification of patient information, contact:

Donn H. Herring, Lathrop and Gage, 7701 Forsyth Boulevard, Suite 500, Clayton MO 63105. Telephone: (314) 613-2800. Fax: (314) 613-2801. E-mail: dherring@lathropgage.com.