The U.S. Department of Health and Human Services (HHS) is about to rule whether health care entities will need to notify patients if their de-identified data -- patient data that has been stripped of all potential for identifying individuals, which is often used for research and development -- is breached. As it stands now, de-identified data is not subject to the new breach-notification rules imposed by the HITECH privacy provisions of the 2009 American Recovery and Reinvestment Act (ARRA) stimulus package. The debate pits privacy activists on the one side -- who often support notification -- with health care organizations on the other, which say the quality of health care hangs in the balance.
This debate hasn't been getting much attention. That's unfortunate, because the outcome could have broader implications within the U.S. and even around the world. Validating that personal data can be de-identified in a way that still retains commercial and social usefulness could set a precedent for many other privacy-related standards and debates.
The ruling will come amid a flood of medical data-breach notifications in California, the first state to impose this requirement. Since January of this year, 823 medical-data breaches were reported to the state government, of which the state investigated 122 and confirmed 116 as breaches. One of them -- inappropriate staff access into the files of the so-called Octomom -- resulted in the statute's maximum fine of $250,000. So, the stakes are high on how the question of de-identified data is resolved.
Let me confess my bias. I think the people who came up with the Health Insurance Portability and Accountability Act (HIPAA) de-identification rule should be given a Presidential Medal of Freedom. I'm exaggerating only a little. The rule is one of the most practical innovations in privacy regulations worldwide and arguably has saved lives.
Table 1: HIPAA Direct Identifiers
| 1. Names |
| 2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code |
| 3. All elements of dates (except year) for dates directly related to an individual (e.g., date of birth, admission) |
| 4. Telephone numbers |
| 5. Fax numbers |
| 6. E-mail addresses |
| 7. Social Security numbers |
| 8. Medical record numbers |
| 9. Health plan beneficiary numbers |
| 10. Account numbers |
| 11. Certificate/license numbers |
| 12. Vehicle identifiers and serial numbers, including license plate numbers |
| 13. Device identifiers and serial numbers |
| 14. Web universal locators (URLs) |
| 15. IP address numbers |
| 16. Biometric identifiers, including fingerprints and voice prints |
| 17. Full-face photographic images and any comparable images |
| 18. Other unique identifying numbers, characteristics or codes |
Any of the data elements below, if associated with health information, makes that information personally identifiable, according to HIPAA.
How does de-identification work? According to part 164.514 of the Code of Federal Regulations, a HIPAA-covered entity has two choices if it wants to de-identify patient data and use it for any purpose such as research and development:
- The "safe harbor" option, where the entity can remove from its data all of the 18 personal identifiers listed by HIPAA (see Table 1); or
- The "statistical" option, where the entity can hire a statistician to determine which of the 18 identifiers it can retain without creating more than a "very small" risk that the data could be re-identified when publicly released.
HIPAA also provides a third "limited data set" method. Under these criteria, the covered entity can remove 16 of those 18 identifiers, but guard the remaining data with additional security precautions. It can use the dataset for research and development, but the remaining data is still regarded as protected health information (PHI) subject to HIPAA.