How to choose the right method for deidentification

The best way to choose the right deidentification method is to clearly understand what the data will be used for and carefully evaluate the risks associated with potential re-identification. 

What is deidentification?

According to HIPAA’s Privacy Rule deidentification is, “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.”

The deidentification process involves two methods: Expert Determination and Safe Harbor. Both ensure that no one can trace the information back to a person without substantial effort. The purpose of deidentification is to protect privacy while allowing data use. 

Health data is useful for research and planning. It helps improve treatments and understand health trends. Researchers and planners can use data without risking patient privacy by deidentifying data. The process also supports public health efforts without compromising individual security.

Why there are different methods of deidentification

Deidentification under HIPAA means making sure no one can figure out whose medical data they’re looking at. It uses different methods because not everyone needs the same level of privacy protection. The Expert Determination method relies on a privacy expert to make the call. They use their knowledge to say whether the data can't be linked back to you. It’s tailored, ensuring the data is safe to use for specific needs. On the other hand, the Safe Harbor method follows a checklist. It’s like a recipe for privacy, removing all obvious identifiers like your name, address, and more, so almost anyone can follow it without needing expert knowledge.

Having these options helps cover all bases. Some situations need the precision of an expert, especially when the data is complex or contains lots of details. Other times, you just need a quick, reliable way to scrub the identifiers from a large set of data, making Safe Harbor perfect. The flexibility keeps data useful for research and development without compromising individual privacy. Researchers can explore health trends, hospitals can improve services, and policy makers can craft better health laws, all without risking personal information.

How to choose the right method for deidentification

Expert determination method

• When to use it: The method is ideal when you need a tailored approach. If the data set contains complex information or if you want to retain more useful data for analysis, an expert can help. 
• How it works: A qualified expert applies statistical or scientific principles to determine that the risk of re-identification is "very small." The expert must document their methods and results, ensuring that the risk assessment is defensible.
• Benefits: Allows for more data utility while still complying with HIPAA’s privacy requirements. It can be adapted based on the specific context of the data and the intended use.
• Considerations: You need access to a qualified privacy expert who understands both the legal requirements and the statistical methodologies involved. As an option it can be more costly and time-consuming than Safe Harbor.
  
  

Safe harbor method

• When to use it: The method is straightforward and best for situations where you want a clear, compliance-guaranteed process without needing specialized knowledge. It’s suitable for large datasets where individual data points do not need to be as detailed for the intended analysis.
• How it works: You systematically remove 18 types of identifiers from the data, as specified by HIPAA. These include direct identifiers like names, geographic data smaller than a state, all elements of dates related to an individual (other than year), telephone numbers, and email addresses.
• Benefits: It provides a clear-cut compliance path with less subjective interpretation. Since it doesn’t require an expert’s analysis, it can be faster and less expensive to implement.
• Considerations: The removal of detailed identifiers can reduce the utility of the data for certain types of analyses. It might not be suitable for research needing high granularity.
  
  

Choosing the best approach

• Consider what the data will be used for. If detailed analysis is needed, Expert Determination might be better. For broader applications, Safe Harbor could suffice.
• Think about the potential risks of re-identification. High-risk data might benefit from the Expert Determination method to mitigate any legal or privacy concerns.
• Do you have or can you afford access to a qualified expert? If not, Safe Harbor might be your best bet.
• Ensure whichever method you choose is well documented. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is HIPAA? 

HIPAA is a U.S. law that protects personal health information and ensures it remains confidential.

What is the Privacy Rule? 

The Privacy Rule is a part of HIPAA that sets standards for the protection of health information.

Who commonly uses deidentification? 

Researchers, healthcare providers, and health administrators commonly use deidentification to protect patient privacy while using data for analysis and planning.