As required by the HITECH Act, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has issued guidance on two methods for de-identifying protected health information (PHI) under the Health Insurance portability and Accountability Act of 1996 (HIPAA) privacy rule.[1]  “This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification,” according to OCR.
OCR’s lengthy and detailed guidance includes more than two dozen frequently asked questions that explain the two methods that satisfy de-identification of PHI in the HIPAA privacy rule. [2]  These two methods are: Expert Determination and Safe Harbor.
The Expert Determination method is defined as:
“(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination.”[3]
The Safe Harbor method involves the removal of dozens of identifiers of the individual, relatives, other household members of the individual and employers. For instance, the removal of just one identifier – dates – includes: “All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.”[4]
In developing this guidance, OCR solicited input from stakeholders with practical, technical and policy experience in de-identification.  OCR convened stakeholders at a workshop consisting of multiple panel sessions held March 8-9, 2010, in Washington, DC.  Each panel addressed a specific topic related to the Privacy Rule’s de-identification methodologies and policies.  The workshop was open to the public and each panel was followed by a question and answer period.
Squire Sanders lawyers have significant experience in HIPAA compliance efforts, including privacy and security assessments.  We routinely advise clients on matters related to HIPAA policies and procedures and business associate agreements.  We continue to monitor the proposed changes to HIPAA and are available to assist clients in structuring their privacy and security practices to comply with these changes.

[1] GUIDANCE ON IMPLEMENTATION SPECIFICATION TO DE-IDENTIFY PROTECTED HEALTH INFORMATION.—Not later than 12 months after the date of the enactment of this title, the Secretary shall, in consultation with stakeholders, issue guidance on how best to implement the requirements for the de-identification of protected health information under section 164.514(b) of title 45, Code of Federal Regulations.  American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, Div. A, Title XIII and Div. B, Title IV, the Health Information Technology for Economic and Clinical Health Act, Section 13424(c).
[2] Standard: De-identification of protected health information.  Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.  42 C.F.R. 164.514(b).
[3] 45 C.F.R. § 164.514(b)(1).
[4] 45 C.F.R. § 164.514(b)(2)(C).