This page provides guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The guidance explains and answers questions regarding the two methods that can be used to satisfy the Privacy Rule’s de-identification standard: Expert Determination and Safe Harbor. This guidance is intended to assist covered entities in understanding what de-identification is, the general process by which de-identified information is created, and the options available for performing de-identification.
In developing this guidance, the Office for Civil Rights (OCR) solicited input from stakeholders with practical, technical and policy experience in de-identification. OCR convened stakeholders at a workshop consisting of multiple panel sessions held March 8-9, 2010, in Washington, DC. Each panel addressed a specific topic related to the Privacy Rule’s de-identification methodologies and policies. The workshop was open to the public and each panel was followed by a question and answer period. Read more on the Workshop on the HIPAA Privacy Rule’s De-Identification Standard, and read the full guidance.
45 CFR 164.501, 164.508, 164.512(i) (See also 45 CFR 164.514(e), 164.528, 164.532)
The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as, “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” See 45 CFR 164.501. A covered entity may always use or disclose for research purposes health information which has been de-identified (in accordance with 45 CFR 164.502(d), and 164.514(a)-(c) of the Rule) without regard to the provisions below.
Protecting public health, including through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities, often requires access to or the reporting of the protected health information of individuals. This information is used to identify, monitor, and respond to disease, death, and disability among populations.
The Privacy Rule recognizes the legitimate need for public health authorities and certain others to have access to protected health information for public health purposes and the importance of public health reporting by covered entities to identify threats to the public and individuals. Thus, the Privacy Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
Emergency Situations: Preparedness, Planning, and Response
The Privacy Rule protects individually identifiable health information from uses and disclosures that unnecessarily compromise the privacy of an individual. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.
These pages address the release of protected health information for planning or response activities in emergency situations. In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.
Health Information Technology
Health information technology (health IT) involves the exchange of health information in an electronic environment. Widespread use of health IT will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of health information be ensured as this information is maintained and transmitted electronically.
The Privacy Rule’s established baseline of privacy protections and individual rights with respect to individually identifiable health information supports the use of health IT and provides important protections in this area. The Security Rule supports the adoption of new health information technologies while setting standards to ensure appropriate protection of electronic protected health information.
The Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008. GINA prohibits discrimination in health coverage and employment based on genetic information.
GINA requires modifications to the Privacy Rule to clarify that genetic information is a type of health information and to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
Information is Powerful Medicine: HIV and HIPAA
Living with HIV requires being active in your medical care – making decisions with your doctor, tracking your progress, and doing everything you can to be healthy. With HIV, you also may have concerns about keeping your status private.
Whether your health information is stored on paper or electronically, you’ve got the right to keep it private. Those rights are protected by HIPAA. HIPAA also gives you other important rights, including the right to a copy of your medical record.
HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS)
On January 16, 2013, President Barack Obama announced a series of Executive Actions to reduce gun violence in the United States, including efforts to improve the Federal government’s background check system for the sale or transfer of firearms by licensed dealers, called the National Instant Criminal Background Check System (NICS). Among those persons disqualified from possessing or receiving firearms are individuals who are subject to a Federal “mental health prohibitor” because they have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others or being incapable of managing their own affairs.
HHS Strengthens Patients’ Right to Access Lab Test Reports
The Department of Health and Human Services (HHS) has taken action to give patients or a person designated by the patient a means of direct access to the patient’s completed laboratory test reports. The final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative,” access to the patient’s completed test reports on the patient’s or patient’s personal representative’s request. At the same time, the final rule eliminates the exception under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to an individual’s right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory. While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.
Guidance on HIPAA, Same-sex Marriage, and Sharing Information with Patients’ Loved Ones
The HIPAA Privacy Rule recognizes the integral role that a spouse often plays in a patient’s health and health care. Consistent with the Supreme Court decision in Obergefell v. Hodges, OCR has issued guidance that makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages (whether same-sex or opposite-sex), lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule.
OCR Invites Developers to Ask Questions about HIPAA Privacy and Security
OCR launched a platform for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy protection. Use this site to help OCR understand what guidance on HIPAA regulations would be helpful.
HIPAA Related Links
The HIV/AIDS Bureau of the Health Resources and Services Administration (HRSA) developed “Protecting Health Information Privacy and Complying with Federal Regulations.” The guide highlights provisions of the Privacy Rule that are especially relevant to Ryan White Comprehensive AIDS Resources Emergency (CARE) Act grantees.
HIPAA and the FTC Act
Training solutions include the gold standard HIPAA credential, Certified HIPAA Professional (CHP), and the world’s first compliance and cyber security credential, Certified Security Compliance Specialist (CSCS).
ecfirst is a HITRUST Authorized CSF Assessor.
Many clients engage ecfirst extensively for flexible services that range from on-demand consulting to managed compliance services programs covering training, policies, remediation, risk assessment, technical vulnerability assessments, penetration testing and much more.