Data Anonymization under HIPAA
HIPAA explicitly allows for the de-identification of PHI and prescribes two methods to carry it out. Once data has been de-identified by one of these methods, it is no longer PHI, and HIPAA does not govern how it is used or where it is shared.
The two methods HIPAA defines for de-identification of PHI are:
- Expert Determination. A “person with appropriate knowledge of and experience” determines that the risk of re-identification of PHI is very small.
- Safe Harbor. Data that identifies an individual is removed from the records. The list of data items that need to be removed is defined by HIPAA and can be found on this page.
HIPAA also allows for the re-identification of de-identified data. The means, or any unique coding or algorithms, used to re-identify data cannot be shared. If those are shared, it is a violation of HIPAA. In essence, the means of re-identification needs to be handled like PHI.
Business associates, increasingly technology companies that support covered entities, cannot de-identify data unless it is explicitly allowed in business associate agreements. This is often a point of contention in negotiations between technology companies and covered entities.
There are prescribed methods to de-identify PHI and, once data is de-identified, HIPAA does not apply anymore. If you’re a business associate, check your BAA.