HIPAA Compliance: The Pitfalls of PHI De-Identification & How to Avoid Them

In 2016, the Australian government released medical billing records of 2.9 million people. They tried to protect patient privacy by removing names and other identifying data. But it didn’t work. Shortly after the data was released, a University of Melbourne research team was able to easily “re-identify” people, without decryption, simply by comparing the released dataset to other publicly available information, such as medical procedures and year of birth.

While it happened on the opposite side of the globe, the Australia case is directly relevant to US labs to the extent it demonstrates the weaknesses of de-identification and how relying on it can cause privacy breaches that violate HIPAA and, more importantly, jeopardize the lab’s relationships with healthcare partners and patients.

Lab Obligations under HIPAA
HIPAA limits the collection, use and disclosure of personal health information to specific purposes such as:

• Coordinating information about care and treatment;
• Providing information to patients’ family, significant others or friends who are directly involved in their treatment;
• Assessing the quality of care provided by the doctor or healthcare facility;
• Furnishing information requested by law enforcement or other government and public agencies for prescribed purposes.

HIPAA doesn’t protect all health information, only personally identifiable information, i.e., information that directly or indirectly reveals the person’s identity. HIPAA provides two ways for labs to “de-identify” information before sharing it for uses such as research:

• The “Expert Determination” method in which a statistician or other person with appropriate training verifies that enough identifiers have been removed that the risk of identification of the individual is very small; or
• The “Safe Harbor” method that requires removal of 18 specified identifiers.

The Risks of Re-Identification
Currently, the risks of re-identification are minimal for labs fully complying with HIPAA regulations, says Adam Greene, partner with Davis Wright Tremaine. Labs without systems that are fully complaint with HIPAA, however, have greater re-identification risks, says David Gee, also a partner with Davis Wright Tremaine. For example, if data is used internally and a lab substitutes “common sense lay definitions” to de-identify instead of complying with HIPAA rules, it may be subjecting itself to potential liability.

But as big data evolves, risks may increase because re-identification of patients from de-identified data using other publicly available information will get easier. This is particularly true of the HIPAA De-Identification Safe Harbor which doesn’t apply even if a lab strips out all 18 identifiers to the extent it has “knowledge” that someone can re-identify patients from the data, says attorney Kate Stewart of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.  Labs may need to ensure that data is de-identified under the Safe Harbor can’t be combined with other data sets to re-identify patients, she says, and frequently reevaluate those findings.

Takeaway: How to Protect Yourself
The ability to mine big data and combine it with other data sets is constantly evolving. Labs must be constantly aware that what may have been adequate to de-identify patients in the past may not work today. Steps labs can take to minimize re-identification risk:

• Making sure security and privacy officers are well trained, experienced and know how to get whatever help or guidance they need;
• Continually re-evaluating the processes in place to de-identify data;
• Relying on the Expert Determination method instead the Safe Harbor method to remove the re-identification knowledge risks;
• When relying on the Expert Determination method, getting the data recertified as frequently as necessary to maintain the right to disclose, e.g., every three years.