We considered defining “individually identifiable health information” as any information that is not anonymous, that is, for which there is any possibility of identifying the subject. We rejected this option, for several reasons. First, the statute suggests a different approach. The term “individually identifiable health information” is defined in HIPAA as health information that:
... identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
By including the modifier “reasonable basis,” Congress appears to reject the absolute approach to defining “identifiable.” Covered entities would not always have the statistical sophistication to know with certainty when sufficient identifying information has been removed so that the record is no longer identifiable. We believe that covered entities need more concrete guidance as to when information will and will not be “identifiable” for purposes of this regulation.
Defining non-identifiable to mean anonymous would require covered entities to comply with the terms of this regulation with respect to information for which the probability of identification of the subject is very low. We want to encourage covered entities and others to remove obvious identifiers or encrypt them whenever possible; use of the absolute definition of “identifiable” would not promote this salutary result.
For these reasons, we propose at § 164.506(d)(2)(ii) that there be a presumption that, if specified identifying information is removed and if the holder has no reason to believe that the remaining information can be used by the reasonably anticipated recipients alone or in combination with other information to identify an individual, then the covered entity would be presumed to have created de-identified information.
At the same time, in proposed § 164.506(d)(2)(iii), we are leaving leeway for more sophisticated data users to take a different approach. We are including a “reasonableness” standard so that entities with sufficient statistical experience and expertise could remove or code a different combination of information, so long as the result is still a low probability of identification. With this approach, our intent is to provide certainty for most covered entities, while not limiting the options of more sophisticated data users.
In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. See proposed § 164.506(d)(1). This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information.
We invite comment on the approach that we are proposing and on whether alternative approaches to standards for entities determining when health information can reasonably be considered no longer individually identifiable should be considered.