NRPM: Standards for Privacy of Individually Identifiable Health Information. 4. Creation of de-identified information. (164.506(d))


In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. See proposed § 164.506(d)(1). This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information.

In some instances, covered entities creating de-identified health information could want to use codes or identifiers to permit data attributable to the same person to be accumulated over time or across different sources of data. For example, a covered entity could automatically code all billing information as it enters the system, substituting personal identifiers with anonymous codes that permit tracking and matching of data but do not permit people handling the data to create protected health information. Such a mechanism would be permissible as long as the key to unlocking the codes is not available to the people working with the de-identified information, and the entity otherwise makes no attempt to create protected health information from the de-identified information.

There are many instances in which such individually identifiable health information is stripped of the information that could identify individual subjects and is used for analytical, statistical and other related purposes. Large data sets of de-identified information can be used for innumerable purposes that are vital to improving the efficiency and effectiveness of health care delivery, such as epidemiological studies, comparisons of cost, quality or specific outcomes across providers or payers, studies of incidence or prevalence of disease across populations, areas or time, and studies of access to care or differing use patterns across populations, areas or time. Researchers and others often obtain large data sets with de-identified information from providers and payers (including from public payers) to engage in these types of studies. This information is valuable for public health activities (e.g., to identify cost-effective interventions for a particular disease) as well as for commercial purposes (e.g., to identify areas for marketing new health care services).

We intend that this proposed provision will permit the important health care research that is being conducted today to continue under this rule. Indeed, it would be our hope that covered entities, their business partners, and others would make greater use of de-identified health information than they do today, when it is sufficient for the research purpose. Such practice would reduce the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes. The selective transfer of health information without identifiers into an analytic database would significantly reduce the potential for privacy violations while allowing broader access to information for analytic purposes, without the overhead of audit trails and IRB review. For example, providing de-identified information to a pharmaceutical manufacturer to use in determining patterns of use of a particular pharmaceutical by general geographic location would be appropriate, even if the information were sold to the manufacturer. Such analysis using protected health information would be research and therefore would require individual authorization or approval by an IRB or similar board. We note that data that includes an individual’s address is “identifiable” by definition and could not be used in such databases.

We invite comment on the approach that we are proposing and on whether alternative approaches to standards for entities determining when health information can reasonably be considered no longer individually identifiable.