NRPM: Standards for Privacy of Individually Identifiable Health Information. d. Creation of de-identified information.


In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information. See proposed § 164.506(d)(1).

As with other components of this proposed rule, removal of identifiers from data could be scaled. Small entities without the resources to determine at what point information is truly de-identified could remove the full list of possible identifiers listed in this regulation. Unless they have reason to believe that the information could still be linked to an individual, this proposed requirement would be fulfilled. However, larger, more sophisticated entities could choose to determine independently what information needs to be removed.

Furthermore, efforts to remove identifiers from information would be optional. If an entity believes that removing identifiers would be excessively burdensome, it could choose not to release the information or to obtain an authorization from individuals before releasing any information.