This provision is discussed in Section II.C.6.
19. Individually identifiable health information. We would define “individually identifiable health information” as it is defined in section 1171(6) of the Act. While the definition of individually identifiable health information does not expand on the statutory definition, we recognize that the issue of how the identifying characteristics can be removed from such information (referred to in this rule as de-identification) presents difficult operational issues. Accordingly, we propose in §164.506(d) an approach for de-identifying identifiable information, along with restrictions designed to ensure that de-identified information is not used inappropriately.
The privacy standards would apply to “individually identifiable health information,” and not to information that does not identify the individual. We are aware that, even after removing obvious identifiers, there is always some probability or risk, however remote, that any information about an individual can be attributed. A 1997 MIT study showed that, because of the public availability of the Cambridge, Massachusetts voting list, 97 percent of the individuals in Cambridge whose data appeared in a data base which contained only their nine digit zip code and birth date could be identified with certainty.[1] Their information had been “de-identified” (some obvious identifiers had been removed) but it was not anonymous (it was still possible to identify the individual).
It is not always obvious when information identifies the subject. If the name and identifying numbers (e.g., SSN, insurance number, etc.) are removed, a person could still be identified by the address. With the address removed, the subject of a medical record could be identified based on health and demographic characteristics (e.g., age, race, diagnosis). “Identifiability” varies with the location of the subject; there could be hundreds of people in Manhattan who have the same age, race, gender, and diagnosis, but only one such person in a small town or rural county. Gauging the risk of identification of information requires statistical experience and expertise that most covered entities will not possess.
Obvious identifiers on health information could be replaced with random numbers or encrypted codes, which can prevent the person using the record from identifying the subject, but which allow the person holding the code to re-identify the information. Information with coded or encrypted identifiers would be considered “de-identified” but not “anonymous,” because it is still possible for someone to identify the subject.
We considered defining “individually identifiable health information” as any information that is not anonymous, that is, for which there is any possibility of identifying the subject. We rejected this option, for several reasons. First, the statute suggests a different approach. The term “individually identifiable health information” is defined in HIPAA as health information that “... identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” By including the modifier “reasonable basis,” Congress appears to reject the absolute approach to defining “identifiable.”
Second, covered entities may not have the statistical sophistication to know with certainty when sufficient identifying information has been removed so that the record is no longer identifiable. We believe that covered entities need more concrete guidance as to when information will and will not be “identifiable” for purposes of this regulation.
Finally, defining non-identifiable to mean anonymous would require covered entities to comply with the terms of this regulation with respect to information for which the probability of identification of the subject is very low. We want to encourage covered entities and others to remove obvious identifiers or encrypt them whenever possible; use of the absolute definition of “identifiable” would not promote this salutary result.
For these reasons, we propose at § 164.506(d)(2)(ii) that there be a presumption that, if specified identifying information is removed and if the holder has no reason to believe that the remaining information can be used by the reasonably anticipated recipients alone or in combination with other information to identify an individual, then the covered entity is presumed to have created de-identified information.
At the same time, in proposed § 164.506(d)(2)(iii), we would leave leeway for more sophisticated data users to take a different approach. We would include a “reasonableness” standard so that entities with sufficient statistical experience and expertise could remove or code a different combination of information, so long as the result is still a low probability of identification. With this approach, our intent is to provide certainty for most covered entities, while not limiting the options of more sophisticated data users.
In § 164.504, we propose to define “individually identifiable health information” to mean health information created or received by a health care provider, health plan, employer or health care clearinghouse, that could be used directly or indirectly to identify the individual who is the subject of the information. Under proposed § 164.506(d)(2)(ii), information would be presumed not to be “identifiable” if:
- all of the following data elements have been removed or otherwise concealed: name; address, including street address, city, county, zip code, or equivalent geocodes; names of relatives and employers; birth date; telephone and fax numbers; e-mail addresses; social security number; medical record number; health plan beneficiary number; account number; certificate/license number; any vehicle or other device serial number; web URL; Internet Protocol (IP) address; finger or voice prints; photographic images; and any other unique identifying number, characteristic, or code (whether generally available in the public realm or not) that the covered entity has reason to believe may be available to an anticipated recipient of the information, and
- the covered entity has no reason to believe that any reasonably anticipated recipient of such information could use the information alone, or in combination with other information, to identify an individual.
Thus, to create de-identified information, entities that had removed the listed identifiers would still have to remove additional data elements if they had reason to believe that a recipient could use the remaining information, alone or in combination with other information, to identify an individual. For example, if the “occupation” field is left intact and the entity knows that a person’s occupation is sufficiently unique to allow identification, that field would have to be removed from the relevant record. The presumption does not allow use or disclosure if the covered entity has reason to believe the subject of the information can be re-identified. Our concern with the potential for re-identification is heightened by our limited jurisdiction under HIPAA. Because we can only regulate health care providers, health plans and health care clearinghouses, we cannot prohibit other recipients of de-identified information from attempting to re-identify it.
To assist covered entities in ascertaining whether their attempts to create de-identified information would be successful, the Secretary would from time to time issue guidance establishing methods that covered entities could use to determine the identifiability of information. This guidance would include information on statistical and other tests that could be performed by covered entities in assessing whether they have created de-identified information. The manner in which such guidance would be published and distributed will be addressed in the final regulation. We solicit comment on the best ways in which to inform covered entities of appropriate and useful information on methods that they can use to determine whether information is de-identified.
In enforcing this regulation, the Secretary would consider the sophistication of covered entities when determining whether a covered entity had reason to believe that information that it had attempted to de-identify continued to identify the subject. Covered entities that routinely create and distribute de-identified data would be expected to be aware of and to use advanced statistical techniques, including the guidance issued by the Secretary, to ensure that they are not improperly disclosing individually identifiable health information. Covered entities that rarely create de-identified information would not be expected to have the same level of knowledge of these statistical methods, and generally could rely on the presumption that information from which they have removed the listed identifiers (and provided that they do not know that the information remains identifiable) is de-identified. We solicit comment on whether the enforcement approach that we are suggesting here and our overall approach relating to the creation of de-identified information would provide sufficient guidance to covered entities to permit them to create, use and disclose de-identified information.
In addition, we propose to permit entities with appropriate statistical experience and expertise (obtained through a statistical consultant or staff with statistical expertise) to decide that some of the above named data elements could be retained in the de-identified data set if: (1) the entity determines that the probability of identifying an individual with the remaining information is very low, or (2) the entity has converted the “identifiable” data elements into data elements that, in combination with the remaining information, have a very low probability of being used to identify an individual. An example of such a conversion would be the translation of birth date into age expressed in years or, if still determined to convey “identifiability,” age expressed in categories of years (e.g., age 18 to 24). In making these determinations, the entity must consider the data elements taken together as well as any additional information that might reasonably be available to a recipient. Examples of the types of entities that would have the statistical experience and expertise to make this type of judgment include large health research institutions such as medical schools with epidemiologists and statisticians on the faculty; federal agencies such as the National Center for Health Statistics, the Agency for Health Care Policy and Research, FDA, the Bureau of the Census, and NIH; and large corporations that do health research such as pharmaceutical manufacturers with epidemiologists and statisticians on staff.
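The two steps described above (removing the listed data elements, then checking whether what remains still singles someone out) can be sketched as follows. This is an added illustration, not part of the proposed rule or of any guidance from the Secretary; the field names, the age categories other than 18 to 24, the sample records and the group-size threshold `k` are all assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Hypothetical field names standing in for the data elements listed in
# proposed § 164.506(d)(2)(ii); a real schema needs its own mapping.
LISTED_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip_code", "relatives",
    "employer", "birth_date", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "device_serial", "url", "ip_address",
}
# Assumed age categories; the text gives only "age 18 to 24" as an example.
AGE_BANDS = [(0, 17), (18, 24), (25, 44), (45, 64), (65, None)]
AS_OF = date(2000, 1, 1)  # constructed reference date for computing age


def age_band(birth_date, as_of):
    """Convert a birth date into an age category expressed in years."""
    age = as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day))
    for low, high in AGE_BANDS:
        if high is None and age >= low:
            return f"{low}+"
        if high is not None and low <= age <= high:
            return f"{low}-{high}"
    raise ValueError(f"birth date {birth_date} is after {as_of}")


def deidentify(record, as_of):
    """Drop the listed identifiers; keep birth date only as an age category."""
    out = {k: v for k, v in record.items() if k not in LISTED_IDENTIFIERS}
    if "birth_date" in record:
        out["age_band"] = age_band(record["birth_date"], as_of)
    return out


def small_groups(records, fields, k):
    """Indexes of records whose values for `fields` are shared by fewer
    than k records, i.e. the records the remaining fields could single out."""
    def key(r):
        return tuple(r.get(f) for f in fields)
    sizes = Counter(key(r) for r in records)
    return [i for i, r in enumerate(records) if sizes[key(r)] < k]


def release_fields(records, fields, k):
    """Greedy suppression: repeatedly drop the field whose removal leaves
    the fewest flagged records, until no group is smaller than k."""
    kept = list(fields)
    while kept and small_groups(records, kept, k):
        drop = min(kept, key=lambda f: len(
            small_groups(records, [x for x in kept if x != f], k)))
        kept.remove(drop)
    return kept


# Constructed sample records; every value is invented for the example.
SAMPLE = [
    {"name": "Patient A", "ssn": "000-00-0001", "zip_code": "00001",
     "birth_date": date(1978, 5, 10), "gender": "F",
     "diagnosis": "asthma", "occupation": "teacher"},
    {"name": "Patient B", "ssn": "000-00-0002", "zip_code": "00001",
     "birth_date": date(1980, 2, 20), "gender": "F",
     "diagnosis": "asthma", "occupation": "teacher"},
    {"name": "Patient C", "ssn": "000-00-0003", "zip_code": "00001",
     "birth_date": date(1976, 11, 30), "gender": "F",
     "diagnosis": "asthma", "occupation": "mayor"},
    {"name": "Patient D", "ssn": "000-00-0004", "zip_code": "00002",
     "birth_date": date(1950, 7, 4), "gender": "M",
     "diagnosis": "diabetes", "occupation": "farmer"},
    {"name": "Patient E", "ssn": "000-00-0005", "zip_code": "00002",
     "birth_date": date(1948, 1, 15), "gender": "M",
     "diagnosis": "diabetes", "occupation": "farmer"},
]

if __name__ == "__main__":
    clean = [deidentify(r, AS_OF) for r in SAMPLE]
    fields = ["age_band", "gender", "diagnosis", "occupation"]
    print("singled out with occupation kept:", small_groups(clean, fields, 2))
    print("fields safe to release at k=2:", release_fields(clean, fields, 2))
```

A check of this kind only measures uniqueness within the data set itself, so it understates risk wherever a recipient holds outside information; the proposal requires that combination to be considered as well, and it sets no numeric threshold.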
An important component of this approach to defining “identifiable” would be the prohibition on re-identification of health information. We propose that a covered entity that is a recipient of de-identified information who attempts to re-identify such de-identified information for a purpose for which protected health information could not be used or disclosed under this rule be deemed to be in violation of the law. See proposed § 164.506(d) and section II.C. below. There may be circumstances, however, when recipients of de-identified information will have a legitimate reason to request that the de-identified information be re-identified by the originating covered entity. For example, if a researcher received de-identified information from a covered entity and the research revealed that a particular patient was misdiagnosed, the covered entity should be permitted to re-identify the patient’s health information so that the patient could be informed of the error and seek appropriate care. One of the principal reasons entities retain information in coded form, rather than rendering it anonymous, is to enable re-identification of the information for appropriate reasons. Although we would anticipate that the need for re-identification would be rare, entities that expect to have to perform this function should establish a process for determining when re-identification is appropriate. Once covered entities re-identify information, it becomes protected information and may, therefore, be used and disclosed only as permitted by this regulation.
The phrase “individually identifiable” information is already in use by many HHS agencies and others. In particular, the Common Rule regulation includes “identifiable private information” in its definition of “human subject.” Because of this, medical records research on “identifiable private information” is subject to Common Rule consent and IRB review requirements. It would not be our intent to suggest changes to this practice. Researchers and others can and are encouraged to continue to use more stringent approaches to protecting information.
We invite comment on the approach that we are proposing and on alternative approaches to standards for covered entities to determine when health information can reasonably be considered no longer individually identifiable.
20. Law enforcement official. We propose a new definition of "law enforcement official," to mean an officer of the United States or a political subdivision thereof, who is empowered by law to conduct an investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or a criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.
21. Payment. We offer a new definition of payment. The term “payment” would mean activities undertaken by a health plan (or by a business partner on behalf of a health plan) to determine its responsibilities for coverage under the health plan policy or contract including the actual payment under the policy or contract, or by a health care provider (or by a business partner on behalf of a provider) to obtain reimbursement for the provision of health care, including:
- determinations of coverage, improving payment methodologies or coverage policies, or adjudication or subrogation of claims;
- risk adjusting payments based on enrollee health status and demographic characteristics;
- billing, claims management, medical review, medical data processing;
- review of health care services with respect to medical necessity, coverage under a health plan policy or contract, appropriateness of care, or justification of charges; and,
- utilization review activities, including pre-certification and preauthorization of services.
Our proposed definition is intended to capture the necessary sharing of protected health information among health care providers who provide care, health plans and other insurers who pay for care, their business partners, as well as sponsors of group health plans, such as employers, who pay for care and sometimes provide administrative services in conjunction with health plan payment activities. For example, employers sometimes maintain the eligibility file with respect to a group health plan.
Our proposed definition anticipates that protected health information would be used for payment purposes within entities, would be shared with business partners, and in most cases would be shared between health care providers and health plans (and their business partners). In some cases, a payment activity could result in the disclosure of protected health information by a plan to an employer or to another payer of health care, or to an insurer that is not a covered entity, such as for coordination of benefits or to a workers compensation carrier. For example, a health plan could disclose protected health information to an employer in connection with determining the experience rate for group coverage.
We are concerned that disclosures for payments may routinely result in disclosures of protected health information to non-covered entities, such as employers, which are not subject to the use and disclosure requirements of this rule. We considered prohibiting disclosures to employers without individual authorization, or alternatively, requiring a contractual relationship, similar to the contracts required for business partners, before such disclosures could occur. We note that the National Committee on Quality Assurance has adopted a standard for the year 2000 that would require health plans to “have policies that prohibit sending identifiable personal health information to fully insured or self-insured employers and provide safeguards against the use of information in any action relating to an individual” (Standard R.R.6, National Committee for Quality Assurance 2000 Standards).
We did not adopt either of these approaches, however, because we were concerned that we might disrupt some beneficial activities if we were to prohibit or place significant conditions on disclosures by health plans to employers. We also recognize that employers are paying for health care in many cases, and it has been suggested to us that they may need access to claims and other information for the purposes of negotiating rates, quality improvement and auditing their plans and claims administrators. We invite comment on the extent to which employers currently receive protected health information about their employees, for what types of activities protected health information is received, and whether any or all of these activities could be accomplished with de-identified health information. We also invite other comments on how disclosures to employers should be treated under this rule.
22. Protected health information. We would create a new definition of “protected health information” to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For example, protected health information would remain protected after it is read from a computer screen and discussed orally, printed onto paper or other media, photographed, or otherwise duplicated. We note that individually identifiable health information created or received by an employer as such would not be considered protected health information, although such information created or received by an employer in its role as a health plan or provider would be protected health information.
Under this definition, information that is “electronically transmitted” would include information exchanged with a computer using electronic media, even when the information is physically moved from one location to another using magnetic or optical media (e.g., copying information from one computer to another using a floppy disc). Transmissions over the Internet (i.e., open network), Extranet (i.e., using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks would all be included. Telephone voice response and “faxback” (i.e., a request for information from a computer made via voice or telephone keypad input with the requested information returned as a fax) systems would be included because these are computer output devices similar in function to a printer or video screen. This definition would not include “paper-to-paper” faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail. The key concept that determines if a transmission meets the definition is whether the source or target of the transmission is a computer. The medium or the machine through which the information is transmitted or rendered is irrelevant.
Also, information that is “electronically maintained” would be information stored by a computer or on any electronic medium from which the information may be retrieved by a computer. These media include, but are not limited to, electronic memory chips, magnetic tape, magnetic disk, or compact disc (CD) optical media.
Individually identifiable health information that is part of an “education record” governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, would not be considered protected health information. Congress specifically addressed such information when it enacted FERPA to protect the privacy rights of students and parents in educational settings. FERPA applies to educational records that are maintained by educational agencies and institutions that are recipients of federal funds from the Department of Education. FERPA requires written consent of the parent or student prior to disclosure of education records except in statutorily specified circumstances. We do not believe that Congress intended to amend or preempt FERPA in enacting HIPAA.
Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities would be excluded from this definition because unimpeded sharing of inmate identifiable health information is crucial for correctional and detention facility operations. In a correctional or detention setting, prison officials are required by law to safely house and provide health care to inmates. These activities require the use and disclosure of identifiable health information. Therefore, correctional and detention facilities must routinely share inmate health information among their health care and other components, as well as with community health care facilities. In order to maintain good order and protect the well-being of prisoners, the relationship between such facilities and inmates or detainees involves a highly regulated, specialized area of the law which has evolved as a carefully balanced compromise with due deference to institutional needs and obligations.
Federal and other prison facilities routinely share health information with community health care facilities in order to provide medical treatment to persons in their custody. It is not uncommon for inmates and detainees to be transported from one facility to another, for example, for the purpose of making a court appearance in another jurisdiction, or to obtain specialized medical care. In these and other circumstances, law enforcement agencies such as the Federal Bureau of Prisons (the Bureau), the United States Marshals Service (USMS), the Immigration and Naturalization Service, State prisons, county jails, and U.S. Probation Offices, share identifiable health information about inmates and detainees to ensure that appropriate health care and supervision of the inmate or detainee is maintained. Likewise, these agencies must, in turn, share health information with the facility that resumes custody of the inmate or detainee.
Requiring an inmate’s or detainee’s authorization for disclosure of identifiable health information for day-to-day operations would represent a significant shift in correctional and detention management philosophy. If correctional and detention facilities were covered by this rule, the proposed provisions for individual authorizations could potentially be used by an inmate or detainee to override the safety and security concerns of the correctional/custodial authority; for example, an inmate being sent out on a federal writ could refuse to permit the Bureau to disclose a suicide history to the USMS. Additionally, by seeking an authorization to disclose the information, staff may give the inmate or detainee advance notice of an impending transfer, which in turn may create security risks.
Therefore we propose to exclude the individually identifiable health information of inmates of correctional facilities and detainees in detention facilities from the definition of protected health information. We note that existing federal laws limiting the disclosure and release of information (e.g., FOIA/Privacy Act) protect the privacy of identifiable federal inmate health information. Subject to certain limitations, these laws permit inmates and detainees to obtain and review a copy of their medical records and to correct inaccurate information.
Under this approach, the identifiable health information held by correctional and detention facilities of persons who have been released would not be protected. The facilities require continued access to such information for security, protection and health care purposes because inmates and detainees are frequently readmitted to correctional and detention facilities. However, concern has been expressed about the possibility that absent coverage by this proposed rule, correctional and detention facilities may disclose information about former inmates and detainees without restriction. We therefore request comments on whether identifiable health information held by correctional and detention facilities about former inmates and detainees should be subject to this rule, and the potential security concerns and burden such a requirement might place on these facilities.
23. Psychotherapy notes. We would define “psychotherapy notes” to mean detailed notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. Such notes are used only by the therapist who wrote them, maintained separately from the medical record, and not involved in the documentation necessary for health care treatment, payment, or operations. Such term would not include medication prescription and monitoring, counseling session start and stop times or the modalities and frequencies of treatment furnished, results of clinical tests, or a brief summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.
24. Public health authority. We would define “public health authority” as an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.
25. Research. We would define "research" as a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. We further explain that “generalizable knowledge” is knowledge related to health that can be applied to populations outside of the population served by the covered entity.
This is the definition of "research" in the federal regulation that protects human subjects, entitled The Federal Policy for the Protection of Human Subjects (often referred to as the "Common Rule," at 45 CFR part 46). This definition is well understood in the research community and elsewhere, and we propose to use it here to maintain consistency with other federal regulations that affect research.
26. Research information unrelated to treatment. We would define "research information unrelated to treatment" as information that is received or created by a covered entity in the course of conducting research for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care[2], and with respect to which the covered entity has not requested payment from a health plan.
27. Treatment. We would define “treatment” to mean the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers, or the referral of an individual from one provider to another, or coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. Our definition is intended to relate only to services provided to an individual and not to an entire enrolled population.
28. Use. We would propose a new definition of the term “use” to mean the employment, application, utilization, examination or analysis of health information within an entity that holds the information.
29. Workforce. We would define “workforce” to mean employees, volunteers, trainees and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.