Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. De-identification of Information

12/28/2000

The rule allows covered entities to determine that health information is de-identified (i.e., that it is not individually identifiable health information) if certain conditions are met. Currently, some entities release de-identified information for research purposes. De-identified information may originate from automated systems (such as records maintained by pharmacy benefit managers) and non-automated systems (such as individual medical records maintained by providers). As compared with current practice, the rule requires that an expanded list of identifiers be removed for the data (such as driver's license numbers, and detailed geographic and certain age information). For example, as noted in a number of public comments, currently complete birth dates (day, month, and year) and zip codes are often included in de-identified information. The final rule requires that only the year of birth (except in certain circumstances) and the first three digits of the zip code can be included in de-identified information.

These changes will not require extensive change from current practice. Providers generally remove most of the 19 identifiers listed in the final rule. The Department relied on Gartner Group estimates that some additional programmer time will be required by covered entities that produce de-identified information to make revisions in their procedures to eliminate additional identifiers. Entities that de-identify information will have to review existing and future data flows to assure compliance with the final rule. For example, an automated system may need to be re-programmed to remove additional identifiers from otherwise protected health information. (The costs of educating staff about the de-identification requirements are included in the cost estimate for training staff on privacy policies.)

The Department was not able to obtain any reliable information on the volume of medical data that is currently de-identified. To provide some measure of the potential magnitude, we assumed that health plans and hospitals would have an average of two existing agreements that would need to be reviewed and modified. Based on information provided by our consultants, we estimate that these agreements would require an average of 152 hours by hospitals and 116 hours by health plans to review and revise existing agreements to conform to the final rule. Using the weighted average wage of $47.28, the initial costs will be $124 million. Using our standard growth rates for wages, patients, and covered entities, the total cost of the provision is $1.1 billion over ten years.

The Department expects that the final rule and the increasing trend toward computerization of large record sets will result over time in de-identification being performed by relatively few firms or associations. Whether the covered entity is a small provider with relatively few files or a hospital or health plan with large record files, it will be more efficient to contract with specialists in these firms or associations (as "business associates" of the covered entity) to de-identify files. The process will be different but the ultimate cost is likely to be the same or only slightly higher, if at all, than the costs for de-identification today. The estimate is for the costs required to conform existing and future agreements to the provisions of the rule. The Department has not quantified the benefits that might arise from changes in the market for de-identified information because the centralization and efficiency that will come from it will not be fully realized for several years, and we do not have a reliable means of estimating such changes.