Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. General Approach


Comments: The comments on this topic almost unanimously supported the concept of de-identification and efforts to expand its use. Although a few comments suggested deleting one or the other of the proposed methods, most appeared to support the two-method approach for entities with differing levels of statistical expertise.

Many of the comments argued that the standard for creation of de-identified information should be whether there is a "reasonable basis to believe" that the information has been de-identified. Others suggested that the "reasonable basis" standard was too vague.

A few commenters suggested that we consider information to be de-identified if all personal identifiers that directly reveal the identity of the individual or provide a direct means of identifying individuals have been removed, encrypted or replaced with a code. Essentially, this recommendation would require only removal of "direct" identifiers (e.g., name, address, and ID numbers) and allow retention of all "indirect" identifiers (e.g., zip code and birth date) in "de-identified" information. These comments did not suggest a list or further definition of what identifiers should be considered "direct" identifiers.

Some commenters suggested that the standard be modified to reflect a single standard that applies to all covered entities in the interest of reducing uncertainty and complexity. According to these comments, the standard for covered entities to meet for de-identification of protected health information should be generally accepted standards in the scientific and statistical community, rather than focusing on a specified list of identifiers that must be removed.

A few commenters believed that no record of information about an individual can be truly de-identified and that all such information should be treated and protected as identifiable because more and more information about individuals is being made available to the public, such as voter registration lists and motor vehicle and driver's license lists, that would enable someone to match (and identify) records that otherwise appear to be not identifiable.

Response: In the final rule, we reformulate the method for de-identification to more explicitly use the statutory standard of "a reasonable basis to believe that the information can be used to identify the individual": just as information is "individually identifiable" if there is a reasonable basis to believe that it can be used to identify the individual, it is "de-identified" if there is no reasonable basis to believe it can be so used. We also define more precisely how the standard should be applied.

We did not accept comments that suggested that we allow only one method of de-identifying information. We find support for both methods in the comments but find no compelling logic for how the competing interests could be met cost-effectively with only one method.

We also disagree with the comments that advocated using a standard which required removing only the direct identifiers. Although such an approach may be more convenient for covered entities, we judged that the resulting information would often remain identifiable, and its dissemination could result in significant violations of privacy. While we encourage covered entities to remove direct identifiers whenever possible as a method of enhancing privacy, we do not believe that the resulting information is sufficiently blinded as to permit its general dissemination without the protections provided by this rule.
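The point made in the paragraph above, that information stripped only of direct identifiers often remains identifiable because the retained indirect identifiers (zip code and birth date) can be matched against public lists such as voter registration lists, can be shown directly. What follows is an added example and is not part of the rule text or of any HHS guidance: the clinical extract, the voter list and the names in it are constructed, and the generalization step at the end (keeping a zip prefix and birth year only) is an assumed illustration of coarsening indirect identifiers, not a transformation the preamble prescribes.

```python
"""Linkage attack on a record set from which only direct identifiers were removed.

Added example, not from the HIPAA preamble. Every record below is constructed.
"""
from collections import Counter

# Indirect identifiers retained in the released extract (the preamble's examples).
QUASI_IDENTIFIERS = ("zip", "dob")

# Constructed "de-identified" extract: name, address and ID numbers removed,
# zip code and birth date kept (the "direct identifiers only" approach).
CLINICAL_RECORDS = [
    {"zip": "02138", "dob": "1961-07-15", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1961-07-15", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1985-03-02", "diagnosis": "diabetes"},
    {"zip": "02140", "dob": "1947-11-30", "diagnosis": "depression"},
    {"zip": "02141", "dob": "1990-01-20", "diagnosis": "fracture"},
]

# Constructed public list standing in for a voter registration list: a name
# plus the same two indirect identifiers. Names are placeholders.
VOTER_LIST = [
    {"name": "Voter A", "zip": "02138", "dob": "1961-07-15"},
    {"name": "Voter B", "zip": "02138", "dob": "1961-07-15"},
    {"name": "Voter C", "zip": "02139", "dob": "1985-03-02"},
    {"name": "Voter D", "zip": "02140", "dob": "1947-11-30"},
    {"name": "Voter E", "zip": "02141", "dob": "1990-01-20"},
    {"name": "Voter F", "zip": "02141", "dob": "1990-01-21"},
]


def quasi_key(rec, fields=QUASI_IDENTIFIERS):
    """The tuple of indirect-identifier values an attacker would join on."""
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. A value of 1 means at least one record is unique on those fields."""
    groups = Counter(quasi_key(r, fields) for r in records)
    return min(groups.values())


def link(records, external, fields=QUASI_IDENTIFIERS):
    """Join released records to the external list on the quasi-identifiers.
    Returns (reidentified, ambiguous): records that match exactly one named
    person, and records that match several (the attacker still narrows the
    diagnosis to a short list of named people)."""
    index = {}
    for person in external:
        index.setdefault(quasi_key(person, fields), []).append(person["name"])
    reidentified, ambiguous = [], []
    for rec in records:
        names = index.get(quasi_key(rec, fields), [])
        if len(names) == 1:
            reidentified.append({"name": names[0], **rec})
        elif len(names) > 1:
            ambiguous.append({"candidates": names, **rec})
    return reidentified, ambiguous


def generalize(records, zip_digits=3, dob_chars=4):
    """Coarsen the indirect identifiers to a zip prefix and a birth year.
    Assumed illustration only; the preamble does not prescribe these cuts."""
    return [
        {**r, "zip": r["zip"][:zip_digits], "dob": r["dob"][:dob_chars]}
        for r in records
    ]


if __name__ == "__main__":
    print("k-anonymity of released extract:", k_anonymity(CLINICAL_RECORDS))
    found, maybe = link(CLINICAL_RECORDS, VOTER_LIST)
    print("re-identified:", [(r["name"], r["diagnosis"]) for r in found])
    print("narrowed to candidates:", [(r["candidates"], r["diagnosis"]) for r in maybe])
    coarse_found, coarse_maybe = link(generalize(CLINICAL_RECORDS), generalize(VOTER_LIST))
    print("re-identified after generalizing:", [(r["name"], r["diagnosis"]) for r in coarse_found])
    print("narrowed after generalizing:", [(r["candidates"], r["diagnosis"]) for r in coarse_maybe])
```

Run as-is, three of the five released records resolve to exactly one named person, and the other two resolve to one of two named people, which is still a disclosure. Coarsening the zip code and birth date reduces the number of exact matches but does not bring it to zero, which is the situation the response describes: risk of identification is reduced to a level to be balanced against usefulness, not eliminated. Note also that k-anonymity measured on the released set alone says nothing about how unique those values are in the public list an attacker actually holds.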

We agree with the comments that said that records of information about individuals cannot be truly de-identified, if that means that the probability of attribution to an individual must be absolutely zero. However, the statutory standard does not allow us to take such a position, but envisions a reasonable balance between risk of identification and usefulness of the information.

We disagree with those comments that advocated releasing only truly anonymous information (which has been changed sufficiently so that it no longer represents actual information about real individuals) and those that supported using only sophisticated statistical analysis before allowing uncontrolled disclosures. Although these approaches would provide a marginally higher level of privacy protection, they would preclude many of the laudable and valuable uses discussed in the NPRM (in § 164.506(d)) and would impose too great a burden on less sophisticated covered entities to be justified by the small decrease in an already small risk of identification.

We conclude that compared to the alternatives advanced by the comments, the approach proposed in the NPRM, as refined and modified below in response to the comments, most closely meets the intent of the statute.

Comments: A few comments complained that the proposed standards were so strict that they would expose covered entities to liability because arguably no information could ever be de-identified.

Response: In the final rule we have modified the mechanisms by which a covered entity may demonstrate that it has complied with the standard in ways that provide greater certainty. In the standard method for de-identification, we have clarified the professional standard to be used, and anticipate issuing further guidance for covered entities to use in applying the standard. In the safe harbor method, we reduced the amount of judgment that a covered entity must apply. We believe that these mechanisms for de-identification are sufficiently well-defined to protect covered entities that follow them from undue liability.

Comments: Several comments suggested that the rule prohibit any linking of de-identified data, regardless of the probability of identification.

Response: Since our methods of de-identification include consideration of how the information might be used in combination with other information, we believe that linking de-identified information does not pose a significantly increased risk of privacy violations. In addition, since our authority extends only to the regulation of individually identifiable health information, we cannot regulate de-identified information because it no longer meets the definition of individually identifiable health information. We also have no authority to regulate entities that might receive and desire to link such information yet that are not covered entities; thus such a prohibition would have little protective effect.

Comments: Several commenters suggested that we create incentives for covered entities to use de-identified information. One commenter suggested that we mandate an assessment to see if de-identified information could be used before the use or disclosure of identified information would be allowed.

Response: We believe that this final rule establishes a reasonable mechanism for the creation of de-identified information, and the fact that this de-identified information can be used without having to follow the policies, procedures, and documentation required to use individually identifiable health information should provide an incentive to encourage its use where appropriate. We disagree with the comment suggesting that we require an assessment of whether de-identified information could be used for each use or disclosure. We believe that such a requirement would be too burdensome on covered entities, particularly with respect to internal uses, where entire records are often used by medical and other personnel. For disclosures, we believe that such an assessment would add little to the protection provided by the minimum necessary requirements in this final rule.

Comments: One commenter asked if de-identification was equivalent to destruction of the protected health information (as required under several of the provisions of this final rule).

Response: The process of de-identification creates a new dataset in addition to the source dataset containing the protected health information. This process does not substitute for actual destruction of the source data.