On November 26, 2012, the Department of Health and Human Services (“DHHS”) issued new guidance on the de-identification of protected health information (“PHI”). Its intent was to explain and answer questions regarding two methods of de-identification, the so-called “expert determination,” and the safe harbor. In the former, a qualified expert determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the subject of the information. In the safe harbor, 18 types of identifiers must be removed, and the covered entity must not have any actual knowledge that such remaining information could identify an individual.

Once the covered entity has satisfied either of these two standards, the information is no longer PHI, and HIPAA does not apply.

HIPAA permits re-identification, such as by the use of a code that is not derived from the information that is not otherwise capable of being translated so as to identify the individual. The covered entity must not disclose the code.

Following a discussion of the above issues, the guidance provides information on the two methods in the form of questions and answers. Figure 2 depicts a general workflow for making the expert determination. Table 1 provides helpful principles for the expert to use in making the determination.

Guidance on satisfying the safe harbor method follows. Of interest is the discussion of zip codes. The safe harbor requires the following for zip codes: removal of the first three initial digits if the zip code contains more than 20,000 people or changing to 000 the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people. The guidance notes that patient initials or the last four digits of a Social Security number would not be de-identified. For that and other guidance, DHHS provides examples that are helpful.