
Section 164.514(c) of the HIPAA Privacy Rule discusses re-identification of PHI.

If a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI. Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI.

https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

Under these rules, what is the possible purpose of de-identifying data while retaining a method of re-identifying it?

I could imagine someone wanting to store tightly secured HIPAA-protected information separately from less tightly secured non-HIPAA-protected information.


But the excerpt says that the linking key is itself considered PHI. So the de-identified information (including its key) is no less HIPAA-protected PHI than the original data.

Am I misunderstanding the security requirements here? It seems pointless to de-identify while retaining the ability to re-identify, since both data sets are treated as PHI anyway.

Paul Draper
  • I think it says **do not** re-identify. It says it counts as PHI disclosure. – Future Security Nov 15 '18 at 19:17
  • @FutureSecurity, you could be correct in its intent, though if that's true, the section could have been *much* more explicit. – Paul Draper Nov 15 '18 at 19:27
  • Agreed. At a minimum I think it suggests if you leak a method of re-identifying stuff then you're just as responsible as if you leaked the original PHI itself. Tech people reading that document should probably consult law people as well as infosec people. (However I've thought of a concrete example of re-identification that makes sense.) – Future Security Nov 15 '18 at 19:50

1 Answer


Note: I can't give legal advice. This is speculation. I'm not qualified in this area so I also don't know whether this is accurate.


I believe that it's common for clinics to draw patients' blood but send the sample to a third party lab for testing. The people doing blood tests don't need to know who the sample belongs to, but the doctor needs to know that information once they receive the results.

You could de-identify the source of a sample by replacing their name with a randomly generated number. The samples sent to the lab are (pseudo)anonymous. The lab should not be able to tell who a sample belongs to.*

When the doctors get back the test results they need to determine whose test results they are. They determine that by re-identifying. They replace the random number back with the patient's name. (Or ID number.)

I think the last part means that if you leak this mapping function or its inverse, then it has to be treated as if you leaked the patient's name.

I see this as kind of similar to blind signature algorithms.

* But... what about DNA?

Future Security
  • Sure, but according to my quote doesn't HIPAA still consider the identifier (random though it may be) PHI? So they are transmitting PHI anyway, right? – Paul Draper Nov 17 '18 at 07:04
  • But using a random identifier in transit massively reduces risk of exposure. If the sample or result is lost, PHI is not actually exposed yet. – Geir Emblemsvag Apr 15 '19 at 05:26
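The blood-sample flow described in the answer above, written out as an added example (this is not code from the original post or from any real clinic or lab system; the Patient/LabOrder/LabResult field names and the ReidentificationKey class are assumptions made for illustration). The clinic replaces the patient's identifiers with a random token before the order leaves, keeps the token-to-MRN table as the re-identification key, and uses that table only when results come back. The point the comments raise is visible in the code: the outbound order carries no direct identifiers, so a lost order or result is not on its own an exposure, while the table is the thing that must be guarded as PHI. The token is drawn from the OS CSPRNG rather than derived from the MRN, since a deterministic hash of a small identifier space can be reversed without the table.

```python
"""Reversible pseudonymization of lab orders: the clinic keeps the key."""
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Patient:
    """Clinic-side record. Every field here is a direct identifier (PHI).
    Field names are assumptions for this example."""
    mrn: str   # medical record number
    name: str
    dob: str


@dataclass(frozen=True)
class LabOrder:
    """What is sent to the outside lab: a random token plus the clinical
    fields the lab actually needs. No name, MRN or date of birth."""
    token: str
    test: str
    specimen: str


@dataclass(frozen=True)
class LabResult:
    """What the lab sends back, keyed only by the token it received."""
    token: str
    test: str
    value: str


DIRECT_IDENTIFIERS = {"mrn", "name", "dob"}


class ReidentificationKey:
    """The token -> MRN table. This is the 'means of record identification'
    the HHS guidance refers to: store and access-control it as PHI, apart
    from the lab-facing data. (Hypothetical class for this example.)"""

    def __init__(self):
        self._token_to_mrn = {}

    def issue(self, patient: Patient) -> str:
        # 128 random bits from the OS CSPRNG. Without this table the token
        # is unlinkable to the patient. Do NOT derive it deterministically
        # (e.g. sha256(mrn)): MRNs and names form a small space, so such a
        # hash can be reversed by enumeration even without the table.
        token = secrets.token_hex(16)
        self._token_to_mrn[token] = patient.mrn
        return token

    def is_issued(self, token: str) -> bool:
        return token in self._token_to_mrn

    def resolve(self, token: str) -> str:
        # KeyError for tokens this clinic never issued, so a stray or forged
        # result cannot be attached to a patient.
        return self._token_to_mrn[token]


def build_orders(key: ReidentificationKey, patients, test: str, specimen: str):
    """Clinic side: pseudonymize before sending. Returns the outbound orders."""
    return [LabOrder(key.issue(p), test, specimen) for p in patients]


def leaks_direct_identifiers(order: LabOrder) -> bool:
    """True if the outbound record carries any direct-identifier field."""
    return bool(DIRECT_IDENTIFIERS & set(asdict(order)))


def link_results(key: ReidentificationKey, results):
    """Clinic side: re-identify returned results. Returns {mrn: (test, value)}."""
    return {key.resolve(r.token): (r.test, r.value) for r in results}


def demo():
    # Constructed sample patients, not real data.
    patients = [Patient("MRN-0001", "Alice Example", "1980-01-02"),
                Patient("MRN-0002", "Bob Example", "1975-03-04")]
    key = ReidentificationKey()
    orders = build_orders(key, patients, "CBC", "whole blood")
    # Simulated lab: it only ever sees the token, and echoes it back.
    results = [LabResult(o.token, o.test, "normal") for o in orders]
    return orders, link_results(key, results)


if __name__ == "__main__":
    sent, linked = demo()
    for o in sent:
        print("sent to lab:", o, "leaks identifiers:", leaks_direct_identifiers(o))
    print("re-identified:", linked)
```

In a real deployment the table would live in a separate, more tightly controlled store than the order queue, and the same token must not be reused across unrelated orders, otherwise the lab could link a patient's samples over time even without the key.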