Industry News

OCR Explains Methods for De-Identifying PHI

The Department of Health and Human Services Office for Civil Rights (OCR) issued guidance to providers on methods to de-identify protected health information (PHI) in health records. The Health Information Portability and Accountability Act of 1996 (HIPAA) requires covered entities to remove PHI before sharing health information for research, policy assessments, and other secondary purposes. De-identification is the process of removing PHI to ensure the health information does not identify an individual. The Privacy Rule specifies two methods to de-identify health records, an expert determination method, or the safe harbor method.

The expert determination method requires an expert to use statistical and scientific methods to determine that the risk of re-identifying PHI in the health records is low. Alternatively, the safe harbor method requires covered entities to remove 18 types of PHI identifiers. Examples of the identifiers include names, dates, medical record numbers, and full-face photographs. HIPAA covered entities should review the OCR information for further guidance on complying with HIPAA de-identify standards.

The OCR guidance document on de-identification methods is available at:

“Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.” Nov. 2012. Department of Health and Human Services Office for Civil Rights. 28 Nov. 2012.