The increasing adoption of information technology in the healthcare sector accelerates the potential to facilitate fruitful new insights emerging from large datasets and complex sources. Laws protecting health data privacy, backed by de-identification processes, enable secondary use of health data in a secure manner and without jeopardizing individuals' right to privacy.
What is health information privacy law about?
The legislation that applies to health information privacy was designed to address very complex issues related to the collection, use, and disclosure of personal health information by those who have custody of it.
The law requires medical professionals and health or insurance plans to protect the privacy of patient information. In this way, its use or disclosure, whether intentional or unintentional, is prevented, as long as it has not been previously justified.
The objective is to maximize the level of protected health information without compromising the benefits of being able to collect, use and disclose personal health information for purposes beyond the individual's care, but which are socially beneficial.
What is HIPAA and who is covered by the HIPAA privacy law?
The Health Insurance Portability and Accountability Act (HIPAA) emerged as a measure that establishes common standards for protecting individuals' medical records and other individually identifiable health information.
It applies to health plans, healthcare clearinghouses and any healthcare provider that conducts electronic transactions containing personal data, commonly referred to as "personal health information."
Protected health information is typically contained in documents such as diagnoses, medical test results, prescriptions and treatments, and includes national identification numbers, dates of birth and contact information, among others.
Recommended content: How to find the perfect partner for technical translation?
How to comply with HIPAA requirements regarding data anonymization?
Those entities subject to the HIPAA Security Rule may not use or disclose protected health information unless (1) permitted or required by the rule itself; or (2) authorized in writing by the individual who is the subject of the information or, failing that, their personal representative.
On the other hand, these entities should only disclose personal health information upon request if requested by (1) the subject of the information or their representative; or (2) the public department of health and human services.
The HIPAA Security Rule permits entities to use information as long as it is intended for their own processing, payment or other operations; authorized by or intended for the individuals to whom it pertains; appropriately protected; or for purposes beneficial to the public interest.
First and foremost, entities should rely on professional ethics and their good judgment when using protected health information in a moral, honest, and responsible manner.
De-identification and anonymization of data under HIPAA
The de-identification of data is the most secure way to preserve the privacy of any identifiable information. For this reason, there are no HIPAA restrictions imposed on the use or disclosure of de-identified data, as it is no longer considered protected health information.
Through anonymization techniques, irreversible de-identification is obtained that does not identify or provide a basis for identifying individuals. This technique can be carried out either by a qualified statistician, or manually by removing any trace of specific identifiers, either of an individual or third parties.
You might be interested in: Ensuring quality medical translations according to the new MDR and IVDR regulations
Guidelines for data de-identification and anonymization
To achieve data de-identification in accordance with HIPAA privacy regulations, we propose a series of aspects to be taken into account when carrying out either of the two methods available and previously mentioned.
The statistical method
The statistical method, also known as "expert determination", requires a person with appropriate knowledge and proven experience working with generally accepted scientific principles and methods.
These principles and methods must be applied and the risk that the information may identify the subject must be determined as minimal. In addition, the methods and results of the analysis must be documented in a manner that justifies such a determination.
The safe harbor method
The manual method, also known as "safe harbor," removes up to 18 types of identifiers applicable to the individual, family members, employers or household members of the individual. These include names, geographic subdivisions, dates, phone numbers, vehicle identifiers, account numbers, IPs, URLs and face images among others.
Once the process is completed, the covered entity should be sure that the information cannot be used, alone or in combination with other information, to identify the subject.