More than two dozen frequently asked questions explain the two methods--Expert Determination and Safe Harbor--that satisfy the privacy rule’s standards for de-identification. “This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification,” according to OCR.
The Expert Determination method is defined as:
“(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination.”
The Safe Harbor method involves the removal of dozens of identifiers of the individual, relatives, other household members of the individual and employers. For instance, the removal of just one identifier--dates-- includes: “All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.”
The American Recovery and Reinvestment Act of 2009 mandated creation of the guidance, available here.