Safe Harbor Versus Expert Determination
The HIPAA Privacy Rule provides mechanisms for using and disclosing health data responsibly without the need for patient consent, or for situations where they can’t obtain consent. These mechanisms center on two HIPAA de-identification standards – Safe Harbor and the Expert Determination Method. Safe Harbor relies on the removal of specific patient identifiers while the Expert Determination Method requires knowledge and experience with generally accepted statistical and scientific principles and methods to render information not individually identifiable.
To really understand the difference between the two, you need to understand two terms: direct identifier and indirect or quasi-identifier. Direct identifiers are fields that can uniquely identify individuals, such as names, Social Security Numbers (SSN) and email addresses. In contrast, quasi-identifiers are fields that cannot immediately identify individuals but when linked with other identifiers increased the risk of individual re-identification exponentially. Examples of quasi-identifiers include dates, demographic information (such as race and ethnicity), and socioeconomic variables (occupation, salary).
HIPAA’s Safe Harbor is primarily concerned with 18 different types of criteria, which have the potential to increase the risk of re-identification. Sixteen of the 18 criteria are classified as direct identifiers and include name, telephone number, and Social Security Number. The last two are known as quasi-identifiers and include date and geography. “16 + 2” is a quick shortcut to remember Safe Harbor.
Because of its simplicity, Safe Harbor is popular. Many tools are available on the market that allow organizations to quickly implement Safe Harbor at relatively low cost.
But the devil is in the details. Quasi-identifiers can be used to re-identify individuals in a dataset. They are also incredibly useful for data analysis. Safe Harbor’s focus on direct identifiers not only increases the risk of re-identification, but limits access to meaningful data analysis for secondary purposes.
The second mechanism of HIPAA’s Privacy Rule is known as the Expert Determination method. It handles both direct and indirect identifiers, and it is primarily concerned with risk and risk measurement. While this isn’t a deep dive on Expert Determination (De-Identification University is full of content on the topic), consider the difference between Safe Harbor and Expert Determination as a half a solution versus a complete solution. The Expert Determination method is a risk management exercise that incorporates both direct and quasi-identifiers. It satisfies both the need to protect the identity of individuals, while allowing organizations deep analysis on data used for secondary use.
For this reason, many organizations in the United States, Canada and Europe, including the HITRUST Alliance and Institute of Medicine, have adopted the Expert Determination method as the chosen approach to de-identify health data.
- One Year In: How the Opening of Health Canada’s Portal Affects YouMay 4, 2020
- Turn Data Assets into Business Opportunity Under CCPADecember 19, 2019
- How does risk-based anonymization work?December 18, 2019
- Why should I use Expert Determination over Safe Harbor?December 18, 2019
- What do I need to know about GDPR, HIPAA and CCPA to meet our regulatory and privacy obligations?December 18, 2019
- Putting our passion into action against COVID-19April 15, 2020
- GDPR and The Future of Clinical Trials Data SharingMarch 18, 2019
- Advancing Principled Data Practices in Support of Emerging TechnologiesMarch 15, 2019
- “Zero Risk Does Not Exist”February 7, 2019
- Is Anonymization Possible with Current Technologies?January 9, 2019