Safe Harbor Versus Expert Determination

The HIPAA Privacy Rule provides mechanisms for using and disclosing health data responsibly without the need for patient consent, or for situations where they can’t obtain consent. These mechanisms center on two HIPAA de-identification standards – Safe Harbor and the Expert Determination Method. Safe Harbor relies on the removal of specific patient identifiers while the Expert Determination Method requires knowledge and experience with generally accepted statistical and scientific principles and methods to render information not individually identifiable.

To really understand the difference between the two, you need to understand two terms: direct identifier and indirect or quasi-identifier. Direct identifiers are fields that can uniquely identify individuals, such as names, Social Security Numbers (SSN) and email addresses. In contrast, quasi-identifiers are fields that cannot immediately identify individuals but when linked with other identifiers increased the risk of individual re-identification exponentially. Examples of quasi-identifiers include dates, demographic information (such as race and ethnicity), and socioeconomic variables (occupation, salary).

HIPAA’s Safe Harbor is primarily concerned with 18 different types of criteria, which have the potential to increase the risk of re-identification. Sixteen of the 18 criteria are classified as direct identifiers and include name, telephone number, and Social Security Number. The last two are known as quasi-identifiers and include date and geography. “16 + 2” is a quick shortcut to remember Safe Harbor.

Because of its simplicity, Safe Harbor is popular. Many tools are available on the market that allow organizations to quickly implement Safe Harbor at relatively low cost.

But the devil is in the details. Quasi-identifiers can be used to re-identify individuals in a dataset. They are also incredibly useful for data analysis. Safe Harbor’s focus on direct identifiers not only increases the risk of re-identification, but limits access to meaningful data analysis for secondary purposes.

The second mechanism of HIPAA’s Privacy Rule is known as the Expert Determination method. It handles both direct and indirect identifiers, and it is primarily concerned with risk and risk measurement. While this isn’t a deep dive on Expert Determination (De-Identification University is full of content on the topic), consider the difference between Safe Harbor and Expert Determination as a half a solution versus a complete solution. The Expert Determination method is a risk management exercise that incorporates both direct and quasi-identifiers. It satisfies both the need to protect the identity of individuals, while allowing organizations deep analysis on data used for secondary use.

For this reason, many organizations in the United States, Canada and Europe, including the HITRUST Alliance and Institute of Medicine, have adopted the Expert Determination method as the chosen approach to de-identify health data.

@swehbe

Free Webinar: De-Identification 101

Join Privacy Analytics for a high level introduction of de-identification and data masking.
Watch now

Free Download: De-Id 101

You have Successfully Subscribed!