Home Compliance StandardsHIPAA / Healthcare Industry Guide to Deidentified Patient Data Security
HIPAA / Healthcare Industry

Guide to Deidentified Patient Data Security

by RSI Security
written by RSI Security
pen test

Under the Health Insurance Portability and Accountability Act (HIPAA), the protected health information (PHI) of patients needs to be secured at all times. This includes personal information, such as names, birthdays, medical conditions, treatments, account numbers, Social Security numbers, and tech-related information (e.g., IP addresses, device serial numbers). However, deidentified patient data is exempt from this rule.

 

Patient Data Security at a Glance

Although deidentified patient data isn’t subject to the same safeguards as PHI, it still needs to be protected from external threats. The information is still valuable to your organization and usable in ongoing research, including investigations into emerging medical conditions and analyses of patient demographics. Therefore, it’s critical to secure this information according to modern standards.

To protect deidentified patient data, you’ll need to know:

  • The different types of healthcare data
  • How to de-identify patient information
  • How to protect deidentified data
  • The benefits of deidentified data
  • The risks of deidentified data

 

The Types of Healthcare Data

Current HIPAA guidelines maintain provisions for various types of data. This includes PHI, anonymized or deidentified patient data, and reidentified data.

 

Protected Health Information

According to HIPAA, there are 18 information identifiers that are used to constitute PHI. Although some could fit multiple categories, these datasets fall into one of three general groupings:

  • Personal identifiers – These identifiers include:
    • First and last names
    • Birthdates
    • Facility admission dates
    • Social Security numbers
    • Medical record or account numbers
    • Vehicle identifiers
    • Traditional photographs
  • Geographical identifiers – These identifiers include:
    • Home addresses
    • Telephone and fax numbers.

However, note that information regarding a patient’s state of residence is not considered a geographic identifier or PHI. 

  • Technological identifiers – These identifiers include:
    • Email addresses
    • IP addresses
    • Forms of biometric identification
    • Digital facial images

 

Request a Free Consultation

 

Deidentified and Anonymized Patient Data

Information that has been properly deidentified is considered anonymized according to HIPAA guidelines. Since this deidentified patient data cannot be linked to an individual, it’s no longer considered PHI and can be stored, processed, or transmitted as necessary. 

 

Reidentified Patient Data

Just like data can be deidentified for the purpose of anonymization, it can also be reidentified. This usually results in a combination of direct and indirect identifiers, which are sometimes capable of linking specific datasets to certain patients. Data is usually reidentified through one or more of the following methods:

  1. Undoing an insufficient or ineffective attempt to de-identify patient information
  2. Reversing the pseudonyms that were originally used to scrub the patient data
  3. Linking, combing, and collating various datasets and connecting the dots

Any reidentified data immediately becomes subject to HIPAA’s PHI safeguards once again, as threats of unauthorized use or disclosure resume.

planning

How To De-Identify Patient Data

The HIPAA Privacy Rule describes two methods for deidentifying patient data: expert determination following an assessment or scrubbing the 18 identifiers listed as PHI.

Either method can be used. 

 

Expert Determination

Covered entities can call on a qualified expert to determine whether or not a dataset is considered PHI. According to HIPAA, this must be a person with the appropriate level of knowledge and experience with modern scientific and statistical principles. 

The expert must also apply their knowledge to determine whether or not a dataset poses any risk of identifying an individual. If not, the data is effectively considered as deidentified patient data.

 

Safe Harbor

This method requires that all of the personal, geographical, and technological identifiers of an individual, or of their employers and relatives, are removed. This includes the 18 different information identifiers described by HIPAA, with the following exceptions: 

  • Geographical units that combine multiple ZIP codes with the same three starting digits that contain fewer than 20,000 people are not considered PHI as long as these three digits are changed to 000
  • Age-related data that is aggregated into a uniform category for patients aged 90 or older is not considered PHI

 

Protecting Deidentified Patient Data

While it’s not held to the same security standards as PHI, deidentified patient data should still be protected in many of the same ways.

 

Maintaining Security During Research

Anonymous data still needs to be protected during research. Common concerns include viruses and ransomware that could corrupt data or lock researchers out of their systems, competitor spying or sabotage, and having incomplete or inaccurate information released to the public. Apart from compromising data security, these issues also affect your public image and reputation.

When organizing studies and research that involves deidentified patient data, some organizations utilize a legally binding data sharing agreement (DSA). Also known as a data use agreement (DUA), this document clarifies the researcher’s role, their access privileges, and exactly how data should be used. Most DSAs expressly forbid data sharing and any attempts to identify individual patients.

 

Achieving Long-Term Data Security

Deidentified patient data that is stored or processed over prolonged periods should remain protected at all times. In this case, most of HIPAA’s recommendations of data protection will suffice, including those outlined in the HIPAA Security Rule.

The Security Rule covers the following regarding PHI protections:

  • Administrative safeguards – While ongoing risk management is still applicable, the most relevant controls here relate to identity and access management, BYOD (Bring Your Own Device) policies, and incident management.
  • Physical safeguards – These safeguards protect deidentified patient data by controlling physical access to systems, servers, databases, and devices that contain anonymous information.
  • Technical safeguards – This category includes firewalls, antivirus software, anti-malware tools, next-gen encryption, and the other apps that are used to protect your network from intruders.  

Although these strategies are not required, and failure to implement them for anonymous data will not result in any repercussions from HIPAA, they still provide a solid framework when securing your deidentified patient data.

Transferring Data Securely

Organizations are not required to observe HIPAA’s data encryption guidelines when storing or transferring deidentified patient data. Still, doing so helps ensure data integrity while keeping your data away from any unintended recipients but it helps ensure data integrity while keeping your data away from any unintended recipients. 

Current HIPAA guidelines recommend several encryption methods: 

  • Advanced Encryption Standard (AES-256)
  • Transport Layer Security (TLS)
  • OpenPGP (Pretty Good Privacy)
  • S/MIME (Secure/Multipurpose Internet Mail Extensions)

 

Understanding the Benefits of Deidentified Data

Organizations de-identify patient information for numerous reasons, including:

  • Data sharing and collaboration – Thanks to high-speed internet, healthcare professionals can collaborate and share anonymous data on a global basis, ultimately helping to speed drug discovery and new forms of treatment.
  • Organizational performance tracking – Organizations can evaluate their own performance in several areas, including tracking the popularity of specific health plans  within a particular region.
  • Demographic analysis – Hospitals and research facilities can use anonymous data to determine disease rates, treatment effectiveness, medical insurance coverage, and more. 

 

Examining the Risks of Deidentified Data

While there’s no denying that medical research poses a lesser threat to the public when using deidentified patient data, there are still some inherent privacy risks and concerns. 

  • The sharing or sale of anonymous data without consent – Although they’ve all been unsuccessful to date, numerous lawsuits have been started regarding the sale of deidentified patient data.
  • Malicious data reidentification – Numerous studies indicate that malicious data reidentification is unlikely, it’s still a possibility with modern technology. 
  • Lack of industry regulations – Since neither deidentified nor anonymous data is protected by HIPAA, they are left in a totally unregulated and unchecked state. As such, they can legally be used for nearly any purpose.  

 

Protecting All of Your Patient Data

Deidentified patient data can be stored, processed, and transmitted without having to observe the stringent data protection rules outlined in HIPAA.

For more information on deidentified, anonymized, or reidentified patient data, or to find out how to better protect your patients’ data, contact RSI Security today.

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Basic Patient Data Rights Under HIPAA

March 19, 2021

HIPAA Violation 101: Penalties and How to Avoid...

May 14, 2023

What is the HIPAA Enforcement Rule?

March 23, 2021

Your HIPAA Security Rule Checklist

November 13, 2020

HIPAA Compliance Checklist: What You Need to Know

August 29, 2018

Healthcare Penetration Testing for HIPAA Compliance

March 19, 2021

How to Keep Your HIPAA Compliance Efforts Up...

May 24, 2019

HIPAA Security Rule Requirements for Covered Entities

March 21, 2024

Your Guide to HIPAA Breach Determination and Risk...

April 5, 2023

HIPAA Patient Data Security Requirements, Challenges, and Best...

April 28, 2022

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More