Under the Health Insurance Portability and Accountability Act (HIPAA), the protected health information (PHI) of patients needs to be secured at all times. This includes personal information, such as names, birthdays, medical conditions, treatments, account numbers, Social Security numbers, and tech-related information (e.g., IP addresses, device serial numbers). However, deidentified patient data is exempt from this rule.
Patient Data Security at a Glance
Although deidentified patient data isn’t subject to the same safeguards as PHI, it still needs to be protected from external threats. The information is still valuable to your organization and usable in ongoing research, including investigations into emerging medical conditions and analyses of patient demographics. Therefore, it’s critical to secure this information according to modern standards.
To protect deidentified patient data, you’ll need to know:
- The different types of healthcare data
- How to de-identify patient information
- How to protect deidentified data
- The benefits of deidentified data
- The risks of deidentified data
The Types of Healthcare Data
Current HIPAA guidelines maintain provisions for various types of data. This includes PHI, anonymized or deidentified patient data, and reidentified data.
Protected Health Information
According to HIPAA, there are 18 identifiers whose presence makes health information PHI. Although some could fit multiple categories, these identifiers fall into one of three general groupings:
- Personal identifiers – These identifiers include:
- First and last names
- Birthdates
- Facility admission dates
- Social Security numbers
- Medical record or account numbers
- Vehicle identifiers
- Traditional photographs
- Geographical identifiers – These identifiers include:
- Home addresses
- Telephone and fax numbers
Note, however, that a patient’s state of residence is not considered a geographic identifier or PHI.
- Technological identifiers – These identifiers include:
- Email addresses
- IP addresses
- Forms of biometric identification
- Digital facial images
Deidentified and Anonymized Patient Data
Information that has been properly deidentified is considered anonymized according to HIPAA guidelines. Since this deidentified patient data cannot be linked to an individual, it’s no longer considered PHI and can be stored, processed, or transmitted as necessary.
Reidentified Patient Data
Just like data can be deidentified for the purpose of anonymization, it can also be reidentified. This usually results in a combination of direct and indirect identifiers, which are sometimes capable of linking specific datasets to certain patients. Data is usually reidentified through one or more of the following methods:
- Undoing an insufficient or ineffective attempt to de-identify patient information
- Reversing the pseudonyms that were originally used to scrub the patient data
- Linking, combining, and collating various datasets and connecting the dots
Any reidentified data immediately becomes subject to HIPAA’s PHI safeguards once again, as threats of unauthorized use or disclosure resume.
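As a defensive illustration of the linkage risk just described, here is an added example (not the article’s own code) of the check a data steward can run before releasing a deidentified dataset: it counts how many records share each combination of quasi-identifiers (fields that are harmless on their own but identifying together, here age band, three-digit ZIP and sex, a constructed choice) and coarsens those fields in any group smaller than k so that no record stands alone. This is a k-anonymity style check, which goes beyond the article’s text; the field names and sample records are constructed for the example.

```python
# Added example: a k-anonymity style linkage-risk check for a deidentified
# release. Not from the article; field names and sample records are constructed.
from collections import Counter

# Quasi-identifiers: fields that survive deidentification individually but can
# single a person out in combination with an outside dataset (constructed choice).
QUASI_IDENTIFIERS = ("age_band", "zip3", "sex")
# Value each field is coarsened to when its group is too small.
COARSE_VALUE = {"zip3": "000", "age_band": "*", "sex": "*"}


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that defines a record's group."""
    return tuple(record.get(k) for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(qi_key(r, keys) for r in records)


def linkage_exposed(records, k, keys=QUASI_IDENTIFIERS):
    """Records whose combination is shared by fewer than k records: these are the
    ones an outside dataset carrying the same fields could single out."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[qi_key(r, keys)] < k]


def coarsen(record):
    """Widen one quasi-identifier in place, finest first; False if nothing is left."""
    for key in ("zip3", "age_band", "sex"):
        if record.get(key) != COARSE_VALUE[key]:
            record[key] = COARSE_VALUE[key]
            return True
    return False


def enforce_k(records, k):
    """Coarsen exposed records until every group has at least k members.
    Returns (new_records, still_exposed) and leaves the input untouched.
    Records in still_exposed could not be protected by coarsening alone and
    should be withheld from the release."""
    records = [dict(r) for r in records]
    while True:
        exposed = linkage_exposed(records, k)
        if not exposed:
            return records, []
        changed = [coarsen(r) for r in exposed]
        if not any(changed):
            return records, exposed


# Constructed sample release: six records in two well-populated groups and three
# patients aged 90 or older who are each alone in their ZIP3 area.
SAMPLE_RELEASE = [
    {"age_band": "40-49", "zip3": "021", "sex": "F", "diagnosis": "asthma"},
    {"age_band": "40-49", "zip3": "021", "sex": "F", "diagnosis": "migraine"},
    {"age_band": "40-49", "zip3": "021", "sex": "F", "diagnosis": "asthma"},
    {"age_band": "40-49", "zip3": "021", "sex": "M", "diagnosis": "asthma"},
    {"age_band": "40-49", "zip3": "021", "sex": "M", "diagnosis": "gout"},
    {"age_band": "40-49", "zip3": "021", "sex": "M", "diagnosis": "asthma"},
    {"age_band": "90+", "zip3": "036", "sex": "M", "diagnosis": "dementia"},
    {"age_band": "90+", "zip3": "021", "sex": "M", "diagnosis": "dementia"},
    {"age_band": "90+", "zip3": "990", "sex": "M", "diagnosis": "hip fracture"},
]

if __name__ == "__main__":
    print("exposed before:", len(linkage_exposed(SAMPLE_RELEASE, 3)))
    fixed, leftover = enforce_k(SAMPLE_RELEASE, 3)
    print("exposed after:", len(leftover))
    print(equivalence_classes(fixed))
```

On the sample data with k=3 the three patients aged 90 or older are each unique; coarsening their ZIP3 to 000 merges them into one group of three, while the well-populated groups keep their ZIP3 prefix. The `still_exposed` return value is the list a reviewer should act on: records that remain unique after every quasi-identifier has been coarsened are candidates for suppression rather than release.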
How To De-Identify Patient Data
The HIPAA Privacy Rule describes two methods for deidentifying patient data, either of which can be used: expert determination following an assessment, or scrubbing the 18 identifiers listed as PHI (the Safe Harbor method).
Expert Determination
Covered entities can call on a qualified expert to determine whether or not a dataset is considered PHI. According to HIPAA, this must be a person with the appropriate level of knowledge and experience with modern scientific and statistical principles.
The expert must also apply their knowledge to determine whether or not a dataset poses any risk of identifying an individual. If not, the data is effectively considered as deidentified patient data.
Safe Harbor
This method requires that all of the personal, geographical, and technological identifiers of an individual, or of their employers and relatives, are removed. This includes the 18 different information identifiers described by HIPAA, with the following exceptions:
- The first three digits of a ZIP code may be retained, but where the geographical unit formed by combining all ZIP codes with the same three starting digits contains fewer than 20,000 people, those three digits must be changed to 000
- Ages of 90 or older are not considered PHI once they are aggregated into a single uniform category (for example, “90 or older”)
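As an added illustration of the Safe Harbor method (example code written for this article, not the article’s own or any regulator’s): a Python routine that drops the direct identifier fields, reduces dates to the year, applies the three-digit ZIP rule with the 20,000-resident threshold as the article states it, collapses ages of 90 and over into a single category, and then scans the remaining free-text fields for identifiers that slipped through. The field names, the record layout and the ZIP3 population figures are constructed assumptions; a real deployment would take the population table from Census data.

```python
# Added example of the Safe Harbor method; not code from the article or any regulator.
# Field names, record layout and ZIP3 population figures are constructed for this
# example. A real deployment would load ZIP3_POPULATION from Census data.
import re
from datetime import date

# Constructed population estimates per three-digit ZIP prefix (made-up numbers).
ZIP3_POPULATION = {
    "021": 950_000,  # populous prefix: the three digits may be retained
    "036": 12_000,   # fewer than 20,000 residents: must become 000
}
ZIP_THRESHOLD = 20_000  # population threshold as the article states it
AGE_CAP = 90            # ages 90 and over collapse into one category

# Fields removed outright (a subset of the 18 identifiers; names are this example's own).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "account_number", "phone", "fax", "email", "ip_address",
    "street_address", "device_serial", "license_plate", "photo_url",
}
# Date fields reduced to year only (month and day are removed).
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date")

# Identifier shapes that tend to survive inside free-text fields such as clinical notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the first three ZIP digits only when that prefix area has at least
    ZIP_THRESHOLD residents; otherwise return '000'. Missing, malformed or
    unknown prefixes are treated as small areas, the conservative choice."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return zip3 if population.get(zip3, 0) >= ZIP_THRESHOLD else "000"


def generalize_age(age):
    """Exact age below AGE_CAP; a single '90+' bucket at or above it."""
    if age is None:
        return None
    return f"{AGE_CAP}+" if age >= AGE_CAP else str(age)


def year_only(value):
    """Reduce an ISO-8601 date string or a date object to its year."""
    if value is None:
        return None
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def find_residual_identifiers(record):
    """List (field, pattern_name) pairs for identifier-shaped strings still present,
    so a record carrying a phone number inside a note is flagged before release."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits.extend((field, name) for name, pat in RESIDUAL_PATTERNS.items()
                        if pat.search(value))
    return hits


def safe_harbor_deidentify(record):
    """Return a new dict with the Safe Harbor transformations applied to one record."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    out["zip3"] = generalize_zip(out.pop("zip", None))
    age = out.get("age")
    out["age"] = generalize_age(age)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = year_only(out[field])
    # A retained birth year would reveal an age of 90 or more, so it goes too.
    if age is not None and age >= AGE_CAP:
        out.pop("birth_date", None)
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "zip": "03602",
    "state": "NH",  # state of residence is not an identifier and is kept
    "birth_date": "1931-05-14",
    "admission_date": "2023-02-03",
    "age": 92,
    "diagnosis": "type 2 diabetes",
    "note": "Patient asked us to call 603-555-0100 with results.",
}

if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", find_residual_identifiers(cleaned))
```

Two design points matter in practice. Unknown or malformed ZIP prefixes are mapped to 000 rather than kept, because the rule is population-based and an area whose population is unknown cannot be shown to clear the threshold. And the residual scan exists because structured fields are easy to strip while free-text notes routinely carry phone numbers and e-mail addresses; on the sample record it flags the phone number in `note`, which is exactly the kind of record that should not leave the organization until the note is reviewed.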
Protecting Deidentified Patient Data
While it’s not held to the same security standards as PHI, deidentified patient data should still be protected in many of the same ways.
Maintaining Security During Research
Anonymous data still needs to be protected during research. Common concerns include viruses and ransomware that could corrupt data or lock researchers out of their systems, competitor spying or sabotage, and having incomplete or inaccurate information released to the public. Apart from compromising data security, these issues also affect your public image and reputation.
When organizing studies and research that involves deidentified patient data, some organizations utilize a legally binding data sharing agreement (DSA). Also known as a data use agreement (DUA), this document clarifies the researcher’s role, their access privileges, and exactly how data should be used. Most DSAs expressly forbid data sharing and any attempts to identify individual patients.
Achieving Long-Term Data Security
Deidentified patient data that is stored or processed over prolonged periods should remain protected at all times. In this case, most of HIPAA’s recommendations for data protection will suffice, including those outlined in the HIPAA Security Rule.
The Security Rule covers the following regarding PHI protections:
- Administrative safeguards – While ongoing risk management is still applicable, the most relevant controls here relate to identity and access management, BYOD (Bring Your Own Device) policies, and incident management.
- Physical safeguards – These safeguards protect deidentified patient data by controlling physical access to systems, servers, databases, and devices that contain anonymous information.
- Technical safeguards – This category includes firewalls, antivirus software, anti-malware tools, next-gen encryption, and the other apps that are used to protect your network from intruders.
Although these strategies are not required, and failure to implement them for anonymous data will not result in any repercussions from HIPAA, they still provide a solid framework when securing your deidentified patient data.
Transferring Data Securely
Organizations are not required to observe HIPAA’s data encryption guidelines when storing or transferring deidentified patient data. Still, doing so helps ensure data integrity while keeping your data away from any unintended recipients.
Current HIPAA guidelines recommend several encryption methods:
- Advanced Encryption Standard (AES-256)
- Transport Layer Security (TLS)
- OpenPGP (Pretty Good Privacy)
- S/MIME (Secure/Multipurpose Internet Mail Extensions)
Understanding the Benefits of Deidentified Data
Organizations de-identify patient information for numerous reasons, including:
- Data sharing and collaboration – Thanks to high-speed internet, healthcare professionals can collaborate and share anonymous data on a global basis, ultimately helping to speed drug discovery and new forms of treatment.
- Organizational performance tracking – Organizations can evaluate their own performance in several areas, including tracking the popularity of specific health plans within a particular region.
- Demographic analysis – Hospitals and research facilities can use anonymous data to determine disease rates, treatment effectiveness, medical insurance coverage, and more.
Examining the Risks of Deidentified Data
While there’s no denying that medical research poses a lesser threat to the public when using deidentified patient data, there are still some inherent privacy risks and concerns.
- The sharing or sale of anonymous data without consent – Although they’ve all been unsuccessful to date, numerous lawsuits have been started regarding the sale of deidentified patient data.
- Malicious data reidentification – Although numerous studies indicate that malicious data reidentification is unlikely, it’s still a possibility with modern technology.
- Lack of industry regulations – Since neither deidentified nor anonymous data is protected by HIPAA, it is left in a totally unregulated and unchecked state. As such, it can legally be used for nearly any purpose.
Protecting All of Your Patient Data
Deidentified patient data can be stored, processed, and transmitted without having to observe the stringent data protection rules outlined in HIPAA.
For more information on deidentified, anonymized, or reidentified patient data, or to find out how to better protect your patients’ data, contact RSI Security today.