On November 26, 2012 Health and Human Services (HHS) Office for Civil Rights (OCR) issued “Guidance Regarding Methods for De-identification of Protected Health Information (PHI) in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule”.
This guidance outlines methods for de-identification of protected health information (PHI) when it is being used for secondary purposes.
Some other examples of secondary usage include:
Healthcare organizations that are considered covered entities and their business associates that create, store, transmit, or receive electronic PHI (ePHI) often use this data for some of the secondary purposes listed above. There is very convincing financial business case made for these organizations to anonymize and de-identify ePHI when using it for secondary purposes because improper anonymization or lack of anonymization can be very costly and contribute to data breaches
While external criminal attack is always a concerning source of data breach, studies have shown that the majority of data breaches are a result of criminal or negligent insiders (employees, contractors or other third parties) causing data breaches as a result of their malicious or careless actions. According to a 2015 study funded by IBM, the root cause of data breaches occurred based on the following percentages:
Some industries have higher average data breach cost than others. The overall mean data breach cost across all industries is $154 per effected individual. However, heavily regulated industries such as healthcare, education, pharmaceutical and financial services have a per individual data breach cost substantially above the overall mean:
Some of these costs include: Cost of breach notification - The cost of data breach notification can be quite high estimated at $200 per affected individual – 1. Multiply this by the number of records in your database and costs could add up to could a staggering amount. Lost business costs – Breach notification costs are actually relatively low compared with the costs associated with lost business. Lost business costs include:
The average lost business cost from data breach has increased from $1.45 Million per breach in 2014 to $1.57 million in 2015
Penalties from regulators performing HIPAA audits and inspections - Recent HIPAA audit findings have identified weakness in anonymization and de-identification practices. As a result, regulators are starting to look at anonymization practices during their audits and investigations can impose financial penalties.
The business cases for anonymization is compelling based on eliminating the need of breach notification alone. Couple that with the other cost factors and the business financial case is substantial.
Why Anonymize and De-identify
Sharing health data for the purpose of research can have many benefits including clinical effectiveness and quality of care improvements. However, this sharing must be done in a way that protects the individual’s privacy while still providing useful research data.
These beneficial research studies use information for what is considered secondary purposes because the data is not being used for the primary purpose of direct patient care. Unless patients have provided consent (which is often difficult or impractical to get) their personal information is protected and cannot be shared. However, if this information is anonymized and de-identified it is no longer considered PHI and the information is not subject to the HIPAA Privacy and Security Rules.
Please contact Info Incognito at your convenience for an initial consultation. We’ll work with your team to help secure your data and reduce your risk.
Call Today: (800) 871-9247