Regulatory Compliance

​On November 26, 2012 Health and Human Services (HHS) Office for Civil Rights (OCR) issued “Guidance Regarding Methods for De-identification of Protected Health Information (PHI) in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule”.

This guidance outlines methods for de-identification of protected health information (PHI) when it is being used for secondary purposes. 

Some other examples of secondary usage include:

  • Publishing results of publicly funded clinical trials or other government data
  • Performing analytics on data that is contained within a data warehouse
  • Collections of site specific health related data that is loaded into a centralized repository for the purpose of disease surveillance, monitoring compliance, and service planning
  • Patient data captured from medical devices and collected in a centralized repository
  • Internal and outsourced software development and quality assurance testing teams often utilizes data from production environments for the purpose of functional and performance testing

Healthcare organizations that are considered covered entities and their business associates that create, store, transmit, or receive electronic PHI (ePHI) often use this data for some of the secondary purposes listed above. There is very convincing financial business case made for these organizations to anonymize and de-identify ePHI when using it for secondary purposes because improper anonymization or lack of anonymization can be very costly and contribute to data breaches

Data Breach 

​While external criminal attack is always a concerning source of data breach, studies have shown that the majority of data breaches are a result of criminal or negligent insiders (employees, contractors or other third parties) causing data breaches as a result of their malicious or careless actions. According to a 2015 study funded by IBM, the root cause of data breaches occurred based on the following percentages: 

  • ​Malicious insiders or criminal attack – 47%
  • System glitches – 29%
  • Human error – 25% 

​Some industries have higher average data breach cost than others. The overall mean data breach cost across all industries is $154 per effected individual. However, heavily regulated industries such as healthcare, education, pharmaceutical and financial services have a per individual data breach cost substantially above the overall mean:

  • ​Financial Services - $215
  • Pharmaceuticals - $220
  • Education - $300
  • Healthcare - $363

Some of these costs include: Cost of breach notification - The cost of data breach notification can be quite high estimated at $200 per affected individual – 1. Multiply this by the number of records in your database and costs could add up to could a staggering amount. Lost business costs – Breach notification costs are actually relatively low compared with the costs associated with lost business. Lost business costs include:

  • ​Abnormal turnover of customers
  • Increased customer acquisition activities
  • Reputation losses
  • Diminished good will 

​The average lost business cost from data breach has increased from $1.45 Million per breach in 2014 to $1.57 million in 2015

​Penalties from regulators performing HIPAA audits and inspections - Recent HIPAA audit findings have identified weakness in anonymization and de-identification practices. As a result, regulators are starting to look at anonymization practices during their audits and investigations can impose financial penalties.

The business cases for anonymization is compelling based on eliminating the need of breach notification alone. Couple that with the other cost factors and the business financial case is substantial.

Why Use De-Identification Services?

Why Anonymize and De-identify

  • Contribute to advancements and improvements in overall population health
  • Protect the privacy of individuals
  • Meet federal regulatory requirements including HIPAA, FERPA, GLBA, PCI/DSS, and others
  • Reduce the risks, costs, and damage caused by data breach

Sharing health data for the purpose of research can have many benefits including clinical effectiveness and quality of care improvements. However, this sharing must be done in a way that protects the individual’s privacy while still providing useful research data. 

These beneficial research studies use information for what is considered secondary purposes because the data is not being used for the primary purpose of direct patient care. Unless patients have provided consent (which is often difficult or impractical to get) their personal information is protected and cannot be shared. However, if this information is anonymized and de-identified it is no longer considered PHI and the information is not subject to the HIPAA Privacy and Security Rules.

Please contact Info Incognito at your convenience for an initial consultation. We’ll work with your team to help secure your data and reduce your risk. 

​Call Today: (800) 871-9247

Anonymization at Your Fingertips

(800) 871-9247