CHHS Data De-identification Guidelines Public Health Law Summit March 24, 2017 1

Jun 21, 2018

Page 1: CHHS Data De-identification Guidelines · CHHS Data De-identification Guidelines ... department wants to create a department DDG: must have appropriate references to departmental

CHHS Data De-identification Guidelines

Public Health Law Summit

March 24, 2017


Purpose

Data de-identification practices will be implemented by each department and office

CHHS DDG is the default policy for CHHS departments

If a CHHS department wants to create a department DDG:

must have appropriate references to departmental processes

must file a copy of their DDG with the Office of the Agency Information Officer (OAIO) for review


CHHS DDG Addresses

Overlap with Personal Characteristics


Overview of De-identification Process

1. Does the data include personal characteristics?

2. If personal characteristics, assess for small numerators or denominators

3. If small numerators or denominators, assess potential risk of data release

4. If potential risk, assess need to apply statistical masking

5. Following statistical de-identification, data release is reviewed by legal if indicated in departmental procedures

6. After statistical de-identification, final review and approval based on program and policy criteria pursuant to departmental procedures


Data Assessment for Public Release Procedure

Specifics of Steps 5 and 6 need to be identified by departments to be consistent with departmental policies and procedures


Step 1: Personal Characteristics of Individuals

Examples of data that may inherently include personal characteristics

Hospitals / Facilities:

General Acute Care – NO

Children’s Facility – YES

Populations by Aid Code

Categorically Needy – NO

Foster Care – YES

Expenditures

Projected – NO

Actuals by Program (e.g., Children’s Services) – YES

Examples of data that do NOT generally inherently include personal characteristics

Diseases & Conditions

Facilities and Services

Healthcare Utilization

Workforce

Environmental

Resources


Step 2: Numerator – Denominator Condition

A minimum cell size is set for the Numerator

A minimum value is set for the Denominator

Both the minimum cell size for the numerator and denominator must be met

CHHS has identified a minimum value of:

11 for the numerator

20,000 for the denominator


Step 3: Assessing Risk with the Publication Scoring Criteria

Quasi-identifiers

Ages / Age Groups

Sex

Gender

Race

Ethnicity

Language Spoken

Education**

Occupation**

Modified Identifiers*

Number of Events

Time / Reporting Periods

Residence Geography

Service Geography

* Time that includes dates more specific than a year and geography more specific than the state are identifiers

** May be treated as “Other Variable” or may be added as a Variable in the Publication Scoring Criteria if used routinely


Figure 6: Publication Scoring Criteria

| Variable | Characteristics | Score |
|---|---|---|
| Events (Numerator) | 1000+ events in a specified population | +2 |
| | 100-999 events | +3 |
| | 11-99 events | +5 |
| | <11 events | +7 |
| Sex | Male or Female | +1 |
| Age Range | >10-year age range | +2 |
| | 6-10 year age range | +3 |
| | 3-5 year age range | +5 |
| | 1-2 year age range | +7 |
| Race Group | White, Asian, Black or African American | +2 |
| | White, Asian, Black or African American, American Indian or Alaska Native, Native Hawaiian or Other Pacific Islander, Mixed | +3 |
| | Detailed Race | +4 |
| Ethnicity | Hispanic or Latino - yes or no | +2 |
| | Detailed ethnicity | +4 |
| Race/Ethnicity Combined (this applies when race and ethnicity are collected in a single data field) | White, Asian, Black or African American, Hispanic or Latino | +2 |
| | White, Asian, Black or African American, Hispanic or Latino, American Indian or Alaska Native, Native Hawaiian or Other Pacific Islander, Mixed | +3 |
| | Detailed Race/Ethnicity | +4 |
| Language Spoken | English, Spanish, Other Language | +2 |
| | Detailed Language | +4 |
| Time – Reporting Period | 5 years aggregated | -5 |
| | 2-4 years aggregated | -3 |
| | 1 year (e.g., 2001) | 0 |
| | Bi-Annual | +3 |
| | Quarterly | +4 |
| | Monthly | +5 |
| Residence Geography* | State or geography with population >2,000,000 | -5 |
| | Population 1,000,001 - 2,000,000 | -3 |
| | Population 560,001 - 1,000,000 | -1 |
| | Population 250,000 - 560,000 | 0 |
| | Population 100,000 - 250,000 | +1 |
| | Population 50,001 - 100,000 | +3 |
| | Population 20,001 - 50,000 | +4 |
| | Population ≤ 20,000 | +5 |
| Service Geography* | State or geography with population >2,000,000 | -5 |
| | Population 1,000,001 - 2,000,000 | -4 |
| | Population 560,001 - 1,000,000 | -3 |
| | Population 250,000 - 560,000 | -1 |
| | Population of reporting region 20,001 - 250,000 | 0 |
| | Population of reporting region ≤20,000 | +1 |
| | Address (Street and ZIP) | +3 |
| Variable Interactions | Only Events (minimum of 5), Time, and Geography (Residence or Service) | -5 |
| | Only Events (minimum of 3), Time, and Geography (Residence or Service) | -3 |
| | Only Events (no minimum), Time, and Geography (Residence or Service) | 0 |
| | Events, Time, and Geography (Residence or Service) + 1 variable | +1 |
| | Events, Time, and Geography (Residence or Service) + 2 variable | +2 |
| | Events, Time, and Geography (Residence or Service) + 3 variable | +4 |

* If the geography of the reporting is based on the residence of the individual, use the “Residence Geography”. If the geography of the reporting is based on the location of service, use the “Service Geography”.
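The Step 2 condition and the Figure 6 score, worked through in Python as an added example (not code from the slides or from CHHS). Assumptions: the function names and level labels are chosen here, "minimum of 5/3" is read as the event count being scored, shared band endpoints take the higher score, and only population-based geography is covered. The slides give no release cut-off for the total, so none is applied.

```python
# Added example: scores one table against the Figure 6 values transcribed above.
MIN_NUMERATOR = 11        # Step 2 minimum for the numerator
MIN_DENOMINATOR = 20_000  # Step 2 minimum for the denominator

# Numeric bands as (exclusive lower bound, score), highest band first.
# Assumption: where two rows of the figure share an endpoint (a population of
# exactly 250,000 or 100,000), the higher, more cautious score is used.
EVENTS = [(999, 2), (99, 3), (10, 5)]                  # otherwise <11 events: +7
AGE_RANGE = [(10, 2), (5, 3), (2, 5)]                  # otherwise 1-2 years: +7
RESIDENCE = [(2_000_000, -5), (1_000_000, -3), (560_000, -1), (250_000, 0),
             (100_000, 1), (50_000, 3), (20_000, 4)]   # otherwise <=20,000: +5
SERVICE = [(2_000_000, -5), (1_000_000, -4), (560_000, -3), (250_000, -1),
           (20_000, 0)]                                # otherwise <=20,000: +1
TIME = {"5 years": -5, "2-4 years": -3, "1 year": 0,
        "bi-annual": 3, "quarterly": 4, "monthly": 5}
# Level names are labels chosen for this example, not the guideline's wording.
CATEGORICAL = {
    "sex": {"male_female": 1},
    "race": {"3_groups": 2, "6_groups": 3, "detailed": 4},
    "ethnicity": {"hispanic_yes_no": 2, "detailed": 4},
    "race_ethnicity": {"4_groups": 2, "7_groups": 3, "detailed": 4},
    "language": {"english_spanish_other": 2, "detailed": 4},
}
INTERACTION = {1: 1, 2: 2, 3: 4}  # extra variables beyond events/time/geography


def meets_step2(numerator, denominator):
    """Step 2: both the numerator and the denominator minimum must be met."""
    return numerator >= MIN_NUMERATOR and denominator >= MIN_DENOMINATOR


def band_score(value, bands, lowest_band_score):
    """Return the score of the first band whose lower bound the value exceeds."""
    for lower_bound, score in bands:
        if value > lower_bound:
            return score
    return lowest_band_score


def score_table(events, time_period, population, geography="residence",
                age_range_years=None, **levels):
    """Return (total, per-variable breakdown) for one table specification.

    levels maps a CATEGORICAL variable to its level, e.g. sex="male_female".
    """
    if geography not in ("residence", "service"):
        raise ValueError("geography must be 'residence' or 'service'")
    bands, lowest = (RESIDENCE, 5) if geography == "residence" else (SERVICE, 1)
    parts = {
        "events": band_score(events, EVENTS, 7),
        "time": TIME[time_period],
        geography + " geography": band_score(population, bands, lowest),
    }
    if age_range_years is not None:
        parts["age range"] = band_score(age_range_years, AGE_RANGE, 7)
    for variable, level in levels.items():
        parts[variable] = CATEGORICAL[variable][level]

    extra = len(parts) - 3  # variables other than events, time and geography
    if extra == 0:
        parts["interaction"] = -5 if events >= 5 else -3 if events >= 3 else 0
    elif extra in INTERACTION:
        parts["interaction"] = INTERACTION[extra]
    else:
        raise ValueError("Figure 6 lists interaction scores for at most 3 extra variables")
    return sum(parts.values()), parts


if __name__ == "__main__":
    # Constructed sample: 8 events in one year, residence population 45,000,
    # broken out by 5-year age band and sex.
    print("Step 2 met:", meets_step2(8, 45_000))
    total, parts = score_table(8, "1 year", 45_000,
                               age_range_years=5, sex="male_female")
    print(total, parts)
```

The per-variable breakdown shows which dimension drives the total, which is the input the Step 4 masking choices need.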


Step 4: Statistical Masking

Reduce Table Dimensions

Reduce Granularity of Variable(s), aka Recoding or Aggregation

Cell Suppression and Complementary Cell Suppression

Methods discussed in the “Statistical Policy Working Paper 22 (Second version, 2005), Report on Statistical Disclosure Limitation Methodology”
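Why cell suppression needs complementary suppression, as an added Python example (not code from the slides or from Working Paper 22). Assumptions: row and column totals are published with the table, the Step 2 numerator minimum of 11 is reused as the suppression threshold, the table has at least two rows and two columns, and the greedy selection rule is a simplification chosen for illustration.

```python
# Added example: a suppressed cell can be recomputed by subtraction when it is
# the only hidden cell in a row or column whose total is published.
MIN_CELL = 11  # assumption: Step 2 numerator minimum reused as the threshold


def lines_of(table):
    """Every row and every column as a list of (row, col) positions."""
    rows, cols = len(table), len(table[0])
    return ([[(r, c) for c in range(cols)] for r in range(rows)] +
            [[(r, c) for r in range(rows)] for c in range(cols)])


def primary_suppress(table):
    """Cells whose own count is below the threshold."""
    return {(r, c) for r, row in enumerate(table)
            for c, value in enumerate(row) if value < MIN_CELL}


def recoverable(table, suppressed):
    """Suppressed cells a reader can recompute exactly from published totals.

    Recovery chains: once a cell is recomputed it counts as known, which can
    leave another row or column with a single hidden cell.
    """
    hidden, found = set(suppressed), set()
    progress = True
    while progress:
        progress = False
        for line in lines_of(table):
            still_hidden = [cell for cell in line if cell in hidden]
            if len(still_hidden) == 1:
                hidden.discard(still_hidden[0])
                found.add(still_hidden[0])
                progress = True
    return found


def complementary_suppress(table, suppressed):
    """Add cells until no row or column holds exactly one suppressed cell.

    Greedy rule (illustrative): in an exposed row or column, also hide the
    smallest cell still published. This blocks exact subtraction only; it does
    not bound how tightly a hidden value can be estimated.
    """
    suppressed = set(suppressed)
    while True:
        exposed = [line for line in lines_of(table)
                   if sum(cell in suppressed for cell in line) == 1]
        if not exposed:
            return suppressed
        candidates = [cell for cell in exposed[0] if cell not in suppressed]
        if not candidates:
            raise ValueError("a one-cell row or column cannot be protected")
        suppressed.add(min(candidates, key=lambda rc: table[rc[0]][rc[1]]))


# Constructed counts: rows are regions, columns are age groups.
TABLE = [[120, 4, 56],
         [80, 35, 42],
         [60, 27, 19]]

if __name__ == "__main__":
    primary = primary_suppress(TABLE)
    print("primary:", sorted(primary))
    print("recoverable after primary only:", sorted(recoverable(TABLE, primary)))
    final = complementary_suppress(TABLE, primary)
    print("after complementary:", sorted(final))
    print("recoverable now:", sorted(recoverable(TABLE, final)))
```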


Assess Potential Risk

Publication Scoring Criteria – Default Method

Alternative Methods (Section 6.3)

Ohio Department of Health published a Data Methodology Standards for Public Health Practice that performs data suppression when the table denominator value minus the table numerator value is less than 10

Washington State Department of Health published Guidelines for Working with Small Numbers that discusses the use of relative standard error (RSE) to assess reliability of data in addition to steps to take to protect confidentiality

Colorado Department of Public Health and Environment published Guidelines for Working with Small Numbers


Approval Processes – Section 7

Statistical Review to Assess De-identification (for HIPAA entities this may be an Expert Determination Review)

Legal Review

Departmental Release Procedures

Public Affairs

PRA Processes

Etc.


DDG Governance

Data Subcommittee with support from the Risk Management Subcommittee

Peer Review Team - include individuals with the following background and experience

Knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable

Knowledge of and experience with legal principles associated with data de-identification in compliance with California IPA and HIPAA


California Health and Human Services Agency Data Playbook

Each play contains data strategies, approaches and actions a Department may use to administer programs and address policy issues

1. Define: goals & objectives

2. Assess: tools & capabilities

3. Implement: plan & strategy

4. Evaluate: outcomes & impacts

5. Share: progress & results

https://chhsdata.github.io/dataplaybook/


California Health and Human Services Agency Data Playbook

Includes data and visualizations from 12 CHHS departments and offices

152k total users since Nov 2014

93k users in 2016; avg. ~8k/mo

233+ total datasets published

chhs.data.ca.gov

datanews.chhs.ca.gov


CHHS Open Data

Being used by CHHS programs, the press, data consumers, and the community

Convert PDF Reports to Open Data Tables

Drive Traffic and Expand Program Exposure

Source Data Stories

Create API-Driven Web Visualizations

Create API-Driven Web Apps

Match Identifiers and Link Datasets

Engage The Public with Code-A-Thon Events

Crowdsource Data Hygiene


DHCS on the Open Data Portal: Create API-Driven Web Visualizations

http://www.dhcs.ca.gov/dataandstats


For More Information

Open Data Handbook

https://chhsdata.github.io/opendatahandbook/

Data Playbook

https://chhsdata.github.io/dataplaybook/

CHHS Intranet (AIO page)

http://chhsa.ca.gov/activities/Pages/default.aspx

For more information, contact [email protected]


Page 1 March 17, 2017

Resources

De-Identification of Health Data: Law and Practice

1. The U.S. Department of Health and Human Services, Office for Civil Rights, hosts a comprehensive website regarding the HIPAA Privacy Rule that includes many useful guidance documents, tools and training materials regarding HIPAA privacy and security regulations. The website is at http://www.hhs.gov/ocr/privacy.

§ Materials focused on public health can be found here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/publichealth/index.html.

o See especially, “HIPAA Privacy Rule and Public Health, Guidance from CDC and the U.S. Department of Health and Human Services” at http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm.

o See also, FAQs regarding Public Health Uses and Disclosures at http://www.hhs.gov/hipaa/for-professionals/faq/public-health-uses-and-disclosures.

§ For “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” go to http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.

2. De-identification resources and tools:

§ National Institute of Standards and Technology (NIST) De-Identification Home Page at https://www.nist.gov/itl/iad/deidentificationnistgov. NIST resources include:

o NISTIR 8053, De-Identification of Personal Information (2015), available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf.

o DRAFT NIST Special Publication 800-188, De-Identifying Government Datasets (2016), available at http://csrc.nist.gov/publications/drafts/800-188/sp800_188_draft.pdf.

§ Hearing materials, “De-Identification and the Health Insurance Portability and Accountability Act (HIPAA),” Subcommittee on Privacy, Confidentiality & Security, National Committee on Vital and Health Statistics, May 24-25, 2016, available at http://www.ncvhs.hhs.gov/meeting-calendar/agenda-of-the-may-24-25-2016-ncvhs-subcommittee-on-privacy-confidentiality-security-hearing/. Report of hearing at http://www.ncvhs.hhs.gov/wp-content/uploads/2016/04/PCS-Report_June-15-mab.pdf.


§ Toolkit for Communities Using Health Data: How to collect, use, protect, and share data responsibly (May 2015), National Committee on Vital and Health Statistics (NCVHS), available at http://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/Toolkit-for-Communities.pdf. Section on de-Identification begins on page 39.

§ A Visual Guide to Practical De-Identification, produced by the Future of Privacy Forum, available at https://fpf.org/wp-content/uploads/2016/04/FPF_Visual-Guide-to-Practical-Data-DeID.pdf.

§ Public Health Data Dissemination Guidelines: NAHDO Working Technical Paper Series (July 2005), available at https://www.nahdo.org/sites/nahdo.org/files/Resources/Data_Release_Access_and_Pricing/PH%20Data%20Dissemination%20Guidelines-2005.pdf. (note: may need to copy and paste link into browser)

§ Guidance Document on Creating and Releasing Hospital and Facility Discharge Data Public Use Files (January 2012), available at https://www.nahdo.org/sites/nahdo.org/files/publications/PUF%20Guidance%20Doc%20Final.pdf. (note: may need to copy and paste link into browser)

§ De-Identification University, de-identification-related white papers, webinars and other materials developed by Privacy Analytics, a Canadian software company, available at http://www.privacy-analytics.com/de-id-university.

§ Rudolph B, Shah G, and Love D. "Small Numbers, Disclosure Risk, Security, and Reliability Issues in Web-based Data Query Systems." J. Public Health Management Practice, 2006, 12(2), 176-183. Abstract at http://journals.lww.com/jphmp/Abstract/2006/03000/Small_Numbers,_Disclosure_Risk,_Security,_and.10.aspx.

3. Sample policies and procedures for release of data that are available on-line:

§ California Open Data Handbook https://chhsdata.github.io/opendatahandbook/ and Data Playbook https://chhsdata.github.io/dataplaybook/.

§ New Hampshire Division of Public Health Services, Health Statistics and Data Management Section, Guidelines for the Public Release of Public Health Data (provisional), available at http://www.dhhs.nh.gov/dphs/hsdm/documents/publichealthdata.pdf.

§ Washington State Department of Health, Guidelines for Working with Small Numbers, available at http://www.doh.wa.gov/portals/1/documents/5500/smallnumbers.pdf.

4. Research resources and tools:

§ Office for Human Research Protections website http://www.hhs.gov/ohrp. See, for example, Guidance on Research Using Coded Private Information or Specimens (2008) available at http://www.hhs.gov/ohrp/regulations-and-policy/guidance/research-involving-coded-private-information.

§ Gliklich R, Dreyer N, Leavy M, eds. Registries for Evaluating Patient Outcomes: A User's Guide. Third edition. Two volumes. (Prepared by the Outcome DEcIDE Center [Outcome Sciences, Inc., a Quintiles company] under Contract No. 290 2005 00351 TO7.) AHRQ Publication No. 13(14)-EHC111. Rockville, MD: Agency for Healthcare Research and Quality. April 2014. Table of contents at http://www.ncbi.nlm.nih.gov/books/NBK208616. Especially see, Section II - Legal and Ethical Considerations for Registries and Section IV - Technical, Legal, and Analytic Considerations for Combining Registry Data With Other Data Sources.


5. Open Records / Freedom of Information Laws (FOI).

• OCR response to FAQ: How does the HIPAA Privacy Rule relate to state public records or freedom of information laws? Available at http://www.hhs.gov/hipaa/for-professionals/faq/506/how-does-the-hipaa-rule-relate-to-freedom-of-information-laws/index.html.

• The HIPAA Privacy Rule Preamble in the Federal Register, Vol. 64, No. 250 (Dec. 28, 2000), discusses how the HIPAA Privacy Rule relates to the federal Freedom of Information Act and various other federal laws. Available at https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf. (See pages 82481-82487).

• The Reporters Committee for Freedom of the Press provides links to open records laws for the federal government and all states and tools to compare FOI laws at http://www.rcfp.org/browse-legal-resources/guides. Especially see, Open Government Guide (6th Edition, 2011), a state-by-state guide to open meetings and open records laws, available at http://www.rcfp.org/open-government-guide.

• The National Freedom of Information Coalition provides materials on federal and state open records laws. http://www.nfoic.org/.

• U.S. Freedom of Information Act

o The U.S. Department of Justice provides extensive materials regarding the federal FOIA, including the DOJ Guide to the FOIA, court opinions, and training materials. Available at https://www.justice.gov/oip/foia-resources.

o Information on each federal agency’s FOIA activities, available at www.foia.gov.

• State Open Records/ Freedom of Information laws. Most state Attorneys General websites provide materials on that state’s FOI law. State Privacy offices may also provide materials concerning the intersection of its state’s FOI law and privacy laws. See, for example, the materials on the West Virginia State Privacy Office’s website at http://www.privacy.wv.gov/FOIAPRIVACY/Pages/default.aspx.

6. Guidance on the release of information concerning deaths, epidemics or emerging diseases was developed by the Association of State and Territorial Health Officials (ASTHO), the National Association of County and City Health Officials (NACCHO) and the Association of Health Care Journalists (AHCJ) to address the balance between informing the public and protecting privacy. This guidance is at http://www.healthjournalism.org/secondarypage-details.php?id=965.

7. The Network for Public Health Law’s health information and data sharing resources are at https://www.networkforphl.org/topics__resources/topics__resources/health_information_and_data_sharing/.

§ A checklist to assist public health practitioners in providing relevant factual information to resolve questions about proposed data collection, access and sharing can be downloaded from https://www.networkforphl.org/resources_collection/2014/01/07/400/tool_checklist_of_information_needed_to_address_proposed_data_collection_access_and_sharing.


SUPPORTERS

The Network for Public Health Law is a national initiative of the Robert Wood Johnson Foundation with direction and technical assistance by the Public Health Law Center at Mitchell | Hamline School of Law.

This resource list was compiled by Denise Chrysler, JD, Director, with the Network for Public Health Law – Mid-States Region at the University of Michigan School of Public Health. The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, please consult specific legal counsel.


Page 1 September 15, 2016

De-Identification – Summary of Relevant Case Law

Table of Cases

De-Identification: Guidance from the Courts

Confidentiality of individual health data is protected by federal and state privacy laws. These laws generally prohibit disclosure of directly identifiable health information, as well as information which could be used, alone or in combination with other reasonably available data, to identify an individual. Conversely, generally, these laws do not cover de-identified information and permit such information to be freely disclosed. However, laws vary in defining whether data are deemed to be de-identified; or whether the risk of re-identification is sufficiently small to allow disclosure.1 Several courts have had occasion to analyze issues relating to de-identification of data, often in the context of freedom of information law requests or discovery disputes. The table below describes a number of these cases in which courts have discussed de-identification and/or evaluated risk of re-identification in some level of depth. Depending on the law, de-identification may require removal of certain data elements and/or a case-by-case determination of the risk of re-identification. Note that this table is not exhaustive, but may provide useful guidance for reference by public health practitioners and their attorneys.

1 For examples, see De-Identification – Summary of Selected Federal Statutes Table, developed by the Network for Public Health Law – Mid-States Region (September 15, 2016).


Page 2 Last Updated Aug. 22, 2016

Federal Jurisdiction

Case Name: Pac. Radiation Oncology, LLC v. Queen’s Med. Ctr.
Date: 2015
Court: D. Haw.
Citation: 2015 U.S. Dist. LEXIS 12869
Observations on De-Identification:

This dispute between physicians / physician organizations (Plaintiffs) and Defendant medical center arises from Defendant’s termination of Plaintiffs’ clinical privileges due to Plaintiffs allegedly diverting patients with cancer to competing medical facilities. In discovery, Defendant medical center sought disclosure of histories and physicals for a designated list of patients that Plaintiffs saw at the medical center but then sent to a different center for radiation therapy. Defendant’s counsel filed the patient list, containing patient name, patient number, and name of physician, without redaction as an exhibit to a subpoena. A number of the patients whose medical records were requested intervened (“the Patient Intervenors”), objecting to disclosure of their records even in de-identified form. The Patient Intervenors claimed that in addition to the improper public disclosure of the list of patient names, Defendants had also improperly used and disclosed portions of their medical records contained in Defendant’s own medical record system; accordingly, the Patient Intervenors asserted that subsequent de-identification of patient histories and physicals would be impossible. While “in no way condon[ing] the unnecessary disclosure of the list,” the Court found that de-identification of patient histories and physicals was not rendered impossible by the prior disclosure of patient names, numbers, and physicians, because the disclosed list did not include the type of cancer for each patient nor the area where he or she lives. Accordingly, the Court concluded that “even a person who has seen the List would not be able to narrow down the patient’s identity to one of a few people” based on the patient’s history and physical scrubbed of personal identifiers such as name, patient number, and address. 
The Court further determined that while it was not possible to de-identify patient records for review by Defendant’s representatives who had already reviewed identifiable records, de-identification was possible for review by a different representative of Defendant. The Court ultimately reserved ruling on this discovery issue in order to certify a related question to the Hawaii Supreme Court regarding application of the Hawaii Constitution. The Hawaii Supreme Court concluded that release of even de-identified information would violate the Constitution. Specifically, the Court found that “to allow an individual’s medical information, even if de-identified, to be used in litigation to which that individual is not a party, would reach beyond what the Hawaii Constitution permits in the absence of a showing of a compelling state interest.” Pac. Radiation Oncology LLC v. Queen’s Med. Ctr., 2016 Haw. LEXIS 139 (2016 Haw., June 13, 2016). At the time this document was prepared, a final order by the District Court of Hawaii was not available.

Case Name: Baser v. Dept. of Veterans Affairs
Date: 2014
Court: E.D. Mich.
Citation: 2014 U.S. Dist. LEXIS 137602
Observations on De-Identification:

Plaintiff sought disclosure under FOIA of datasets from patient files that included “patient-level information such as age, gender, race, marital status, means tested income status, homeless status, prisoner of war status, geographic information (including patient’s, treatment facility and providers’ zip code and state), and up to 64 other distinguishing data elements,” but excluded name, address, and identifying patient numbers. The VA refused to release the full datasets requested, explaining that they would lead to a risk of re-identification of patients and were therefore exempted from disclosure under Exemption 3 (information that is prohibited from disclosure by another federal law) and Exemption 6 (information that, if disclosed, would invade another individual's personal privacy). 5 U.S.C. § 552(b)(3) and (6). The VA agreed to release certain redacted and otherwise limited datasets, but Plaintiff claimed the data as provided were not useful to his medical research. Both parties sought summary judgment. The parties submitted conflicting expert testimony. The VA’s experts claimed that the data elements requested, if linked with other publicly available or commercial data files, could be used to re-identify patients. The VA further claimed that the risk of re-identification would remain even if the HIPAA Safe Harbor guidance found at 45 C.F.R. § 164.514(b)(2) was applied. In contrast, Plaintiff’s experts claimed that the risk of re-identification was minimal given the data requested, the cost, the difficulty to a lay person to understand the data, and the amount of specific knowledge required about a person to make an attempt at re-identification. Plaintiff further argued that “HIPAA is not a standard that governs in the FOIA context”; that the VA should not have used both HIPAA de-identification methods (i.e. both the HIPAA safe harbor method and expert determination method); and that the public interest supports disclosure. 
Without significant analysis of the parties’ opposing arguments, the Court denied the VA’s motion and struck Plaintiff’s cross-motion due to a violation of Court rules (though noting that it would have denied Plaintiff’s cross-motion as well), finding a genuine issue of material fact as to “whether the VA can balance the patient’s right to privacy against the public’s interest in disclosure of the information.” The Court emphasized that the parties’ “experts do not agree that the patient’s information cannot be re-identified.”

Case Name: Steinberg v. CVS Caremark Corp.
Date: 2012
Court: E.D. Pa.
Citation: 899 F.Supp.2d 331
Observations on De-Identification:

Plaintiff prescription drug purchasers filed suit against Defendant retail pharmacies and pharmacy benefits manager based on Defendants’ alleged sale to third parties of information provided by patients when having prescriptions filled. Among other claims, Plaintiffs alleged that Defendants publicly represented that they maintained confidentiality of consumers’ prescription information, but in fact packaged and sold consumer data to third parties. Defendants moved to dismiss Plaintiffs’ complaint for failure to state a claim. At oral argument, Plaintiffs acknowledged that information sold by Defendants was de-identified: it included medical history, prescription drugs given, dates of prescriptions, diagnoses, and physician names, but did not contain patient names, birth dates, or Social Security numbers. However, Plaintiffs claimed that there was a risk of re-identification, directing the Court to an academic journal article discussing re-identification risks. Plaintiffs did not apply the theory to the case, but indicated that their re-identification argument “would take the form of expert testimony that a re-identification risk exists with respect to de-identified information generally, not as to the plaintiffs in this case.” In addition to being untimely, the Court found Plaintiffs’ lack of specificity insufficient to state a plausible claim for relief and dismissed the complaint with prejudice.

State Jurisdiction

Cuyahoga Cnty Bd. of Health v. Lipson O’Shea Legal Group

2016 Ohio Supreme Court

145 Ohio St. 3d 446

Defendant law firm requested from the Cuyahoga County Board of Health (BOH) “documentation or information of all homes … where a minor child was found to have elevated blood lead levels in excess of 10 [mg/dl].” The BOH concluded it could not disclose the requested records because they contained protected health information (PHI) under Ohio law and sought a declaratory judgment confirming its position. The Supreme Court agreed, distinguishing its conclusion from that in State ex rel. Cincinnati Enquirer v. Daniels (described below) because in this case, the public records request itself was linked to a specific blood lead level and therefore “inextricably linked” to PHI. The Court found it “undeniable that the address of a home where a child has an elevated blood lead level can be used to identify the afflicted child.” Accordingly, “[e]ven if it were possible to comply with the request by redacting protected health information, the release of merely the address of a house in response to the public-records request at issue means that a child at the house had ‘elevated blood lead levels in excess of 10 [mg/dl],’ which is protected health information.” On remand, the Court ordered the trial court to review the records to determine whether any portion of them could be released following redaction of PHI.

State ex rel. Cincinnati Enquirer v. Daniels

2006 Ohio Supreme Court

108 Ohio St.3d 518

A Cincinnati newspaper requested lead-risk-assessment reports and lead-citation notices from the Cincinnati Health Department (“the Department”). The notices had been issued by the Department to property owners of residences inhabited by children whose blood tests indicated elevated levels of lead. The Department refused to release the requested records because they referred to blood test results for children living at particular addresses; thus, the Department concluded the records contained protected health information. The Court disagreed and ordered release of the records to the newspaper, explaining that the records were not protected health information under HIPAA because they included only “a mere nondescript reference to ‘a’ child with ‘an’ elevated lead level” and did not include other identifying information, such as name, age, birth date, social security number, telephone number, family information, or photograph, nor did they include specific medical information. The Court applied the same conclusion to both single family and multi-family residences, concluding “the single sentence” indicating the presence of a child with an elevated blood lead level did not constitute a reasonable basis for believing the information could be traced to an individual. The Court went on to note that even if the records contained protected health information, the Department would be required to release them anyway since the disclosure was required by state law and permitted under the “required by law” exception to HIPAA, located at 45 C.F.R. § 164.512(a)(1).

Southern Illinoisan v. Dept. of Public Health

2006 Supreme Court of Illinois

218 Ill.2d 390

The Illinois Department of Public Health (DPH) denied Plaintiff newspaper’s FOIA request, in which the newspaper sought disclosure of Cancer Registry information relating to incidence of neuroblastoma, including type of cancer, date of diagnosis, and patient’s zip code, to determine whether the cancer occurred in clusters. The DPH claimed the disclosure was prohibited by the Illinois Health and Hazardous Substances Registry Act (the Registry Act) since the information requested “tends to lead to the identity” of individuals. The DPH offered the testimony of an expert in data anonymity as evidence that the information requested, combined with other publicly available information, could be used to identify individuals. The Supreme Court rejected this argument, noting that although the equipment and data sets used by the expert were readily available to the public, the six-step methodology she employed to re-identify the data was “unique to her education, training and experience, and not easily duplicated by the general public.” The Court concluded that “information ‘tends to lead to the identity’ of Registry patients only if that information can be used by the general public to make those identifications.” The Court further noted that the word “tend” allows for flexibility and case-by-case determinations regarding release of data, but emphasized that the burden of proof was on the DPH to justify non-disclosure.

Williams Law Firm v. Bd. of Sup. of La. State Univ.

2004 First Circuit Court of Appeal of Louisiana

878 So.2d 557

Plaintiff law firm requested records from the Louisiana Tumor Registry (LTR), a state central cancer registry administered by Defendant university. Plaintiff requested raw numerical data reflecting incidence of adult and pediatric cancers by parish and by year for a specified time frame (zip code was requested as well but since data by zip code was not retrievable by the LTR, the Court dismissed this request). The LTR refused to disclose any results revealing an incidence of zero or one of a type of cancer. The LTR claimed this information was case specific data since it pertained to one specific case and was therefore protected from disclosure by the Tumor Registry Law. Plaintiff disagreed, claiming that revealing zeros and ones “would only be case specific if there were only one person in the parish,” which is never the case. The Court agreed with Plaintiff and ordered disclosure of zeros and ones, explaining that zeros and ones in this case are not case-specific data, but rather expressions of group level data. Thus, without other identifiable characteristics, the zeros and ones did not tend to reveal the identities of individuals and did not compromise individual privacy. The Court further noted that omitting zeros and ones was substantively significant in this case since the omission could have the effect of concealing incidences of rare cancer.

Hassig v. New York State Dept. of Health

2002 Appellate Division of the Supreme Court of New York, Third Dept.

742 N.Y.S.2d 442

A grassroots organization seeking to develop a county-based cancer prevention program requested records from the State Cancer Registry disclosing “site specific cancer diagnoses and deaths” for a specified time frame for the county, including data for all age groups but excluding instances where there were two or fewer cancer site specific records for a particular year and zip code. The Department of Health (DOH) denied the request, citing New York state law and 42 U.S.C. § 280e (governing the National Program of Cancer Registries), which prohibit disclosure of identifying information. The DOH explained that the information sought, in combination with other readily available information such as personal knowledge of individuals in the community, could lead to disclosure of identifying information. In particular, the DOH noted that several children would be easily identified because they had a “unique combination of age group, gender, year of diagnosis and ZIP code.” The Court ruled in favor of the DOH because it “articulated a particularized and specific justification for denying access to the records in question—namely, that such records, when combined with other readily available information, including community knowledge, could identify or lead to the identification of individual cancer patients.”

Marine Shale Processors Inc. v. State, Through Dept. of Health & Hosp.

1990 First Circuit Court of Appeal of Louisiana

572 So.2d 280

Plaintiff corporation sought preservation of records associated with an investigative public health study regarding five cases of neuroblastoma conducted for the Department of Health and Hospitals (DHH). The corporation sought to preserve these records for use as evidence in pending and anticipated tort litigation alleging a connection between the corporation’s activities at a nearby plant and the occurrence of neuroblastoma. The study had been prompted by public concern and involved a questionnaire administered to the parents of the five children diagnosed with neuroblastoma as well as the parents of thirty-two control group children. The questionnaire included questions about prenatal activities of the parents (e.g. use of alcohol, illegal drugs, contraception), prior pregnancies, family medical histories, and family income, among other things. DHH argued that the requested records were exempted from disclosure under the Public Records Act since they would “tend to reveal the identity” of a subject of a public health disease investigation. The Court agreed, explaining that “the specificity of the questions coupled with the small number of cases and the fact that the identity of all five was known, compels the conclusion” that the case abstracts and questionnaires must be excluded in their entirety. The Court observed that every element of data in the questionnaires and abstracts – including date of diagnosis, age at diagnosis, sex, race, religion, family medical histories, diagnostic information, treatment, and vital status – would tend to reveal to which of the five cases they applied. The Court further prohibited disclosure of handwritten notes containing ratios that compared the case members to those in the control group, as well as any other records referencing the protected case abstracts and questionnaires.


Page 7 Last Updated Aug. 22, 2016

SUPPORTERS

The Network for Public Health Law is a national initiative of the Robert Wood Johnson Foundation with direction and technical assistance by the Public Health Law Center at Mitchell | Hamline School of Law.

This document was developed by Colleen Healy, JD, Staff Attorney with the Network for Public Health Law – Mid-States Region at the University of Michigan School of Public Health, in collaboration with Sallie Milam, J.D., CIPP/US/G, Chief Privacy Officer of the West Virginia Health Care Authority, and Denise Chrysler, JD, Director of the Network for Public Health Law – Mid-States Region. The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, please consult specific legal counsel.


Page 1 September 15, 2016

De-Identification – Summary of Selected Federal Statutes

Table of Statutes

De-Identification: As Described by Federal Statutes

Most laws either do not apply to de-identified information or permit disclosure of de-identified information. While de-identified information can usually be freely disclosed, how laws define whether information is sufficiently de-identified varies. This table sets out legal provisions that apply to disclosure of de-identified information under selected federal laws and provides definitions, criteria or standards that are relevant to determinations of whether information is de-identified. This table does not cover exceptions under the various laws that might allow disclosure of identifiable information for specific purposes, such as public health activities or research. Some of these laws are not explicit in stating that de-identified information might be disclosed. At the same time, they may not explicitly prohibit disclosure of de-identified information.

If a request for information is filed under the federal Freedom of Information Act (FOIA), 5 U.S.C. § 552, privacy provisions must be read in conjunction with FOIA’s mandate that information must be provided, unless an exemption applies, and the government bears the burden of demonstrating that an exemption prohibits disclosure. With regard to health information, two exemptions might apply:

Exemption 3 – Information that is specifically exempted from disclosure by another federal statute. The statute must (i) require that the matter be withheld from the public in such a manner as to leave no discretion on the issue; or (ii) establish particular criteria for withholding or refer to particular types of matters to be withheld; and if enacted after the date of enactment of the OPEN FOIA Act of 2009, must specifically cite to the paragraph that contains this exemption. 5 U.S.C. § 552(b)(3).

Exemption 6 – Personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. 5 U.S.C. § 552(b)(6).

The FOIA Improvement Act of 2016 reinforced the presumption of disclosure by adding that an agency shall withhold information under an exemption only if: (i)(I) the agency reasonably foresees that disclosure would harm an interest protected by the exemption; or (II) disclosure is prohibited by law; and shall (ii)(I) consider whether partial disclosure of information is possible whenever the agency determines that a full disclosure of a requested record is not possible; and (II) take reasonable steps necessary to segregate and release nonexempt information. 5 U.S.C. § 552(b)(8). This provision, however, does not require disclosure of any information that is prohibited from disclosure or exempted from disclosure by another federal statute. (Id.)

Law | Provision(s) that allow disclosure of de-identified information | Criteria or standard for determining whether information is identifiable

Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, implemented by the HIPAA Privacy Rule, 45 CFR Part 160 and Part 164.

The HIPAA Privacy Rule applies to “protected health information” or “PHI.” The Privacy Rule does not apply to health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. 45 CFR § 160.103, 45 CFR § 164.500.

Information may be de-identified by removing 18 identifiers specified in the Rule, provided that the covered entity does not have actual knowledge that the remaining information can be used alone or in combination with other reasonably available information to identify a subject (safe harbor de-identification). These identifiers include personal identifiers (such as name, address, telephone number, birth date, social security number) and non-personal identifiers (such as geographic information smaller than a state and dates directly associated with an individual). Alternatively, a covered entity may rely on a determination by a properly qualified statistician using accepted analytic techniques who determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information (statistical de-identification). 45 CFR § 164.514.

Family Educational Rights and Privacy Act (FERPA), 20 U.S. Code § 1232g, implemented by 34 CFR Part 99.

FERPA prohibits a school from disclosing “personally identifiable information” from students’ education records without the consent of a parent or eligible student, unless an exception to FERPA’s general consent rule applies. 34 CFR § 99.30.

Information is de-identified if, after removal of all personally identifiable information, the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information. 34 CFR § 99.31.

Protection of Human Research Subjects (Common Rule), 45 CFR part 46, subpart A.

The Common Rule applies when an investigator conducting research obtains identifiable “private information” of a living individual (human subject) for use, study, or analysis. Private information must be “individually identifiable” for the Common Rule to apply. 45 CFR § 46.102(f).

Private information is individually identifiable when the identity of the subject is or may readily be ascertained by the investigator or associated with the information. 45 CFR § 46.102(f). (Note: In its application of the law, the Office for Human Research Protections (OHRP) considers private information or specimens not to be individually identifiable when they cannot be linked to specific individuals by the investigator either directly or indirectly through coding systems. Examples of identifiers would include names, social security numbers, medical record numbers, or pathology accession numbers, or any other “code” that permits specimens or data to be linked to individually identifiable living individuals and perhaps also to associated medical information. https://humansubjects.nih.gov/from-applicants (may need to copy and paste link in browser).)


VA Claims Confidentiality Statute, 38 U.S.C. § 5701, implemented by 38 CFR §§ 1.500-1.527.

The VA Claims Confidentiality Statute protects all files, records, reports, and other papers and documents maintained by the Department of Veterans Affairs pertaining to any claim under a VA program and the names and addresses of present or former members of the Armed Forces, and their dependents. These documents are confidential and privileged. Disclosure is prohibited except as provided by the statute. The Secretary may release information, statistics, or reports to individuals or organizations when in the Secretary’s judgment such release would serve a useful purpose. 38 U.S.C. § 5701(e).

The law does not define or describe de-identification directly.

Confidentiality of medical quality-assurance records [maintained by the Department of Veterans Affairs], 38 U.S.C. § 5705, implemented by 38 CFR §§ 17.500-17.511.

This law states that records and documents created by the Department as part of a medical quality-assurance program are confidential and privileged and may not be disclosed to any person or entity unless an exception applies. It also provides that for the purposes of a medical quality-assurance program, the name and other identifying information of any patient, employee or associated individual of the Department shall be deleted before any disclosure if disclosure would constitute a clearly unwarranted invasion of personal privacy. 38 U.S.C. § 5705(b)(1). Finally, the law states that nothing in the law should be construed as authorizing or requiring withholding from any person or entity the disclosure of statistical information regarding the VHA’s health-care programs that does not implicitly or explicitly identify any patient, employee or associated individual of the VHA who participated in the conduct of a medical quality-assurance review. 38 U.S.C. § 5705(b)(6).

Information must be removed that implicitly or explicitly identifies a patient, employee or associated individual of the VHA who participated in the conduct of a medical quality-assurance review. 38 U.S.C. § 5705(b)(6).

Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Human Immunodeficiency Virus (HIV) Infection, and Sickle Cell Anemia Medical Records [regarding veterans affairs], 38 U.S.C. § 7332, implemented by 38 CFR §§ 1.460-1.496.

This law protects veterans administration records with regard to the identity, diagnosis, prognosis, or treatment of any patient or subject in connection with the performance of any program or activity (including education, training, treatment, rehabilitation, or research) relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus, or sickle cell anemia. The law prohibits the disclosure of patient information, except as permitted, and limits permitted disclosures to information that is necessary to carry out the purpose of the disclosure. 38 CFR § 1.462(a). The term “disclose” or “disclosure” means a communication of patient identifying information, the affirmative verification of another person's communication of patient identifying information, or the communication of any information from the record of a patient who has been identified. 38 CFR § 1.460.

“Patient identifying information” is defined as “the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a treatment program, if that number does not consist of, or contain numbers (such as social security, or driver's license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the treatment program.” 38 CFR § 1.460.

Federal Privacy Act, 5 U.S.C. § 552a.

The Federal Privacy Act establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. The Act protects a “record” of a U.S. citizen or alien lawfully admitted for permanent residence. A “record” includes any item, collection, or grouping of information about an individual that is maintained by a federal agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. 5 U.S.C. § 552a(a)(4).

The law does not define or describe de-identification directly, but suggests that a record is de-identified by removing all “identifying particulars.” 5 U.S.C. § 552a(a)(4).

42 CFR Part 2 Implements Public Health Service Act, 42 U.S.C. § 290dd-3 and 42 U.S.C. § 290ee-3.

This law restricts the disclosure of alcohol and drug abuse patient records that are maintained in connection with the performance of any federally assisted alcohol and drug abuse program. 42 CFR § 2.1, 42 CFR § 2.2. “Record” means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program. 42 CFR § 2.11. This law applies to disclosure of information that would identify a patient as an alcohol or drug abuser either directly, by reference to other publicly available information, or through verification of such an identification by another person. 42 CFR § 2.12. It defines “disclose” or “disclosure” as “a communication of patient indentifying [sic] information, the affirmative verification of another person's communication of patient identifying information, or the communication of any information from the record of a patient who has been identified.” 42 CFR § 2.11.

“Patient identifying information” is defined as the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a program, if that number does not consist of, or contain numbers (such as a social security, or driver's license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the program. 42 CFR § 2.11.

Federal Assurance of Confidentiality, Section 308(d) of the Public Health Service Act, 42 U.S.C. § 242m.

This law prohibits use, release, and publication of information if an establishment or person supplying the information or described in it is identifiable. It applies to information obtained in the course of certain health statistical, epidemiological, or other activities undertaken or supported under the Public Health Service Act.

The law does not define or describe de-identification directly.

SUPPORTERS

The Network for Public Health Law is a national initiative of the Robert Wood Johnson Foundation with direction and technical assistance by the Public Health Law Center at Mitchell | Hamline School of Law.

This document was developed by Denise Chrysler, JD, Director, and Jennifer Bernstein, JD, MPH, Deputy Director, with the Network for Public Health Law – Mid-States Region at the University of Michigan School of Public Health. The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, please consult specific legal counsel.