HITRUST Working Group to Propose Standards for De-Identification of Protected Health Information

<0> Healthcare industry struggles to effectively de-identify data needed to support research and quality of care </0>

HITRUST Working Group to Propose Standards for De-Identification of Protected Health Information

HITRUSTMary Hall, 972-330-4919

The Health Information Trust Alliance (HITRUST) has formed the HITRUST De-Identification Working Group to propose standards for health data de-identification and the appropriate use and handling of de-identified data as defined by the HIPAA Privacy Rule. The working group will also suggest qualifications for the professionals who can certify de-identification methods and de-identified data sets.

HITRUST formed the working group to address specific issues relating to the advancement of important healthcare policy goals. These issues include helping to address physicians’ and patients’ concerns for privacy, and the need to create standards for defining acceptable processes for de-identifying health information and using and managing de-identified data. The lack of such standards has led to inconsistent certification of de-identified health data sets; variances in contracting and use criteria; and widespread uncertainty about use and management of de-identified data.

HITRUST believes that clear guidelines about de-identification processes and measures taken to ensure patient privacy will help increase confidence in de-identification and facilitate the ability of healthcare organizations to undertake the important analysis de-identification of health information enables, ultimately advancing the critical goals of better care for more people at lower cost.

“De-identification is a useful tool in protecting individual patient privacy, while enhancing innovation and the improved use of healthcare data,” said Daniel Nutkis, chief executive officer, HITRUST. “However, without standards and controls for de-identification and the use of de-identified data, the industry as a whole will remain unable to expand the use of healthcare data and advance the quality of patient care without substantial re-identification risks. HITRUST believes a standard process and approach to de-identification can significantly improve the current state and lead to improved health information protection as well as increased use of de-identified data to help improve the healthcare system.”

The intent of the HITRUST De-Identification Working Group is to establish a uniform and practical approach to data de-identification that balances the risks and benefits of using the data, while taking into account the advancement of healthcare innovation, increased access to healthcare, and the protection of individual patient privacy.

The working group has participation from leading healthcare organizations, including IMS Health, Merck, Optum and WellPoint. The group will make recommendations for minimum qualifications for industry professionals who can certify the standards and the methodologies used to de-identify health data (using the statistical method of de-identification) and for properly managing any risk of re-identification. The working group will also review and propose changes to relevant HITRUST Common Security Framework (CSF) controls to ensure consistency with these recommendations and to promote the safe and secure handling of de-identified data.

“The working group members believe it is of critical importance to the industry that we provide standards around the statistical and scientific methodologies used to arrive at the definition of ‘de-identified’ and protections in the form of safeguards for de-identified data,” said Kimberly Gray, chief privacy officer, IMS Health, and chair of the HITRUST De-Identification Working Group. “Standards used to define qualifications for experts that evaluate these methodologies and protections will also help the industry move forward.”

The first guidance from the working group will be available in the third quarter of 2012 and will define multiple levels of de-identification and recommend specific use cases for data in each tier. Further guidance will be available in the fourth quarter of 2012 and on through 2013, and will include criteria for assessing the risk of re-identification, evaluating de-identification methodologies, and certifying the expertise of professionals assessing these methodologies, as well as recommendations for relevant changes to HITRUST CSF control requirements. The working group will solicit input on the deliverables from recognized leaders in data de-identification and make available for public comment any proposed changes to the CSF.

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit .

All product and company names herein may be trademarks of their respective owners.