Privacy Matters
Privacy Hub's monthly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary
What IS (and isn't) an Expert Determination anyway?
Experts Expound
Bobby Samuels, General Manager of Privacy Hub,
offers an introduction to what constitutes an Expert Determination, elaborating on common misconceptions about these HIPAA de-identification risk assessments.
The linkage and utilization of health data can lead to a range of insights that benefit patients, from understanding quality and cost of care to enabling research for the purpose of improving treatments. Data linkage also presents challenges, and chief among them is the protection of patient privacy.
The US Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule delineates two methods through which de-identification can be achieved: Safe Harbor and Expert Determination. Safe Harbor requires the removal of eighteen specified categories of identifier, among them names, geographic subdivisions smaller than a state (a ZIP code may keep only its first three digits, and only where the area with that prefix has more than 20,000 residents), all elements of dates other than the year (birth, admission, discharge and service dates, plus any age over 89), and contact, account and device identifiers; it also requires that the covered entity have no actual knowledge that the remaining information could identify an individual. While useful in some circumstances, the Safe Harbor method has been criticized for the extent to which these restrictions reduce data utility.
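To make the Safe Harbor rules for three of the eighteen categories concrete, here is an added example (not code from the newsletter or from Privacy Hub) that generalizes ZIP codes, dates and ages the way the rule prescribes. The flat record layout, the field names and the sample patient are assumptions constructed for the example; the restricted ZIP prefix set is the one HHS listed in its 2012 guidance from 2000 Census figures and must be refreshed from current census data before use.

```python
"""Safe Harbor treatment of three of the eighteen identifier categories:
geographic data (ZIP codes), dates, and ages. Added example, not from the
newsletter; the flat record layout and field names are assumptions."""
from datetime import date

# Three-digit ZIP prefixes whose combined area held 20,000 or fewer people in
# the 2000 Census, as listed in HHS's 2012 de-identification guidance. Safe
# Harbor requires these to become "000". Refresh from current census data
# before relying on this set.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor_zip(zip_code):
    """Keep only the first three digits, or "000" for sparsely populated areas."""
    z = (zip_code or "").strip()[:5]
    if len(z) != 5 or not z.isdigit():
        return None  # malformed input: suppress rather than guess
    prefix = z[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_year(iso_date):
    """All elements of a date except the year are removed."""
    return date.fromisoformat(iso_date).year


def safe_harbor_age(dob_iso, as_of_iso):
    """Ages over 89 collapse into a single "90+" category."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def safe_harbor_record(rec, as_of_iso):
    """Return the Safe Harbor view of one patient record.

    Direct identifiers (name, MRN, ...) are dropped by not being copied.
    When the age exceeds 89 the birth year is suppressed too, because the
    rule removes every date element, year included, that would reveal such
    an age."""
    age = safe_harbor_age(rec["dob"], as_of_iso)
    return {
        "birth_year": None if age == "90+" else safe_harbor_year(rec["dob"]),
        "age": age,
        "zip3": safe_harbor_zip(rec["zip"]),
        "admit_year": safe_harbor_year(rec["admit_date"]),
        "diagnosis": rec["diagnosis"],  # not an identifier category; retained
    }


# Constructed sample record (not real data).
SAMPLE = {"name": "A. Patient", "mrn": "00012345", "dob": "1931-04-12",
          "zip": "03601", "admit_date": "2023-02-15", "diagnosis": "E11.9"}

if __name__ == "__main__":
    print(safe_harbor_record(SAMPLE, "2023-05-01"))
```

The sample exercises the two edge cases practitioners most often get wrong: a ZIP in a restricted prefix becomes "000" rather than "036", and a 92-year-old loses the birth year as well as the birth date. The other fifteen categories (names, contact details, account and device numbers, and so on) are handled here simply by not copying them into the output.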
The Expert Determination method is a more flexible, dataset-specific approach and is widely used for research that Safe Harbor's restrictions would hamper. A qualified expert, meaning a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, assesses the risk that an anticipated recipient could identify an individual from the data, alone or in combination with other reasonably available information, and must conclude that this risk is very small. The expert documents the methods and results of that analysis in a report listing the data transformations that must be applied and the other conditions (for example, contractual limits on what the recipient may do with the data) that must be met before the dataset satisfies HIPAA’s de-identification standard and is ready for use.
It is also important to consider what an Expert Determination isn’t:
- It is not a permanent certification that ensures blanket compliance as circumstances change in the future.
- It is not an isolated approval that takes place after the variables required for analysis have already been locked in; on the contrary, Expert Determination, and privacy more broadly, should be incorporated into the design of a data flow.
- It is not proof that all required data operations have already been correctly implemented. Its mandatory operations and conditions must be fulfilled on an ongoing basis.
- “Expert Determination” is a term of art under HIPAA (again, a US federal law), but other definitions of de-identification and related terms apply under US state laws and non-US laws. Special consideration is needed in these areas to ensure data is de-identified under all applicable standards.
Another common misconception about Expert Determinations is the idea that if two datasets that have been individually de-identified are linked together, that will automatically yield a de-identified output dataset. To the contrary, in these cases, another assessment is needed to render the newly combined dataset de-identified. This is because the variables in the individual de-identified datasets may not collectively have sufficiently low re-identification risk when used in combination.
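The linkage problem above is easy to see numerically. The following is an added example (not code from the newsletter or from Privacy Hub) that measures re-identification risk by equivalence-class size over the quasi-identifiers: the smallest class size k and the share of records that are unique. Two constructed extracts, a claims file and a lab file, each look acceptable on their own quasi-identifiers, but joining them on the pseudonymous patient token they share makes every record unique. The record layout, the `token` column and the sample rows are assumptions.

```python
"""Re-identification risk before and after linkage, measured by equivalence
class size (k-anonymity) over quasi-identifiers (QIs). Added example with
constructed data; layout and the shared `token` column are assumptions."""
from collections import Counter

# Constructed sample: two extracts that were each assessed on their own QIs.
CLAIMS = [
    {"token": "t1", "birth_year": 1980, "sex": "F"},
    {"token": "t2", "birth_year": 1980, "sex": "F"},
    {"token": "t3", "birth_year": 1980, "sex": "M"},
    {"token": "t4", "birth_year": 1980, "sex": "M"},
    {"token": "t5", "birth_year": 1975, "sex": "F"},
    {"token": "t6", "birth_year": 1975, "sex": "F"},
]
LABS = [
    {"token": "t1", "zip3": "100", "result": "HbA1c 7.2"},
    {"token": "t2", "zip3": "101", "result": "HbA1c 5.4"},
    {"token": "t3", "zip3": "100", "result": "HbA1c 6.1"},
    {"token": "t4", "zip3": "101", "result": "HbA1c 8.0"},
    {"token": "t5", "zip3": "100", "result": "HbA1c 5.9"},
    {"token": "t6", "zip3": "101", "result": "HbA1c 6.6"},
]
CLAIMS_QIS = ("birth_year", "sex")
LABS_QIS = ("zip3",)  # "result" is a sensitive attribute, not a QI


def equivalence_classes(records, qis):
    """Count how many records share each combination of QI values."""
    return Counter(tuple(r[q] for q in qis) for r in records)


def min_k(records, qis):
    """Smallest class size; the dataset is k-anonymous for this k."""
    return min(equivalence_classes(records, qis).values())


def unique_fraction(records, qis):
    """Share of records that are alone in their class (k == 1)."""
    classes = equivalence_classes(records, qis)
    singles = sum(1 for r in records if classes[tuple(r[q] for q in qis)] == 1)
    return singles / len(records)


def link(left, right, key="token"):
    """Inner join on the shared token; every QI from both sides travels along."""
    by_key = {r[key]: r for r in right}
    return [{**l, **by_key[l[key]]} for l in left if l[key] in by_key]


def linkage_report(left, left_qis, right, right_qis, key="token"):
    """Compare k on each input with k on the linked output."""
    linked = link(left, right, key)
    combined_qis = tuple(left_qis) + tuple(right_qis)
    return {
        "left_min_k": min_k(left, left_qis),
        "right_min_k": min_k(right, right_qis),
        "linked_min_k": min_k(linked, combined_qis),
        "linked_unique_fraction": unique_fraction(linked, combined_qis),
    }


if __name__ == "__main__":
    print(linkage_report(CLAIMS, CLAIMS_QIS, LABS, LABS_QIS))
```

On the sample, the claims file has k = 2, the lab file has k = 3, and the linked file has k = 1 with every record unique: the combined quasi-identifier (birth year, sex, ZIP3) is what an adversary matches against, not either set alone. A real assessment would also weigh how available each quasi-identifier is to the anticipated recipient, but the same class-size computation over the union of quasi-identifiers is where it starts.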
Overall, once an Expert Determination is issued, it is imperative to adhere to the conditions required by the expert on the final report, as doing so ensures companies uphold the legally binding standards for protecting privacy via de-identification while simultaneously maximizing health data utility.
The Last Few Weeks in a Flash
In an effort to close the gap between HIPAA and other privacy laws that aim to protect against the nonconsensual disclosure of consumer health information, Washington State has enacted the broad-based health data privacy law “My Health My Data.” It is the first comprehensive consumer health information privacy law in the United States, differing from other state privacy legislation in that it is focused on consumer health data not regulated by HIPAA, therefore significantly impacting mobile app providers, advertisers, wearable device manufacturers, and other companies that handle or process non-HIPAA-regulated health data. It has broad jurisdiction and includes a private right of action for violations.
Montana and Tennessee have become the eighth and ninth states to pass comprehensive consumer privacy legislation (ninth and tenth, if you count Washington’s law as comprehensive). The privacy law wave does not seem to be slowing down anytime soon, with Florida passing Senate Bill 262, Maine introducing a biometric data privacy bill, and Texas poised to become the next state to enact comprehensive privacy legislation after the Texas Senate’s approval of HB 4, the Texas Data Privacy and Security Act, on May 10, 2023. Moreover, a recent House subcommittee hearing on privacy and data security underscored the need for a federal comprehensive consumer privacy law, with an emphasis on the American Data Privacy and Protection Act.
Upon filing a complaint in federal court against Illinois-based Easy Healthcare Corporation for sharing the health data of users of its free fertility app Premom without consent (together with a $200,000 penalty), the Federal Trade Commission voted unanimously to formally revise the Health Breach Notification Rule. The proposed changes, on which the agency is seeking public comment, would require companies covered by the rule to secure customer approval prior to sharing identifiable health information with business partners or for marketing purposes. Recently, the FTC also issued a policy statement on its intention to hold companies accountable for unfair or deceptive practices related to the use of consumers’ biometric information, and it is far from the only government agency focused on combating the improper sharing of personal health information. On the heels of a surge in litigation over the use of tracking technologies to share healthcare and personal data, the HHS Office for Civil Rights declared that enforcement actions will be taken against HIPAA-regulated entities that disclose data to third parties in this way without consent or proper agreements.
But to answer your question about Expert Determinations...
Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
“[There are] two methods to achieve de-identification in accordance with the HIPAA Privacy Rule. The first is the “Expert Determination” method. . .” Keep reading
5 Considerations for Getting Expert Determination Right
By Jamie Blackport
“In this [blog], we look at five key considerations for obtaining fast and fit-for-purpose HIPAA expert determination that can make privacy and compliance a more seamless, transparent and scalable process: (1) Data quality and standardization, (2) Understanding of use cases, (3) Speed and scale, (4) Technology integration, [and] (5) Ongoing support and maintenance.” Keep reading
De-Identification of PHI According to the HIPAA Privacy Rule
“The two HHS-approved methods for the de-identification of PHI can aid in clinical research while ensuring HIPAA compliance and patient privacy.” Keep reading
Best of the Rest
Here's a Privacy + Security Forum presentation by privacy expert Dr. Daniel Barth-Jones and others on de-identification, pseudonymization, anonymization, and cryptographic tokenization for privacy lawyers and compliance managers.
Privacy Hub offers a wide range of advanced technologies and solutions to improve the quality and speed of the compliance process.
Reach us at privacymatters.privacyhub@datavant.com