Thora Johnson and Mark Fox on De-Identification Under HIPAA and GDPR [Podcast]


By Adam Turteltaub

These days it’s easy to identify people using technology and databases, and that’s a problem if you are trying to comply with HIPAA or even GDPR because a lot of sensitive data eventually needs to be de-identified in a proper manner.

Thora Johnson (LinkedIn), Partner at Orrick and Mark Fox (LinkedIn), Privacy and Research Compliance Officer at the American College of Cardiology explain that there are two permissible methods of de-identification under HIPAA. Safe Harbor De-Identification is a process in which eighteen identifiers are removed. The second option is Expert Determination De-Identification, in which statistical principles are used to determine if there is low risk a person can be identified.

It’s not an easy process, either way. Information on the individual and family members likely needs to be removed. In addition many struggle with how to do de-identification right because the work is often done only periodically and not on a regular, frequent basis.

One area of particular challenge is understanding the difference between de-identification and a limited data set. There are significant requirements with these limited data sets, too, including the need for a signed agreement with the data recipient and proper permissions to share the data.

Adding to the complexity, under GDPR there are the concepts of anonymization and pseudo-anonymization to reckon with.

What should you do? Listen in to understand the issues, and then plan on attending Thora and Mark’s session “It’s De-Identified, or Is It?” at the 2023 HCCA Compliance Institute.