by Kenneth R. Charette and Theresa M. DeAngelis, Summer Associate
Many of our healthcare clients often inquire as to whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the transfer or use of “de-identified” patient data. Such information has a variety of practical applications, including genetic research, comparative effectiveness studies, policy assessments, and more. Many providers often assume that HIPAA’s Privacy Rule prevents benefits associated with the use of de-identified health care data. This is not necessarily the case. HIPAA is federal law that sets forth data privacy and security for protected health information (PHI). PHI is defined as “any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse,” that relates to past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payments for the provision of healthcare to an individual. Ultimately, PHI is information that identifies an individual or creates a reasonable basis to believe the information can be used to identify the individual.
Barring a few exceptions, PHI must be kept confidential and may not be used or otherwise disclosed without authorization from the patient. Healthcare organizations sometimes inquire whether the use of de-identified patient data is subject to the patient authorization requirements of PHI.
The Privacy Rule provides two ways that PHI may be de-identified under the law. First, an expert with knowledge of and experience with accepted statistical and scientific principles must determine there is a very low probability of identifying an individual with the information. Second, health information can be de-identified by removing 18 enumerated data elements, including names, zip codes, dates, and other unique identifiers.
In 2012, the United States Department of Health and Human Services issued Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule. The Guidance states that if health information is de-identified within the meaning of HIPAA, then the Privacy Rule does not restrict the use or disclosure of the information, because the information is no longer considered PHI. Accordingly, patient authorization is not required to use or sell the de-identified patient information. Additionally, a patient’s consent is probably not needed to de-identify their PHI as HIPAA’s de-identification standards arguably constitute independent permission to de-identify under the Privacy Rule.
To date, one case included a challenge to the sale of de-identified patient information under Pennsylvania state law claims. In the 2012 case Steinberg v. CVS Caremark Corp., 899 F. Supp. 2d 331 (E.D. Pa. 2012), a CVS pharmacy customer and the Philadelphia Federation of Teachers Health and Welfare Fund brought an action against CVS entities related to the defendants’ sale of information obtained when the plaintiffs filled their prescriptions at CVS pharmacies. The plaintiffs sued on the grounds that the defendants violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law, as well as theories of unjust enrichment and invasion of privacy. It was stipulated that the defendants sold information containing a combination of medical history, prescription drugs provided, dates of prescription fillings, diagnoses, and the names of physicians. The court held that because HIPAA allows for the sale of de-identified data and because the plaintiffs voluntarily gave their data to the defendants, the plaintiffs failed to state a claim; therefore, the court granted the defendant’s motion to dismiss. The court rejected the plaintiffs’ theory that the de-identified data could be re-identified and therefore was entitled to HIPAA protection. Additionally, the court stated that the sale of de-identified data does not carry a compensable value to consumers; therefore no finding of injury could be made.
In light of these considerations, if health organizations properly de-identify health information within the boundaries of HIPAA, such information may be used in unlimited ways and contribute to advancements in life sciences research and more.