Following up on a requirement of the American Recovery and Reinvestment Act (ARRA) of 2009, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently released guidance on how to de-identify personal health information in accordance with the HIPAA privacy rule.

In response to the ARRA mandate, OCR collected research and views from industry stakeholders on current de-identification standards and potential changes to address policy concerns.

Experts with practical technical and policy experience informed the creation of the guidance materials, which were largely determined during a two day workshop held in March 2010 in Washington D.C., according to HHS’ website. Multiple panel sessions addressed specific topics related to de-identification methodologies and policies at the workshop.

The process of de-identification—when personal health information identifiers like name, address, and Social Security numbers are removed from records—mitigates privacy risks to individuals whose records are used for secondary uses like comparative effectiveness studies, policy assessments, life sciences research, and population health studies.

Click here to read the specific guidance issued by HHS on properly de-identifying HIPAA-protected personal health information.