De-identification is a valuable tool for protecting consumer privacy, but the process requires diligent compliance with multiple state and federal standards. L. Hannah Ji-Otto and Julie A. Kilgore, both of Baker Donelson, and legal adviser David Chen explore the various regulatory perspectives on data de-identification and their implications for businesses operating in the United States.
Businesses concerned about their data and technology use complying with privacy laws are focusing on de-identification, the process of altering information to safeguard individual identities.
The identifiability of data exists on a spectrum. On one end is directly identifiable data — e.g., Social Security numbers and email addresses. On the other end is non-personal data, such as the number of downloads for a specific app in a week. Shifting data along this spectrum through de-identification can potentially reduce a business’s privacy compliance obligations, given that de-identified data often enjoys exemptions under federal and state laws. However, ensuring that data de-identification meets these legal standards is a complex process.
De-identifying PHI under HIPAA
HIPAA has long permitted de-identification of protected health information (PHI) by entities regulated under HIPAA to support secondary uses of data for comparative effectiveness studies, policy assessment and other life sciences research. The HIPAA privacy rule provides two methods for de-identification: expert determination and safe harbor.
Expert determination requires an expert to determine and document a very small risk that an anticipated recipient could use the information to identify the individual. Safe harbor requires the removal of 18 identifiers, with the de-identifying entity possessing no actual knowledge that the information could be used to identify the individual.
Whichever method is used, the privacy rule considers PHI de-identified if such information does not identify the subject of the PHI and there is no reasonable basis to believe that the information can be used to identify the individual. Notably, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, acknowledges the potential for re-identification of properly de-identified data because the HIPAA de-identification standards and methods do not require a zero risk of identification. Once medical records have been appropriately de-identified, HIPAA poses no obstacle to the production of the records. However, depending on the retained information, this de-identified data may still fall under other regulatory or contractual obligations.
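As an added illustration of the safe harbor method described above (this is example code, not part of the article and not an HHS tool), the script below scrubs a structured patient record: it drops direct identifiers, reduces dates to the year, truncates ZIP codes to three digits, and collapses ages over 89 into a single "90+" bucket with the birth year removed. The field names, the sample records and the small-population ZIP prefix set are constructed assumptions; a real implementation must cover all 18 safe harbor categories, derive the ZIP list from Census data, handle free-text fields separately, and still satisfy the "no actual knowledge" condition, which no code can decide.

```python
# Added example (not from the article): a safe-harbor-style scrubber for a
# structured patient record. It applies several of the HIPAA safe harbor
# identifier rules to dict fields. Field names and sample data are constructed.
from datetime import date

# Fields removed outright (names, SSN, contact details, record numbers).
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "mrn"}

# Date fields reduced to year only (all date elements except year are removed).
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Placeholder (constructed): three-digit ZIP prefixes whose combined population
# is 20,000 or fewer must be reported as 000. A real implementation derives
# this set from Census Bureau data rather than hard-coding it.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for small-population areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def year_only(iso_date: str) -> str:
    """Drop month and day; the year alone is permitted under safe harbor."""
    return date.fromisoformat(iso_date).strftime("%Y")


def age_on(dob_iso: str, as_of: date) -> int:
    """Whole years between a date of birth and a reference date."""
    born = date.fromisoformat(dob_iso)
    had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
    return as_of.year - born.year - (0 if had_birthday else 1)


def safe_harbor_scrub(record: dict, as_of: date) -> dict:
    """Return a new record with direct identifiers removed and dates,
    ZIP code and age generalized. Unknown fields pass through unchanged,
    so free-text fields (e.g. clinical notes) still need separate review."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age >= 90:
                # Ages over 89 collapse into one bucket and the birth year is
                # dropped, since the year alone would reveal the age.
                out["age"] = "90+"
            else:
                out["age"] = str(age)
                out["birth_year"] = year_only(value)
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
        else:
            out[key] = value
    return out


# Constructed sample records for the example (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
     "dob": "1990-03-15", "zip": "02139", "admit_date": "2024-01-20",
     "diagnosis": "J45.20"},
    {"name": "John Roe", "mrn": "MRN-0001", "dob": "1930-01-01",
     "zip": "03601", "discharge_date": "2023-11-02", "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(safe_harbor_scrub(rec, as_of=date(2024, 6, 1)))
```

The design point worth noticing is that "remove 18 identifiers" is not only deletion: ZIP codes, dates and ages are generalized rather than dropped so that the record keeps analytic value, which is the trade-off the article's spectrum describes. Safe harbor treats the output as de-identified only if the entity also has no actual knowledge that the remaining fields could identify someone, so the scrubbed diagnosis and year fields still warrant a review for rare combinations.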
FTC’s views on data de-identification
In the past decade, the FTC has consistently stressed effective de-identification of data. The FTC can enforce against unfair or deceptive acts or practices in commerce, including bringing actions against companies that fail to protect consumer data. Its rulings do not override HIPAA’s de-identification standard with respect to PHI.
Recently, the FTC has clarified its position on de-identification, adopting an approach similar to the California Consumer Privacy Act (CCPA) in defining “de-identification” in its actions against InMarket Media and X-Mode Social. The FTC alleged that both companies collected, aggregated and sold to third parties location-related information from consumers without their informed consent. Both companies settled, agreeing to delete certain offending location data. Interestingly, the FTC exempted “de-identified data” from this deletion requirement, suggesting that de-identified data is not the primary concern of the FTC.
In both instances, the FTC adopted the same definition of de-identified data as the CCPA. The FTC defines de-identified information as data that cannot reasonably be associated with or linked, either directly or indirectly, to a specific consumer. This depends on whether the de-identifying business meets four criteria: (i) it implements technical safeguards to prevent the re-identification of the consumer to whom the information pertains, (ii) it has business processes that specifically prohibit the re-identification of the information, (iii) it implements measures to prevent the inadvertent release of de-identified information and (iv) it makes no attempt to re-identify the information.
It’s worth noting that the FTC does not regard data linked to a mobile advertising identifier or an individual’s home as de-identified data.
State privacy laws: The CCPA example
Most state privacy laws have varying exemptions for de-identified data. As of the latest update, 18 states have comprehensive data privacy laws. These laws don’t override or change HIPAA’s requirements for PHI. Technically, many de-identification methods can be easily reversed, making the practical effectiveness of these exemptions uncertain. There is minimal guidance from state regulators or legal precedents regarding the re-identification of de-identified data.
For example, the CCPA does not classify de-identified data as “personal information,” thus exempting it. There have been no direct enforcement actions in California regarding the de-identification of personal information. The California Privacy Protection Agency considers data minimization a foundational principle of the CCPA, applicable to all purposes for which a business collects, uses, retains, and shares consumers’ personal information.
De-identification could achieve a key balance — keeping the utility of collected data while adhering to the CCPA’s data minimization principle. To the extent that de-identified data can still provide insights into consumer behaviors, trends or patterns, removing unnecessary identifiers achieves business purposes without infringing on consumer privacy.
Practical considerations for U.S. businesses
Data de-identification provides a compelling strategy to derive value from collected data while complying with privacy laws, including the principle of data minimization. Federal and state regulators have developed more robust de-identification standards for consumer information compared to those set by HIPAA for PHI. This has complicated the process of shifting datasets across the identification spectrum, thereby enhancing the protection of individuals’ privacy rights.
As privacy laws expand and enforcement actions intensify, relying on a single de-identification standard may not suffice. For example, if a dataset is classified as PHI and is also subject to federal and state privacy laws, data de-identified under HIPAA might still fall under the jurisdiction of the FTC or state privacy regulations.
In conclusion, de-identification is a valuable tool for protecting privacy, but it requires diligent compliance with regulatory standards. Companies considering de-identification as a part of their privacy law compliance strategy should:
- Conduct an assessment of the jurisdiction of origin and the characteristics of the personal information to accurately determine the applicable de-identification standard(s).
- Implement de-identification techniques that are appropriate for the data type, considering available resources and industry best practices to ensure effective de-identification.
- Establish, enforce and update internal procedures and technical safeguards to prevent the re-identification of data.