The expert determination method, defined by 45 CFR § 164.514(b)(1), is one of two approaches for de-identifying protected health information. This method relies on statistical and scientific principles to transform PHI into data that cannot reasonably be used to identify an individual.
According to The Network for Public Health Law document titled HIPAA Expert Determination De-Identification Method: "The Expert Determination method provides for an individual to be determined an expert in de-identification through professional experience, academic or other training, and actual experience, using health information de-identification methodologies."
Read also: How to choose the right method for deidentification
The Department of Health and Human Services states that, “There is no specific professional degree or certification program for designating who is an expert at rendering health information de-identified. Relevant expertise may be gained through various routes of education and experience. Experts may be found in the statistical, mathematical, or other scientific domains. From an enforcement perspective, OCR would review the relevant professional experience and academic or other training of the expert used by the covered entity, as well as actual experience of the expert using health information de-identification methodologies.”
Therefore an expert, must:
"A qualified expert evaluates the risk that an individual could be identified from the dataset, either alone or when combined with other reasonably available information. This risk is typically assessed using sophisticated statistical models that account for factors like population size, data uniqueness, and the availability of external datasets." As stated in the article Understanding Safe Harbor and Expert Determination in Healthcare Data Security by SynapseHealthTech, published on LinkedIn.
The expert would evaluate:
The Institute for Families in Society Guidelines and Methods for De-identifying Protected Health Information outlines the following de-identification techniques:
The Network for Public Health Law document titled HIPAA Expert Determination De-Identification Method provides that an expert must document:
In correspondence to the Secretary of the Department of Health and Human Services, the National Committee on Vital and Health Statistics points out that, “In comparing the two methods of de-identification established in the de-identification standard of the privacy Rule, Safe Harbor is largely ‘one size fits all,’ regardless of the characteristics of the dataset. By contrast, the Expert Determination method has the advantage of fitting the de- identification method to the risks associated with the specific dataset. Despite this increasingly important advantage, Expert Determination is used less frequently than Safe Harbor. One reason is that Expert Determination, while more consultative, is also more expensive, and there are too few experts available for hire.”
The expert determination has a flexible approach that can be adapted to specific use cases. It allows for the retention of more detailed data, providing scientific validity to de-identification efforts and supporting ongoing research and analytics needs. However, there are limitations, it requires the use of qualified experts, which can make it more resource-intensive. Additionally, it may need periodic reassessment as technology evolves, and there is no absolute guarantee against re-identification.
De-identification is the process of removing or altering personal information from data so that individuals cannot be readily identified.
De-identification helps protect patient privacy while allowing healthcare data to be used for research and analysis.
Re-identification is the process of matching de-identified data with publicly available or private information to determine the identity of individuals, potentially compromising their privacy.