Hearing
Subcommittee on Privacy, Confidentiality & Security
National Committee on Vital and Health Statistics
“De-Identification and the Health Insurance Portability and Accountability Act (HIPAA)”
May 24-25, 2016
Hubert H. Humphrey Building
U.S. Department of Health & Human Services
200 Independence Avenue, SW, Room 705A
Washington, DC 20201
This hearing and all meetings, hearings, and workshops of the National Committee on Vital and Health Statistics, its Subcommittees, and Workgroups are open to the public, no registration required. However, if attending in person, please be prepared to present identification to Humphrey Building security staff.
PURPOSE OF THE MEETING
HIPAA sets forth methodologies for de-identifying protected health information (PHI). Once PHI is de-identified, it is no longer subject to the HIPAA rules and can be used for any purpose. The U.S. Department of Health and Human (HHS) Services Office for Civil Rights (OCR) issued guidance in 2012, specifying two ways through which a covered entity can determine that health information is de-identified: (1) the Expert Determination Method and (2) the Safe Harbor Method. Much has changed in the health care landscape since that time, including greater availability and use of big data. Concerns have been raised about the sufficiency of the HIPAA de-identification methodologies, the lack of oversight for unauthorized re-identification of de-identified data, and the absence of public transparency about the uses of de-identified data. The purpose of this hearing is to gather industry input on existing guidance and possible limitations of the de-identification methodologies for making recommendations to the Secretary of HHS.
The objectives of this meeting are as follows:
- Increase awareness of current and anticipated practices involving de-identified health information, such as the sale of such information to data brokers and other data-mining companies for marketing and/or risk mitigation;
- Understand HIPAA’s de-identification requirements in light of these practices, and
- Identify areas where outreach, education, technical assistance, a policy change, or guidance may be useful.
FINAL AGENDA – Tuesday, May 24, 2016
TENTATIVE AGENDA – Wednesday, May 25, 2016
9:00 to 9:15 a.m. | Opening Remarks – Linda Kloss, Chair |
9:15 – 11:15 a.m. | Panel III – Approaches for De-Identifying and Re-Identifying Data |
Vitaly Shmatikov, PhD; Professor of Computer Science; Cornell; New York, NY | |
Jacki Monson, JD; Chief Privacy Officer; Sutter Health; Sacramento, CA | |
Jeptha Curtis, MD, FACC; American College of Cardiology | |
Cavan Capps, CISSP; Big Data Lead, US Department of Census, US Department of Commerce, Washington, DC | |
11:15 – 11:30 a.m. | Break |
11:30 – 12:45 p.m. | Panel IV – Models for Privacy-Preserving and Use of Private Information |
Micah Altman, PhD; Director of Research, MIT Libraries; Head/Scientist, Program on Information Science; Non-Resident Senior Fellow, Brookings Institution; Boston, MA | |
Yaniv Erlich, PhD; Assistant Professor of Computer Science, Columbia University, Member, New York Genome Center; New York, NY | |
Sheila Colclasure, MA, Privacy Officer, Acxiom; Little Rock, AR | |
Kim Gray, JD: Chief Privacy Officer, Global, IMS Health | |
12:45 – 1:00 p.m. | Public Comment period |
1:00-2:00 p.m. | Lunch |
2:00 – 3:00 p.m. | Subcommittee Discussion: Review themes, identify potential recommendations and additional information needs |
3:00 – 3:15p.m. | Break |
3:15 – 5:15 p.m. | Subcommittee Discussion: Frame letter to the Secretary, reach consensus on the timeline and next steps, if any |
5:15 p.m. | Adjourn |