Subcommittee on Privacy, Confidentiality & Security
National Committee on Vital and Health Statistics

“De-Identification and the Health Insurance Portability and Accountability Act (HIPAA)”

May 24-25, 2016

Hubert H. Humphrey Building
U.S. Department of Health & Human Services
200 Independence Avenue, SW, Room 705A
Washington, DC 20201

Printable Acrobat Agenda

This hearing and all meetings, hearings, and workshops of the National Committee on Vital and Health Statistics, its Subcommittees, and Workgroups are open to the public, no registration required. However, if attending in person, please be prepared to present identification to Humphrey Building security staff.


HIPAA sets forth methodologies for de-identifying protected health information (PHI).  Once PHI is de-identified, it is no longer subject to the HIPAA rules and can be used for any purpose. The U.S. Department of Health and Human (HHS) Services Office for Civil Rights (OCR) issued guidance in 2012, specifying two ways through which a covered entity can determine that health information is de-identified: (1) the Expert Determination Method and (2) the Safe Harbor Method. Much has changed in the health care landscape since that time, including greater availability and use of big data. Concerns have been raised about the sufficiency of the HIPAA de-identification methodologies, the lack of oversight for unauthorized re-identification of de-identified data, and the absence of public transparency about the uses of de-identified data. The purpose of this hearing is to gather industry input on existing guidance and possible limitations of the de-identification methodologies for making recommendations to the Secretary of HHS.

The objectives of this meeting are as follows:

  • Increase awareness of current and anticipated practices involving de-identified health information, such as the sale of such information to data brokers and other data-mining companies for marketing and/or risk mitigation;
  • Understand HIPAA’s de-identification requirements in light of these practices, and
  • Identify areas where outreach, education, technical assistance, a policy change, or guidance may be useful.

FINAL AGENDA – Tuesday, May 24, 2016

Meeting Minutes

May 24, 2016 Transcript

9:00 to 9:15 a.m. Introductions and Opening Remarks – Linda Kloss, Chair
9:15 – 10:00 a.m. Overview and framing of current issues -– Dr. Simson Garfinkel, Information Access Division, National Institute of Standards and Technology
10:00 – 11:15 a.m. Panel I – Policy Interpretations of HIPAA’s De-identification Guidance
Ira Rubinstein, JD, Senior Fellow, Information Law Institute; Adjunct Professor, New York University School of Law
Bradley Malin, PhD, Vice Chair for Research, Department of Biomedical Informatics. School of Medicine; Director, Health Information Privacy Laboratory; Vanderbilt University
Daniel Barth-Jones, MPH, PhD; Assistant Professor of Clinical Epidemiology; Mailman School of Public Health; Columbia University
11:15 – 11:30 a.m. Break
11:30 – 12:45 p.m. Panel I — Policy Interpretations, cont’d
12:45 – 1:45 p.m. Lunch
1:45 – 3:15 p.m. Panel II — De-Identification Challenges
Michelle De Mooy, Deputy Director, Privacy and Data Project, Center for Democracy & Technology; Washington, D.C.
Jules Polonetsky, JD; CEO, Future of Privacy Forum; Washington, D.C.
Ashley Predith, PhD; Executive Director. President’s Council of Advisors on Science and Technology; White House Office of Science and Technology Policy; Washington, D.C.
Cora Tung Han, JD; Federal Trade Commission, Bureau of Consumer Protection; Washington, D.C.
3:15 – 3:30 p.m. Break
3:30 – 4:45 p.m. De-Identification Challenges, cont.
4:45 – 5:15 p.m. Public Comment period
5:15- 5:30 p.m. Framing of Issues by Subcommittee Members
5:30 p.m. Adjourn


TENTATIVE AGENDA – Wednesday, May 25, 2016

May 25, 2016 Transcript


9:00 to 9:15 a.m. Opening Remarks – Linda Kloss, Chair
9:15 – 11:15 a.m. Panel III – Approaches for De-Identifying and Re-Identifying Data
Vitaly Shmatikov, PhD; Professor of Computer Science; Cornell; New York, NY
Jacki Monson, JD; Chief Privacy Officer; Sutter Health; Sacramento, CA
Jeptha Curtis, MD, FACC; American College of Cardiology
Cavan Capps, CISSP; Big Data Lead, US Department of Census, US Department of Commerce, Washington, DC
11:15 – 11:30 a.m. Break
11:30 – 12:45 p.m. Panel IV – Models for Privacy-Preserving and Use of Private Information
Micah Altman, PhD; Director of Research, MIT Libraries; Head/Scientist, Program on Information Science; Non-Resident Senior Fellow, Brookings Institution; Boston, MA
Yaniv Erlich, PhD; Assistant Professor of Computer Science, Columbia University, Member, New York Genome Center; New York, NY
Sheila Colclasure, MA, Privacy Officer, Acxiom; Little Rock, AR
Kim Gray, JD: Chief Privacy Officer, Global, IMS Health
12:45 – 1:00 p.m. Public Comment period
1:00-2:00 p.m. Lunch
2:00 – 3:00 p.m. Subcommittee Discussion: Review themes, identify potential recommendations and additional information needs
3:00 – 3:15p.m. Break
3:15 – 5:15 p.m. Subcommittee Discussion: Frame letter to the Secretary, reach consensus on the timeline and next steps, if any
5:15 p.m. Adjourn