
Unmasking Personally Identifiable Information to Comply with U.S. Privacy Laws

De-identification is a valuable tool for protecting consumer privacy, but the process requires careful compliance with numerous state and federal standards. L. Hannah Ji-Otto and Julie A. Kilgore, both of Baker Donelson, and legal counsel David Chen explore the different regulatory perspectives on de-identification and their implications for companies operating in the United States.

Companies that want to keep using their data and technology while complying with privacy regulations increasingly turn to de-identification, the process of altering information so that it no longer identifies an individual.

Identifiability exists on a spectrum. At one end is directly identifying data, such as Social Security numbers and email addresses. At the other is non-personal data, such as the number of downloads of a specific app in a week. Moving data along this spectrum by stripping identifiers can reduce a company's privacy compliance obligations, because de-identified information is often carved out of federal and state law through exemptions. Ensuring that a given de-identification actually meets the applicable legal standard, however, is a complex exercise.

HIPAA de-identification of PHI

HIPAA has long permitted the de-identification of protected health information (PHI) by HIPAA-regulated entities to support secondary uses of data for comparative effectiveness research, policy evaluation, and other life sciences research. The HIPAA Privacy Rule provides two methods of de-identification: expert determination and safe harbor.

Under expert determination, a qualified expert must determine and document that the risk that the anticipated recipient could use the information, alone or in combination with other reasonably available information, to identify an individual is very small. Under safe harbor, the covered entity must remove 18 specified categories of identifiers (names, geographic subdivisions smaller than a state, all elements of dates except year, telephone numbers, email addresses, Social Security numbers, medical record numbers, device identifiers, IP addresses, biometric identifiers and full-face photographs, among others) and must have no actual knowledge that the remaining information could be used, alone or in combination, to identify the individual.
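
The following is an added example, not code from the article or from HHS, showing what a mechanical implementation of the safe harbor rules looks like on a single flat record. The field names, the reference date and the sample record are assumptions constructed for the example. The list of three-digit ZIP prefixes that must be replaced with "000" follows the HHS safe harbor guidance (derived from 2000 Census data) and should be checked against current guidance before use.

```python
"""HIPAA Safe Harbor transformer (illustrative example, not an official tool).

Assumes a flat dict with the field names below; real records need their own
field mapping. Free-text fields are dropped because identifiers embedded in
narrative text cannot be removed by field-level rules.
"""
from datetime import date

# Identifier categories that Safe Harbor requires to be removed outright.
# These field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "ip_address", "device_id", "url", "vehicle_id",
    "biometric_id", "photo",
}

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Narrative fields routinely leak names and dates; field-level rules cannot
# assure their de-identification, so they are removed here.
FREE_TEXT_FIELDS = {"notes"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer per
# HHS Safe Harbor guidance (2000 Census); these must become "000".
# Assumption: verify against current HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Reference date for computing age (assumption for the example).
REFERENCE_DATE = date(2024, 1, 10)


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for small-population prefixes."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(dob, as_of):
    """Whole years between a birth date and a reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record, as_of=REFERENCE_DATE):
    """Apply Safe Harbor field rules and return a new, reduced record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS or key == "age":
            continue  # removed; age is recomputed below so it can be capped
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value  # e.g. state, diagnosis code: permitted as-is

    # Ages over 89 must be aggregated into a single "90+" category, and any
    # date element (including year) that would reveal such an age removed.
    age = None
    if "dob" in record:
        age = age_on(date.fromisoformat(record["dob"]), as_of)
    elif "age" in record:
        age = int(record["age"])
    if age is not None:
        if age > 89:
            out["age"] = "90+"
            out.pop("dob_year", None)  # birth year would disclose age > 89
        else:
            out["age"] = age
    return out


# Constructed sample records; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "email": "jane@example.com",
    "dob": "1931-03-15",
    "admission_date": "2023-11-02",
    "discharge_date": "2023-11-09",
    "zip": "03601",
    "state": "NH",
    "diagnosis_code": "I10",
    "notes": "Patient Jane Sample seen on 11/02/2023.",
}
YOUNGER_RECORD = {"name": "A. Other", "dob": "1985-07-20", "zip": "90210",
                  "state": "CA", "diagnosis_code": "E11"}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
    print(safe_harbor(YOUNGER_RECORD))
```

Note what the example does not do: it does not address the second half of the safe harbor test (absence of actual knowledge that the residual data could identify someone), and it removes free text rather than scrubbing it. Both are where field-level de-identification most often falls short in practice, and both are reasons the expert determination route is frequently chosen for richer datasets.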

Regardless of the method used, the Privacy Rule treats PHI as de-identified when it does not identify the individual and there is no reasonable basis to believe it could be used to identify the individual. It is worth noting that the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, acknowledges that properly de-identified data can still be re-identified, because the HIPAA standards do not require zero risk of re-identification. Once PHI has been properly de-identified, it is no longer PHI and HIPAA no longer restricts its use or disclosure. Depending on what information is retained, however, the de-identified data may still be subject to other regulatory or contractual obligations.

FTC’s Views on Data De-Identification

Over the past decade, the FTC has consistently emphasized effective de-identification. Under its authority over unfair or deceptive acts or practices, the FTC can bring actions against companies that fail to protect consumer information. Its enforcement actions do not supersede the HIPAA de-identification standards as they apply to PHI.

The FTC recently clarified its position on de-identification, adopting an approach similar to the California Consumer Privacy Act (CCPA) in defining "de-identified data" in its actions against InMarket Media and X-Mode Social. The FTC alleged that both companies collected, aggregated and sold consumers' location data to third parties without their informed consent. Both companies settled and agreed to delete the offending location data. Notably, the FTC exempted "de-identified data" from the deletion requirement, which suggests that properly de-identified data is not a primary enforcement concern for the FTC.

In both cases, the FTC adopted the same definition of de-identified data as the CCPA: data that cannot reasonably be linked, directly or indirectly, to a particular consumer. Whether data qualifies turns on whether the de-identifying company meets four criteria: (i) it implements technical safeguards that prohibit re-identification of the consumer to whom the information relates, (ii) it has business processes that specifically prohibit re-identification, (iii) it has business processes to prevent inadvertent release of the de-identified information and (iv) it makes no attempt to re-identify the information.

It is also worth noting that, under these orders, the FTC does not treat data tied to an individual's mobile advertising identifier or home location as de-identified data.

State privacy laws: CCPA example

Most state privacy laws contain exemptions for de-identified data. As of the most recent count, 18 states have enacted comprehensive data privacy laws. None of these laws replaces or amends HIPAA's requirements for PHI. Technically, many de-identification methods can be reversed, for example by linking remaining quasi-identifiers such as ZIP code, birth date and gender to other available datasets, so the practical effectiveness of these exemptions is uncertain. There is little guidance from state regulators and little legal precedent on the re-identification of de-identified data.

For example, the CCPA excludes de-identified data from its definition of "personal information," thereby exempting it from the statute's requirements. There have been no direct enforcement actions in California concerning de-identification. The California Privacy Protection Agency treats data minimization as a core principle of the CCPA, applicable to every purpose for which a business collects, uses, retains and shares consumers' personal information.

De-identification could strike a crucial balance – maintaining the usefulness of collected data while adhering to the CCPA’s data minimization principle. To the extent deidentified data can still provide insight into consumer behavior, trends or patterns, removing unnecessary identifiers serves business purposes without violating consumer privacy.

Practical considerations for US businesses

Data de-identification offers a compelling way to derive value from collected data while complying with privacy regulations, including the data minimization principle. Federal and state regulators have developed more demanding de-identification standards for consumer information than those HIPAA sets for PHI. This has made moving datasets along the identifiability spectrum more complicated, and in doing so has strengthened the protection of individuals' privacy rights.

As privacy regulations expand and enforcement intensifies, relying on a single de-identification standard may not be enough. For example, where a dataset is PHI and is also subject to federal and state privacy laws, data de-identified under HIPAA may still fall within the FTC's jurisdiction or remain subject to state privacy laws.

In summary, de-identification is a valuable privacy protection tool, but it requires careful compliance with the applicable regulatory standards. Companies considering de-identification as part of their privacy compliance strategy should:

  1. Assess the jurisdiction of origin and the characteristics of the personal data to determine which de-identification standards apply.
  2. Implement de-identification techniques appropriate to the data type, taking into account available resources and industry best practices so that the de-identification is effective.
  3. Establish, enforce and update internal procedures and technical safeguards to prevent re-identification of the data.