| There are varying levels of risk of re-identification when applying the HIPAA safe harbor method of de-identification. Earlier research views this methodology as a simple way to de-identify data, and due to removal of PHI, concludes that the risk of re-identification is small to very small. There are many interpretations of how to apply this method and the correctness of the application is directly related to the knowledge and skill set of the individual or group that uses it. This thesis provides a new approach in applying the safe harbor methodology as required by the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulation provides two methods to de-identify data for use in research and studies. The first method is the safe harbor method, which requires the removal of the specified PHI data elements. The second method requires an expert review, using statistical and scientific principles and methods, to determine that there is a very small risk that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify an individual who is a subject of the information. This thesis addresses the interpretation and application of the safe harbor method of de-identification and is a study of the risks associated with various implementations. The research methodology in the study uses both qualitative and quantitative design. The qualitative design includes the review of industry surveys and standards, while the quantitative design includes statistical models and the review of simulated claims data. |
