De-identifying Data for US Privacy Compliance

De-identification is a valuable tool for protecting consumer privacy, but the process requires scrupulous compliance with many state and federal standards. Baker Donelson’s L. Hannah Ji-Otto and Julie A. Kilgore and legal counsel David Chen explore various regulatory perspectives on data de-identification and their impact on businesses operating in the United States.

Businesses want to use their data, and the technology built on it, in ways that comply with privacy laws. This article focuses on de-identification, the process of altering information to protect individual identities.

The identifiability of data exists on a spectrum. On one side is directly identifiable data (for example, Social Security numbers and email addresses). On the other side is non-personal data, such as the number of downloads of a particular application in a week. Moving data along this spectrum through de-identification can reduce a business’s privacy compliance liabilities, because de-identified data generally enjoys exemptions under federal and state laws. However, ensuring that data de-identification actually meets these legal standards is a complex process.

De-identification of PHI under HIPAA

HIPAA has long permitted de-identification of protected health information (PHI) by HIPAA-regulated entities to support secondary uses of data for comparative effectiveness studies, policy evaluation, and other life sciences research. The HIPAA Privacy Rule provides two methods for de-identification: expert determination and safe harbor.

Expert determination requires a qualified expert to determine, and document, that the risk that the anticipated recipient could use the information to identify the person is very small. Safe harbor requires the removal of 18 specified identifiers, provided the de-identifying entity has no actual knowledge that the remaining information could be used to identify the individual.
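To make the safe harbor method concrete, the following is an added example (not code from the article or from HHS) of the kinds of transformations it calls for: dropping direct identifiers, reducing dates to the year, aggregating ages over 89 into a single "90+" category, truncating ZIP codes to three digits, and scrubbing identifiers that leak into free text. The record, the field names, the `SPARSE_ZIP3` set and the regular expressions are all constructed for illustration; the real list of ZIP prefixes that must be reduced to "000" comes from HHS guidance, and the rules below are a subset of the 18 identifier categories, not a complete implementation.

```python
import re
from datetime import date

# Constructed sample record for illustration only; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1930-03-15",
    "zip": "03601",
    "phone": "555-0100",
    "email": "jane@example.org",
    "ssn": "000-00-0000",
    "diagnosis_code": "E11.9",
    "visit_date": "2023-07-04",
    "note": "Follow-up call to 555-0100 or jane@example.org; A1c improved.",
}

# Fields holding direct identifiers; safe harbor removes these outright.
DIRECT_IDENTIFIER_FIELDS = ("name", "phone", "email", "ssn")

# Fields holding dates; safe harbor keeps only the year.
DATE_FIELDS = ("dob", "visit_date")

# Assumed set of three-digit ZIP prefixes that must become "000" because the
# area is sparsely populated. Placeholder: HHS publishes the actual prefixes.
SPARSE_ZIP3 = {"036"}

# Patterns for identifiers that tend to leak into free-text notes.
# Longer phone form first so "555-123-4567" is not matched piecemeal.
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b|\b\d{3}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def generalize_zip(zip_code):
    """Keep the first three digits unless that prefix is sparse, then '000'."""
    prefix = zip_code[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(dob_iso, reference):
    """Whole years between an ISO date of birth and a reference date."""
    birth = date.fromisoformat(dob_iso)
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_text(text):
    """Replace phone numbers and e-mail addresses found in free text."""
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


def safe_harbor_deidentify(record, reference_date):
    """Return a new dict with a subset of the safe harbor rules applied."""
    out = dict(record)
    for field in DIRECT_IDENTIFIER_FIELDS:
        out.pop(field, None)
    for field in DATE_FIELDS:
        if out.get(field):
            out[field] = out[field][:4]  # "YYYY-MM-DD" -> "YYYY"
    if record.get("dob"):
        age = age_on(record["dob"], reference_date)
        if age > 89:
            # Even the birth year would reveal an age over 89, so drop it
            # and report the aggregated category instead.
            out.pop("dob", None)
            out["age_category"] = "90+"
        else:
            out["age_category"] = str(age)
    if out.get("zip"):
        out["zip"] = generalize_zip(out["zip"])
    if out.get("note"):
        out["note"] = scrub_text(out["note"])
    return out


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, date(2024, 1, 1)))
```

Note that the free-text step is the weak point in practice: regular expressions catch only the identifier formats they were written for, which is one reason the "no actual knowledge" condition and the expert determination route both remain relevant even after field-level removal.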

Regardless of the method used, the Privacy Rule provides that PHI is considered de-identified if the information does not identify the subject of the PHI and there is no reasonable basis to believe that the information can be used to identify the individual. Notably, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, recognizes that properly de-identified data can still be re-identified, because HIPAA’s de-identification standards and methods do not require zero risk. Once medical records are properly de-identified, HIPAA poses no impediment to their production. However, depending on the information they contain, de-identified data may still fall within the scope of other regulatory or contractual obligations.

FTC’s views on data de-identification

Over the past decade, the FTC has consistently emphasized effective de-identification of data. The FTC may take enforcement action against unfair or deceptive acts or practices in commerce, including bringing lawsuits against companies that fail to protect consumer data. The FTC’s position does not invalidate HIPAA’s de-identification standard for PHI.

Recently, the FTC has clarified its stance on de-identification and adopted an approach similar to the California Consumer Privacy Act (CCPA), defining “de-identified” data in its enforcement actions against InMarket Media and X-Mode Social. The FTC alleged that both companies collected, aggregated, and sold location-related information about consumers to third parties without their informed consent. Both companies reached a settlement, agreeing to delete certain offending location data. Interestingly, the FTC exempted “de-identified data” from this deletion requirement, suggesting that de-identified data was not the FTC’s primary concern.

In both cases, the FTC adopted the same definition of de-identified data as the CCPA. The FTC defines de-identified information as data that cannot reasonably be identified or associated, directly or indirectly, with a specific consumer. Whether data qualifies depends on whether the business de-identifying the information meets four criteria: (i) it implements technical measures to prevent re-identification of the consumer to whom the information belongs, (ii) it has business processes that specifically prohibit re-identification of that consumer, (iii) it has business processes that prevent inadvertent release of the de-identified information, and (iv) it makes no attempt to re-identify the information.

It’s worth noting that the FTC does not consider data tied to a mobile advertising identifier, or to a particular individual’s home, to be de-identified data.

State privacy laws: CCPA example

Most state privacy laws provide various exemptions for de-identified data. As of this article’s last update, 18 states had comprehensive data privacy laws. These laws do not supersede or modify HIPAA’s PHI requirements. Technically, many methods of concealing identity are easily reversible, which makes the practical effectiveness of these exemptions unclear. State regulators and legal precedents offer minimal guidance on the re-identification of de-identified data.

For example, the CCPA does not classify de-identified data as “personal information,” so such data is exempt. There has been no direct enforcement action regarding de-identification of personal information in California. The California Privacy Protection Agency treats data minimization as a central principle of the CCPA, one that applies to every purpose for which a business collects, uses, stores, and shares consumers’ personal information.

De-identification can provide an important balance by preserving the availability of collected data while adhering to the CCPA’s data minimization principle. To the extent de-identified data can continue to provide insights into consumer behavior, trends, or patterns, removing unnecessary identifiers achieves business objectives without violating consumer privacy.

Practical considerations for US businesses

De-identification provides an attractive strategy for extracting value from collected data while complying with privacy laws, including the principle of data minimization. Federal and state regulators have developed more demanding de-identification standards for consumer information than HIPAA’s standards for PHI. This has complicated the process of shifting data sets along the identifiability spectrum, while increasing the protection of individuals’ privacy rights.

As privacy laws expand and enforcement actions intensify, relying on a single de-identification standard may not be enough. For example, if a dataset is classified as PHI and is also subject to federal and state consumer privacy laws, data de-identified under HIPAA may still fall within the jurisdiction of the FTC or state privacy regulations.

Ultimately, de-identification is a valuable tool for protecting privacy, but it requires scrupulous compliance with regulatory standards. Companies considering de-identification as part of their privacy law compliance strategy should:

  1. Assess the jurisdiction of origin and the characteristics of the personal information to accurately determine the applicable de-identification standard(s).
  2. Apply de-identification techniques appropriate to the data type, taking into account available resources and industry best practices, so that the de-identification is effective.
  3. Establish, implement, and update internal procedures and technical measures to prevent re-identification of the data.