De-identification is a valuable tool for protecting consumer privacy, but the process requires diligent compliance with multiple state and federal standards. L. Hannah Ji-Otto and Julie A. Kilgore, both of Baker Donelson, and legal adviser David Chen explore the various regulatory perspectives on data de-identification and their implications for businesses operating in the United States.
Businesses concerned about their data and technology use complying with privacy laws are focusing on de-identification, the process of altering information to safeguard individual identities.
The identifiability of data exists on a spectrum. On one end is directly identifiable data — e.g., Social Security numbers and email addresses. On the other end is non-personal data, such as the number of downloads for a specific app in a week. Shifting data along this spectrum through de-identification can potentially reduce a business’s privacy compliance obligations, given that deidentified data often enjoys exemptions under federal and state laws. However, ensuring that data de-identification meets these legal standards is a complex process.
Deidentifying PHI under HIPAA
HIPAA has long permitted de-identification of protected health information (PHI) by entities regulated under HIPAA to support secondary uses of data for…