Protecting the Benefits of De-Identified Health Care Information
Privacy Practice chair Kirk J. Nahra has written an article for the Washington Legal Foundation titled "Protecting the Benefits of De-Identified Health Care Information." The article analyzes the Pennsylvania Federal District Court's recent decision in Steinberg v. CVS Caremark Corp., 2012 U.S. Dist. Lexis 19372 (E.D.Pa. 2012), which recognizes both the benefits of the use and disclosure of de-identified health care information and the primacy of the HIPAA regulatory structure in defining appropriate rules for this information. The court's decision therefore is an important step in the ongoing battle to reinforce the beneficial uses of this information, and the decision takes the courts out of disputes about this data that already are defined by the appropriate regulatory process.
Questions about the use and disclosure of de-identified information continue to be raised, both in litigation and through the regulatory process. The Steinberg decision addresses several of these key issues, and (presumably) creates significant precedent to shut down future claims involving this information. Specifically, the court's decision makes clear that:
- Disclosure of information that has been de-identified pursuant to Health Insurance Portability and Accountability Act (HIPAA) is permitted by law;
- Because this information has been "de-identified," the individuals whose information was the original source of this de-identified data have no material privacy or monetary interest remaining in the data; and
- The courts should not intervene to address challenges to de-identification practices beyond the HIPAA standards, including the evaluation of whether information properly has been de-identified (as that is an issue for the regulatory and HIPAA enforcement process).
These findings should serve both to stem the tide of future litigation in this area and to protect the many benefits of the use and disclosure of de-identified health care information, both for public health and research purposes as well as various commercial purposes. These findings-which clearly are consistent with the approach taken in the HIPAA Privacy Rule-conclude that there is no material privacy interest when otherwise personal information has been de-identified. This approach represents a reasonable and appropriate balance between the Privacy Rule itself-which protects individual privacy interests-and the demonstrable benefits of the use and disclosure of de-identified data, both for clear "public benefit purposes" such as research and public health, and for other commercial purposes.
The full article is available here.