HIPAA, Expert Determination, and Safe Harbor

by John D. Cook, PhD

2.1. Is there more to Safe Harbor than 18 rules?

The Safe Harbor provision of the HIPAA Privacy Rule does indeed list 18 kinds of data to remove in order to deidentify data. While most of the rules are fairly objective, the 18th rule says to remove “any other unique identifying number, characteristic, or code.” How do you know whether a characteristic is identifying? There is also the so-called 19th rule, which is likewise open-ended.

2.2. Does Safe Harbor really protect privacy?

It may or may not. As noted above, Safe Harbor is a little fuzzy. One could even argue after the fact that if privacy wasn’t protected, something must have gone wrong with the 18th or 19th rules. But there have been data sets that complied with the objective portions of the Safe Harbor provisions and yet allowed individuals to be identified.

Any method of deidentifying data leaves some risk that an individual in the data may be identified, but ideally this risk should be very small. Whether the risk is indeed very small depends on more context than is present in the Safe Harbor rules.

2.3. Why does Safe Harbor remove dates of service?

In a nutshell, dates of service can sometimes be cross-referenced with publicly available data in order to identify individuals. More details are available here.

2.4. What is a “covered entity” under HIPAA?

According to the HIPAA statute (45 CFR 160.103) “Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”

See more on who is and isn’t a covered entity according to the U.S. Department of Health and Human Services here.

2.5. What is a business associate?

According to HHS, “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

 
