Expert Determination de-identification for statistical risk analysis – CCPA/HIPAA-compliant de-identification per 45 CFR §164.514(b)(1)
Under 45 CFR §164.514(b)(1), a covered entity may de-identify PHI by having a qualified statistical or scientific expert certify that the risk of identifying any individual is very small. anonym.legal supports this method by quantifying re-identification risk across quasi-identifier combinations, producing the statistical documentation an expert needs to certify compliance.
When this applies
Use Expert Determination when the dataset must retain clinically meaningful variables — such as multi-digit ZIP codes, rare diagnosis codes, or detailed dates — that Safe Harbor would remove, and a qualified expert is available to certify the residual risk meets the §164.514(b)(1) standard.
How anonym.legal handles it
- Upload the dataset and provide the expert's risk threshold (the 'very small' standard is not numerically defined in the rule; typical practice uses a re-identification probability below 0.09).
- The engine profiles all quasi-identifier combinations — age, ZIP, sex, race, diagnosis, admission year — and computes k-anonymity and l-diversity metrics for each combination.
- A risk report is generated showing the population uniqueness of each record combination, with flagged cells where re-identification probability exceeds the threshold.
- For flagged cells, the engine suggests targeted suppression, generalization, or data swapping interventions to bring risk below the threshold without removing the entire field.
- The expert reviews the risk report and the proposed interventions, applies any additional transformations, and certifies in writing that the risk is very small.
- The certified de-identified dataset and the expert's certification documentation are stored together as the compliance record.
- The transformed dataset is released for the approved secondary purpose.
What you provide
- Dataset containing PHI fields to be evaluated
- Expert's statistical risk threshold and preferred risk metric (k-anonymity, re-identification probability, etc.)
- Data dictionary and list of quasi-identifier fields
- Description of the intended secondary use and the audience who will receive the data
Limitations & cautions
- Expert Determination requires a qualified statistical or scientific expert to certify the result; anonym.legal provides the risk quantification but does not itself constitute the expert certification required by §164.514(b)(1).
- Re-identification risk depends on the availability of external auxiliary datasets; risk assessments should be revisited when new publicly available datasets (census updates, public health registries) are released.
- The method requires more time and cost than Safe Harbor; for routine data releases where Safe Harbor suffices, it is not the recommended approach.
FAQ
Who qualifies as a 'qualified statistical or scientific expert' under §164.514(b)(1)?
The Privacy Rule does not enumerate specific credentials. HHS guidance indicates the expert should have knowledge of accepted statistical and scientific principles for de-identification. In practice, biostatisticians, epidemiologists, and privacy engineers with demonstrated experience in re-identification risk analysis typically perform this role.
What does 'very small' risk mean in statistical terms?
The rule does not define a numerical threshold. Academic practice and published HHS guidance commonly references re-identification probability below 0.09 (9%) at the record level, but the expert may apply a different threshold appropriate to the data sensitivity and the intended use context. The expert's documentation must explain the basis for the chosen threshold.
Can Expert Determination be applied to datasets that also include Safe Harbor de-identification?
Yes. The methods are not mutually exclusive. A hybrid approach — applying Safe Harbor to the most sensitive identifiers and Expert Determination to quasi-identifiers that cannot be fully removed — is recognized in HHS guidance as a valid de-identification strategy.