Expert Determination and the High Standard for Protecting Patient Data
Abstract
Healthcare law allows patient data to be “de-identified,” meaning stripped of any connection to a specific person, so that it can be used without putting the patient’s privacy at risk or a health entity at compliance liability. Federal law permits two ways of accomplishing patient de-identification for vendors handling sensitive protected health information: Safe Harbor fit and Expert Determination. Just Appeals has chosen the more demanding of the two, Expert Determination, in which an independent data scientist or specialist examines the data and formally certifies that no patient can reasonably be identified from the documents being retained or handled. This paper explains what that method is, why Just Appeals selected Expert Determination in preference to the simpler Safe Harbor alternative, and why the decision reflects the company’s commitment to protecting its clients and to treating compliance as the foundation of Just Appeals’ work.
The protection of patient information in the United States is governed, in large part, by the federal HIPAA Privacy and Security Rules, which establish when health information may be used and disclosed and when it must be safeguarded. For healthcare technology vendors, compliance traditionally begins with legal and contractual mechanisms such as Business Associate Agreements (BAAs) and Data Use Agreements (DUAs), which define the circumstances under which information may be accessed, exchanged, and protected. Those agreements remain essential, but they do not alter the underlying nature of the information itself. Data subject to a BAA remains Protected Health Information (PHI), and the obligations associated with that designation remain intact.
De-identification represents a different and, in many respects, more durable layer of protection. Rather than regulating how information may be used, de-identification changes the status of the information itself by removing the reasonable ability to connect the data to a particular individual. This distinction has become increasingly important as health systems and their technology partners deploy advanced analytics, automation platforms, and artificial intelligence tools that derive value from large volumes of clinical information. Companies such as Just Appeals are frequently entrusted with information for purposes that extend beyond a single transactional exchange, including operational improvement, quality assurance, performance analytics, product development, and other activities intended to improve the services ultimately provided to healthcare organizations.
Importantly, de-identification is not legally required in every circumstance. HIPAA and HITECH expressly permit many uses and disclosures of PHI pursuant to appropriate contractual safeguards and regulatory requirements. Nevertheless, as healthcare organizations and their vendors increasingly retain, analyze, and learn from information to evolve their products and better serve health systems, the question becomes not merely what is permissible under the law, but what additional measures can be taken to reduce privacy risk. In that environment, ensuring the highest practicable degree of privacy and security should remain at the forefront of every healthcare technology vendor’s decision-making process.
Central to that effort is the concept of de-identification. In plain terms, health information is considered de-identified when it can no longer reasonably be connected to a particular individual patient. Once that condition is satisfied, the information is no longer treated as Protected Health Information (PHI), and the majority of the Privacy Rule’s restrictions cease to apply because there is no longer a patient who can be identified from the data.¹ Properly performed, de-identification is therefore the mechanism that permits clinical information to be retained, analyzed, and used responsibly while preserving the privacy of the individuals behind it. It also provides important protection to healthcare entities and their vendors should such information be intercepted by unauthorized parties, because the information itself no longer identifies a patient or exposes the health entity to significant privacy-related liability risk. Moreover, it allows health systems to leverage modern analytics, automation, and intelligent software capabilities with greater confidence that the information being utilized has been evaluated under a recognized de-identification framework designed to prevent patient re-identification.
Ultimately, the HIPAA Privacy Rule recognizes two methods by which de-identification may be accomplished, and the distinction between them is significant. The first, commonly referred to as the Safe Harbor method, operates as a prescribed checklist. It requires the removal of eighteen specified identifiers, including names, full dates, and detailed geographic information, after which the remaining information is deemed de-identified.² The method is rather straightforward, predictable, and entirely appropriate for many routine purposes and for structured data such as that living inside an Excel sheet.
The second method, and the one Just Appeals elected to pursue, is known as Expert Determination. Under this approach, a qualified individual with appropriate statistical and scientific expertise evaluates both the health data and the circumstances in which it will be used, applies generally accepted methodologies to determine if the remnant documents can re-identify a person, often after removing, obfuscating, or substituting the eighteen direct PHI identifiers and tangential indirect ones, and formally certifies that the risk of re-identifying any individual from a given document is very small. The expert must further document the basis for that low-risk conclusion and preserve the supporting analysis for review.³ Put simply, Expert Determination does not depend upon the removal of a fixed list of fields by itself. It depends instead upon independent expert verification that the information, as it will be used by a health entity or a vendor, cannot reasonably be traced back to a patient.
Just Appeals’ decision to pursue the more rigorous of the two methods rests on the nature of the information we process and the obligations we owe to the healthcare organizations we serve. The materials central to our company’s work consist largely of unstructured clinical narratives: the physician documentation, treatment rationales, pathology discussions, and medical analyses that explain why a particular course of care is appropriate in appeal letter creation, for example. Information of this kind does not reside neatly within discrete database fields where a Safe Harbor method could apply. A clinical narrative usually contains combinations of diagnoses, procedures, treatment timelines, rare clinical circumstances, geographic references, or other contextual details that, while not identifiers in isolation, can collectively narrow the field of possible individuals. We mitigate that when handling information and providing services to our clients.
It’s also important to note that preventing re-identification of patient data becomes increasingly important in an era of advanced analytics and artificial intelligence. Modern software systems are specifically designed to identify patterns, relationships, and contextual meaning within large volumes of information. As those capabilities become more sophisticated, the relevant question is not merely whether obvious identifiers such as names or addresses have been removed. The more important question is whether the remaining information, viewed in its entirety and in conjunction with other reasonably available information, could permit a patient to be re-identified. Expert Determination is uniquely suited to evaluating that risk because it examines the information as it actually exists and as it will actually be used.
For that reason, Just Appeals elected to subject its de-identification methodology to independent review. The Expert Determination process required a formal assessment of whether information processed by our platform could reasonably be used, either alone or in combination with other available information, to identify an individual patient.⁴ The resulting determination showed that we met the ‘very low risk’ standard, which we are proud of. This is not merely an internal assertion regarding compliance. It is a documented analysis performed by an independent expert applying an established legal, statistical, and scientific standard.
We emphasize that the significance of our determination extends beyond regulatory compliance. Healthcare organizations increasingly expect technology vendors to demonstrate not only that patient information is secured from unauthorized access, but also that information processed within intelligent software systems cannot readily be traced back to the individuals from whom it originated. These are related but distinct concerns. Encryption, access controls, cybersecurity programs, and technical safeguards address the risk of unauthorized acquisition. De-identification addresses the separate risk of re-identification and privacy. Both forms of protection are necessary for the responsible use of healthcare data.
Obtaining that assurance required a substantial investment of time, resources, and independent expertise by Just Appeals and its partners. The process involved detailed evaluation of data flows, document structures, de-identification methodologies, and re-identification risk across the various forms of clinical documentation routinely encountered by the platform. That investment was made because independent validation provides a level of evidence, transparency, and defensibility that internal review alone cannot easily replicate.
Viewed in that light, the completion of the Expert Determination is not best understood as a procedural compliance milestone. Rather, it is part of the foundational and iterative infrastructure required for the responsible deployment of artificial intelligence in healthcare. As health systems increasingly adopt intelligent software to support clinical, operational, and administrative functions, the ability to demonstrate that patient information cannot reasonably be traced back to an individual is becoming a foundational requirement for trust and responsible innovation. Our investment in Expert Determination provides independent, documented evidence that clinical information can be utilized for legitimate healthcare purposes while preserving the privacy protections that patients and providers rightly expect.
References
- 1.45 C.F.R. § 164.514(a) (HIPAA Privacy Rule de-identification standard).
- 2.45 C.F.R. § 164.514(b)(2) (Safe Harbor method).
- 3.45 C.F.R. § 164.514(b)(1) (Expert Determination method).
- 4.U.S. Department of Health and Human Services, Office for Civil Rights, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule (2012).

