Citizen Portal
Sign In

Get AI Briefings, Transcripts & Alerts on Local & National Government Meetings — Forever.

Claim Your Spot

Expert briefing: harmonize HIPAA deidentification, consider ban on reidentification

House Commerce & Economic Development · April 29, 2026
AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

Anne (Future of Privacy Forum) told the committee that HIPAA’s deidentification standards (safe harbor and expert determination) are stringent and defensible for medical data; she recommended harmonizing state standards with HIPAA and urged the legislature to consider a ban on reidentifying HIPAA‑deidentified data with limited exceptions.

Anne, a senior fellow at the Future of Privacy Forum who specializes in deidentification, provided a technical overview April 8 of how HIPAA deidentification works and why that standard matters for legislative drafting.

She explained that HIPAA recognizes exactly two methods to deidentify data: the safe harbor method (which lists numerous direct and indirect identifiers to remove, including many geographic details, exact dates and device identifiers) and the expert determination method (which requires a qualified statistician to document that reidentification risk is "very small"). "If you told me you had a homegrown methodology, I would be inclined to say you actually have a legal problem," she said, summarizing why legal adherence matters for research and health data use.

Anne told the committee that most states now apply a two‑tier approach — HIPAA methods for medical data and state‑specific deidentification for other consumer data — and that creates complexity for multi‑state entities. She praised the draft language in front of the committee for explicitly allowing HIPAA deidentification methods to be applied more broadly and called that approach "elegant" because it can reduce operational friction.

She also described pseudonymization (identifiers removed but link keys retained separately) as still subject to privacy law but often given favorable treatment. Finally, Anne suggested Vermont consider the California model that bans reidentification of HIPAA‑deidentified data (with narrow exceptions for public health, research and legal requirements) and offered technical assistance on crafting exceptions.

Dr. Colin Moffitt, a statistical deidentification expert, joined remotely for technical Q&A and confirmed the challenges and rigor involved in expert determination analyses.

Committee members welcomed the technical briefing and noted that harmonization could reduce confusion for regulated entities and researchers.