What is HIPAA Expert Determination? 

Expert determination is rooted in expertise and objectivity, which has become a guiding light for healthcare companies seeking effective solutions to intricate challenges. Let’s dive into exactly what it is and the impact it has in the healthcare industry. 


HIPAA (Health Insurance Portability and Accountability Act) expert determination refers to a process outlined in the HIPAA Privacy Rule that allows covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) to seek guidance from an external expert. This will then determine if certain disclosures of protected health information (PHI) comply with HIPAA regulations.

Under the HIPAA Privacy Rule, covered entities are required to protect patients’ PHI and are generally prohibited from disclosing PHI without patient authorization. However, there are situations in which HIPAA allows for certain disclosures without patient consent, such as for treatment, payment, and healthcare operations. In cases where the covered entity is uncertain about whether a particular disclosure meets the HIPAA requirements, they can engage in an expert determination process.

During this process, the covered entity would consult with an independent expert who possesses the necessary expertise in HIPAA regulations and privacy practices. The expert reviews the situation, the proposed disclosure, and the relevant circumstances to determine if the intended action aligns with HIPAA requirements. The expert’s decision serves as an authoritative guidance to the covered entity, helping them make informed decisions while remaining compliant with HIPAA regulations.

How Expert Determination Works within De-Identification 

De-identification involves removing or altering specific identifiers from health information to ensure that the data cannot be used to identify individuals. This process is designed to protect patient privacy and enable the use of data for research, analysis, and other purposes while minimizing the risk of re-identification.

Here’s how the HIPAA expert determination method works within de-identification:

Complex Scenarios: When covered entities encounter scenarios where the safe harbor method is not practical, they can engage an external expert who possesses expertise in statistical and scientific methods, as well as the principles of re-identification risk assessment.

Evaluation: The expert evaluates the data and the proposed de-identification techniques to assess whether the risk of re-identification is sufficiently low. They then take into consideration factors such as the nature of the data, the context, and the intended use.

Certification: If the expert determines that the de-identified data carries a low risk of re-identification, they can provide a certification attesting to its compliance with HIPAA requirements. This certification acts as assurance to the covered entity that their de-identification efforts are appropriate.

Use of De-Identified Data: With the expert’s certification, covered entities can use the de-identified data for research, analysis, and other purposes without violating HIPAA regulations.

Teton Analytics’ Expert Determination HIPAA Certification 

At Teton Analytics, we use expert determination in our data de-identification methods as outlined by the HIPAA privacy rules. There is often a significant amount of privacy work required to normalize and transform native healthcare data to meet the requirements of an expert determination, with the benefit being that the retained attributes enable de-identified patient linkage and the data retains the vast majority of key clinical fields. 

For these reasons, a HIPAA certification is the gold standard for clients seeking to pursue detailed patient and provider analytics. We achieved our data model-certification by working closely with Dr. Brad Malin of Vanderbilt University, one of the leading experts in the US on data privacy. 

As such, data licensed from Teton Analytics falls under our certification and is HIPAA-compliant on day one such that critical research and analytics can begin the same day as delivery.

Click here to learn more about our data de-identification methods