The Office of the National Coordinator for Health IT wants to test what it would take to re-identify personal health information that has been scrubbed of the digital identifiers that link it to an individual person.

The Health Insurance Portability and Accountability Act (HIPAA) privacy rule requires that healthcare providers and insurance plans safeguard personal information that can link it to an individual.

How to adequately protect patient privacy has become a fiercely debated issue as the administration presses for the widespread adoption of electronic health records and the ability of providers to share health information. Under the health IT incentive plan, meaningful users of EHRs will qualify for incentive payments starting in 2011.

The Health and Human Services Department plans to hire a vendor with in-depth knowledge of the HIPAA privacy rule and experience conducting comprehensive research on re-identifying a de-identified dataset, according to a Jan. 4 announcement on the Federal Business Opportunities Web site. The site provides information for firms that want to do business with the government.

ONC wants the vendor to "demonstrate the ability or inability to re-identify the data" using methods and technologies that exclude "brute force" matching, which systematically generates and tests all match possibilities.

According to the notice, re-identifying data means to "accurately and unambiguously" match a de-identified data record to an individual. Under HIPAA, health information is de-identified when a provider or health plan has removed all 18 identifiers, such as name and address, and does not know that the information could be used alone or in combination to identify an individual.

The vendor will report the results, including a thorough explanation of methodology, computer software used and laboratory notes. HHS did not provide a time frame for the contract.