Expert Determination is the second HIPAA route to de-identifying protected health information (PHI), and unlike the mechanical Safe Harbor method it relies on judgment rather than a checklist. Under 45 CFR §164.514(b)(1), a person with appropriate statistical and scientific knowledge analyzes the specific dataset, the context it will be used in, and who will receive it, then certifies that the risk of re-identifying any individual is 'very small.' The expert must document the methods and results of that analysis, and you must retain that documentation — it is the artifact that defends the determination if a regulator asks.
Why a telemedicine team would choose this harder path: it preserves analytical utility that Safe Harbor destroys. With the right statistical controls — generalizing rare values, perturbing or shifting dates consistently, limiting who receives the data — dates and finer geography can survive, so longitudinal studies and machine-learning training corpora remain useful. This makes Expert Determination the standard route for research collaborations and for assembling training data for clinical models.
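Two of the controls named above, consistent date shifting and generalizing rare values, sketched as an added example (not code from this page or from any regulation). The field names, the key, the shift window, and the group-size threshold are all assumptions; in a real release the expert sets those parameters and documents them.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date, timedelta

SHIFT_KEY = b"constructed-demo-key"  # assumption: real key stays in a secrets manager, never with the data
MAX_SHIFT_DAYS = 180                 # assumption: shift window chosen by the expert
MIN_GROUP = 3                        # assumption: smallest group released without generalization

def _mac(label: bytes, patient_id: str) -> bytes:
    # The label separates the two uses of the key (pseudonym vs. date offset).
    return hmac.new(SHIFT_KEY, label + patient_id.encode(), hashlib.sha256).digest()

def pseudonym(patient_id: str) -> str:
    """Stable keyed pseudonym so one patient's rows stay linkable."""
    return _mac(b"pid:", patient_id).hex()[:16]

def shift_days(patient_id: str) -> int:
    """Deterministic per-patient offset in [-MAX_SHIFT_DAYS, +MAX_SHIFT_DAYS]."""
    n = int.from_bytes(_mac(b"shift:", patient_id)[:4], "big")
    return n % (2 * MAX_SHIFT_DAYS + 1) - MAX_SHIFT_DAYS

def generalize_rare(values, min_group=MIN_GROUP, placeholder="OTHER"):
    """Replace any value seen fewer than min_group times with a placeholder."""
    counts = Counter(values)
    return [v if counts[v] >= min_group else placeholder for v in values]

def transform(records):
    """Drop the raw ID, shift every date by its patient's offset, generalize rare diagnoses."""
    diagnoses = generalize_rare([r["diagnosis"] for r in records])
    return [
        {
            "pseudonym": pseudonym(r["patient_id"]),
            "visit_date": r["visit_date"] + timedelta(days=shift_days(r["patient_id"])),
            "diagnosis": dx,
        }
        for r, dx in zip(records, diagnoses)
    ]

# Constructed sample rows, not real patient data.
RECORDS = [
    {"patient_id": "P001", "visit_date": date(2023, 1, 10), "diagnosis": "hypertension"},
    {"patient_id": "P001", "visit_date": date(2023, 3, 1), "diagnosis": "hypertension"},
    {"patient_id": "P002", "visit_date": date(2023, 2, 5), "diagnosis": "hypertension"},
    {"patient_id": "P003", "visit_date": date(2023, 2, 20), "diagnosis": "fabry disease"},
]

if __name__ == "__main__":
    for row in transform(RECORDS):
        print(row)
```

Because the offset is derived per patient, the interval between one patient's visits is unchanged, which is what keeps longitudinal analysis usable.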
The trade-offs are cost and durability. You need a qualified expert (internal or contracted), a written methodology, and the discipline to re-evaluate when the data, recipient, or release context changes — a determination is valid for a defined dataset and circumstance, not forever. A common mistake is treating one expert sign-off as a permanent license and then quietly expanding the dataset or broadening who can access it, which can invalidate the original 'very small risk' conclusion without anyone noticing.

