Healthcare groups and their business associates that want to transmit share protected health information must do so in line with the HIPAA Privacy Rule, which restricts the potential uses and disclosures of PHI, but de-identification of protected health information essentially means HIPAA Privacy Rule restrictions no longer are in place.
HIPAA Privacy Rule restrictions only governs individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be ascertained, and re-identification of individuals cannot occur, PHI can be freely shared.
The de-identification of protected health information allows HIPAA covered groups to share health data for large-scale medical research, policy assessments, comparative effectiveness research, and other studies and assessments without breaching the privacy of patients or requiring authorizations to be obtained from each patient prior to data being shared.
Protected Health Information & HIPAA-Compliant De-identification
HIPAA-compliant de-identification of protected health information is possible via two methods: Safe Harbor and Expert Determination. Neither method of de-identification of protected health information will wipe clear all risk of re-identification of patients, but both methods will reduce possible danger to a very low and acceptable level. Use either of the two methods below and PHI will no longer be considered ‘protected health information’ and will therefore not be governed by HIPAA Privacy Rule restrictions.
1. Safe Harbor – The Removal of Specific Identifiers
The initial HIPAA compliant way to de-identify protected health information is to delete specific identifiers from the data set. The identifiable data that must be deleted are:
- Indicators of Names
- Geographic and location subdivisions lower than a state
- All aspects of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and referrals to dates (including year) that are indicative of age)
- Telephone contact details, cellphone, and fax numbers
- IP identifiers
- Social Security information
- Medical record details
- Health plan account numbers
- Device identifiers and serial number data
- License/certificate numbers
- Account information
- Vehicle identifiers and serial numbers such as license plates
- Website addresses
- Complete photos and comparable images
- Biometric identifiers such as finger and voice prints
- All unique identifying numbers, details or codes
In the case of zip codes, covered groups are allowed to use the first three digits supplied the geographic unit formed by linking together those first three digits contains more than 20,000 individuals. When that geographical unit contains less than 20,000 individuals it should be amended to 000. The Bureau of the Census say that this means 17 zip codes must have the first three digits amended to zero:
036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831
HIPAA Covered entities should remember that the above list of zip codes may be altered following future censuses. The list is formed using 5-digit zip codes from the 2000 census.
For more details on de-identification of protected health information using the safe harbor method review 45 CFR § 164.514(b)(2).
2. Expert Determination
The expert determination method comes with a small risk that an individual could be identified, although the risk is so low that it meets HIPAA Privacy Rule obligations.
This method of de-identification of protected health information means that a HIPAA covered entity or business associate must obtain an opinion from a qualified statistical expert that the danger of re-identifying an individual from the data set is minimal. In such instances, the methods used to make that determination and justification of the expert’s opinion must be recorded and retained by the covered entity or business associate and made usable to regulators in the event of an audit or investigation.
The expert must be a person with appropriate knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.
When those methods and principles have been used, the expert must ascertain that the danger of re-identification of an individual is minimal. In such instances, the danger of re-identification must be very small when the information is used on its own, and must remain very small should the data be linked with other reasonably available information by an anticipated recipient to identify an individual who is a subject of the data.
HIPAA does not refer to the level of risk of re-identification other than to mention that it should be ‘very small’. The expert should define ‘very small’ in relation to the context of the data set, the specific environment, and the ability of an expected recipient to be able to re-identify people.
Experts may come from a range of different fields and do not require any specific qualifications. What is crucial is that experts have experience of de-identifying data. It is that experience that regulators will look at in the event of an audit, not particular or certifications.
For more details on de-identification of protected health information by specialist determination review 45 CFR § 164.514(b)(1).
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has made available information on de-identification of protected health information which can be seen on this link.