HIPAA and De-identification of Protected Health Information
The HIPAA Privacy Rule puts a number of restrictions in place to keep protected health information (PHI) secure. This also hampers healthcare organizations’ ability to share information. A way to share data while remaining HIPAA compliant could be the de-identification of information. PHI that has been de-identified has had its identifying elements removed. HIPAA’s Privacy rule is no longer relevant to this information and it can be shared more freely.
The HIPAA Privacy Rule deals with individually identifiable PHI. Without identifying information, and if re-identification is not possible, transmission of PHI is much less restricted.
De-identification may be carried out to enable sharing of data for mass medical research, comparative effectiveness studies, and other research purposes. Patient privacy is not violated and there is no need to gain permission from a large number of individual patients.
De-identification of PHI to HIPAA Standards
De-identification of PHI to HIPAA standards can be achieved in one of two ways: Expert Determination and Safe Harbor. While both of these leave some risk of re-identification, it is brought down to an acceptable level. Once treated with one of these techniques, PHI is no longer ‘protected’ by the HIPAA Privacy Rule.
1. Expert Determination
This method does not eliminate all risk of an individual being identified at a later date, but it reduces it to a sufficiently low level.
For this method, a HIPAA covered entity needs the professional opinion of a qualified statistical expert that the probability of being able to identify someone from the information is very low. The probability of identification must be low both when the data is taken on its own and also when added to other information that it is likely the eventual user will have access to.
The acceptable level of risk is not defined by HIPAA beyond “very small”. The statistician should make their assessment of the risk by considering the data being examined, the particularities of the environment, and the potential of the receiving body to re-identify patients.
There is no specific qualification needed for someone to be considered an expert in this regard. Experience in de-identifying data is the main criteria necessary. Auditors may review this experience should an examination ever arise.
More information about de-identification of PHI by Expert Determination can be found under 45 CFR § 164.514(b)(1).
2. Safe Harbor – Removing Specific Identifiers
PHI can also be de-identified by removing specific identifiers from the information. Examples of data to remove include:
- Full face photos and comparable images
- Biometric identifiers (including finger and voice prints)
- Social Security numbers
- Medical Record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- Vehicle identifiers and serial numbers including license plates
- Any unique identifying numbers, characteristics or codes
- All information related to dates, apart from the year. This applies to admission and discharge dates, birth dates, death dates, ages over 89 years old, and elements of dates (including year) that are indicative of age
- Contact phone or fax numbers
- IP addresses
- Email addresses
- Website URLs
- Locations to areas more specific than state level
- Final two digits of Zip codes – the first three digits can be used provided the areas of full Zip codes starting with those three digits contain over 20,000 people. If not, it should be shown as 000. According to the Bureau of the Census, this means 17 zip codes must be represented as 000: 036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831. This list is subject to change as demographics shift.
More information about de-identification of PHI by Safe Harbor can be found under 45 CFR § 164.514(b)(2).
The U.S. Department of Health and Human Services’ Office for Civil Rights guidance on PHI de-identification can be found here.