De-identification of Protected Health Information
Healthcare companies and business associates that would like to access or share protected health information (PHI) need to do so according to the HIPAA Privacy Rule, which restricts the allowed uses and disclosures of PHI. But with the de-identification of PHI, the restrictions of the HIPAA Privacy Rule no longer apply. What does it mean to de-identify PHI?
HIPAA Privacy Rule limitations only applies to individually identifiable protected health information. If PHI is de-identified or anonymized, which means there is no way to determine the identity of the person, and re-identification of the person is not possible, the PHI can now be freely shared or disclosed.
The de-identification of PHI allows the sharing of health data in different ways without breaking patient privacy or needing patient consent or authorization before doing so. De-identified PHI can be disclosed for medical research studies, comparative studies, policy evaluations and other studies and analysis.
There are two ways to proceed with HIPAA-compliant de-identification of PHI: By Safe Harbor or By Expert Determination. None of the methods of PHI de-identification will eliminate all risk of re-identifying the patients, but both methods will minimize risk to a suprisingly low and acceptable level. Make use of any method described below to de-identify PHI so that it is no longer subject to HIPAA Privacy Rule restrictions.
Safe Harbor Method – Removing Specific Identifiers
This method removes certain identifiers from the data set. The identifiable information which should be taken out are:
- Geographic subdivisions smaller than a state
- All elements of dates (other than year) associated with a person (such as admission and discharge dates, date of birth, date of death, all ages over 89 years old, and elements of dates (which include year) that indicate age)
- Contact numbers
- Email addresses
- Social Security numbers
- IP addresses
- Website URLs
- Medical record numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Account numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Biometric identifiers (including finger and voice prints)
- Full face photos and comparable images
- Any unique identifying numbers, characteristics or codes
When it comes to zip codes, covered entities can use the first three digits as long as the geographic unit created by mixing those first three digits has over 20,000 people. If that geographical unit has less than 20,000 people it must be changed to 000. Based on the Bureau of the Census, that means 17 zip codes should have the first three digits adjusted to zero.
Expert Determination Method
This method bears some risk that a person may be identified. But the risk is very low that it would still satisfy the HIPAA Privacy Rule requirements. HIPAA covered entity or business associates must inquire the opinion of a statistical expert to make sure that the risk of re-identifying a person from the data set is really small. In such instances, the techniques used should be documented and kept by the covered entity or business associate and made accessible to government bodies in case of an investigation or audit.
The expert should be an individual with proper know-how and experience of utilizing statistical and scientific principles and techniques for removing or modifying information to ensure that it is not individually identifiable. It is important that the expert has the experience of deidentifying data. Regulators will be looking at that experience in case of an audit, and not the expert’s specific skills or certifications. When applying methods and principles, the expert should find out if the risk of reidentification of a person is really small. The risk of reidentification ought to be very small when the data is used by itself, and should stay very small if the data happen to be coupled with other available information that a recipient has access to.
HIPAA is not defining the level of risk of re-identification besides saying that it ought to be ‘very small’. The expert must specify ‘very small’ in connection with the context of the data set, the particular environment, and the capability of a person to be able to reidentify persons. For more details on de-identifying PHI using expert determination see 45 CFR § 164.514(b)(1). The U.S. Department of Health and Human Services’ Office for Civil Rights has released guidance on de-identification of PHI which is available on this link.