b.) De-Identified Health Information
The Privacy Rule does not apply to the use or disclosure of de-identified health information.10 Health information is considered de-identified when it no longer identifies or provides a reasonable basis to identify an individual. Information may be de-identified using either the safe harbor method or the statistical method.
To properly de-identify information in compliance with the safe harbor method, a covered entity: 1) must remove certain identifiers relating to an individual or the individual’s relatives, employers, or household members; and 2) cannot have actual knowledge that the remaining information could be used to identify an individual.11 If all of the following identifiers are removed, the information is no longer considered PHI and may be disclosed to anyone without regard to HIPAA:
- Names
- All geographic subdivisions smaller than a state, including: street, city, county, precinct, and zip code. However, the first three digits of a zip code can be used if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people. If the unit contains less than 20,000 people, the initial digits must be changed to 000.
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death. For individual over the age of 89, all dates, including the birth year, must either be removed or aggregated into a category of persons who are 90 and older.
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs) and Internet protocol (IP) address
- Biometric identifiers, including finger and voice prints
- Full face photos and comparable images
- Any other unique identifying number, characteristic, or code, except those permitted for re-identification purposes
Alternatively, information may be de-identified using the statistical method, in which a statistical expert applies generally accepted statistical and scientific principles to verify that an individual’s identity is protected from exposure under reasonable expectations. The expert must determine that there is no more than a very small risk of having an anticipated recipient use the information, alone or in conjunction with other reasonably available information, to identify an individual.12 HITECH requires HHS to develop further guidelines regarding de-identification; the department held a workshop to that end in March 2010.13
Footnotes
- 10. 45 C.F.R. § 164.514(a).
- 11. 45 C.F.R. § 164.514(b).
- 12. Id.
- 13. HHS.gov, Workshop on the HIPAA Privacy Rule’s De-identification Standard, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-id... (last visited April 27, 2012).