De-Identification of Protected Health Information
Category: Privacy
Date: March 2003
Reviewed/Revised: April 2013
Purpose
To comply with HIPAA Rule(s) 164.502 (d) and 164.514 (a-c). The referenced section of the HIPAA or Privacy law defines the process for de-identifying patient health information for the purpose of use and disclosure and the requirements for Covered Entities concerning de-identified information. For the purpose of the HIPAA Rules, the Covered Entity is defined as all health care facilities owned and operated by EVMS Medical Group et al., including physician practices, clinics, outpatient facilities and hospitals.
Policy/Requirements
I. Creation of De-Identified Information
Covered Entities have the option to use protected patient health information in a de-identified format. Once protected health information is de-identified, it is not subject to the privacy rule (e.g. the authorization requirement). If the Covered Entity discloses a key or mechanism for re-identification of the health information, the exemption from the privacy rule no longer applies, e.g. authorization is required.
II. Process for De-identification of Protected Health Information
- Protected health information is considered de-identified when the Covered Entity has no reasonable basis to believe that the information can be used to identify the individual.
- Compliance with the above requirement can be demonstrated by one of two methods.
  - The first method is to have the formula for de-identification reviewed using scientific principles and statistical methods to ensure that the information being provided or a combination of the provided information plus other readily available information would not result in the individual identification of a patient. The actual review and name and qualifications of the reviewer must be documented and archived prior to use of the information.
  - The second method for de-identification would be to follow specifically a formula defined in a safe harbor to the law.
    - The following data must be removed:
      - Name;
      - Location of individual (can use state, no location more specific);
      - Dates (all dates related to the subject of the information, e.g. birth dates, admission dates, discharge dates, encounter dates, surgery dates, etc.);
      - All numerical identifiers (medical record numbers, SSN, health plan beneficiary numbers, addresses, telephone numbers, e-mail, fax numbers, zip codes, social security numbers, driver’s license numbers, vehicle identifiers, etc.);
      - Biometric identifiers;
      - Photographic images;
      - Any other unique identifying numbers, characteristics or codes that could identify an individual.
    - The following data may be used:
      - Age (age 90 and over must be aggregated to prevent the identification of very old individuals);
      - Race;
      - Ethnicity;
      - Marital status;
      - Codes (a random or fictional code may be used to link cases or re-identify the health information at a later time; codes may not be a derivative of the individual’s social security number or other identifiable numerical codes, e.g. birth date, fax number, etc.).
- The Covered Entity is prohibited from disclosing the mechanisms for re-identification, e.g. tables, codes or algorithms.
- Questions concerning de-identification of patient information should be forwarded to the Privacy Office.
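
The safe harbor method in section II, sketched as an added Python example that is not part of the policy itself. It keeps only the fields the policy lists as usable (an allow-list, so unlisted identifiers are dropped by default), aggregates ages 90 and over, and assigns a random linking code. The field names, the `mrn` key and the sample records are assumptions made for illustration.

```python
import secrets

# Fields the policy lists under "may be used", plus state (the only location allowed).
# Anything not named here is dropped, so a new identifier column cannot leak by default.
ALLOWED = ("age", "race", "ethnicity", "marital_status", "state")
AGE_CAP = 90  # ages 90 and over are reported as a single aggregate bucket


def deidentify(records, id_field="mrn"):
    """Return (deidentified_rows, linkage_table).

    linkage_table maps each random code back to the original identifier. It is
    the re-identification mechanism and must not be disclosed with the rows.
    """
    codes_by_id, linkage, rows = {}, {}, []
    for rec in records:
        row = {k: rec[k] for k in ALLOWED if k in rec}
        if "age" in row:
            age = int(row["age"])
            row["age"] = "90+" if age >= AGE_CAP else age
        ident = rec[id_field]
        if ident not in codes_by_id:
            # Random code: not a derivative of SSN, record number or any date.
            code = secrets.token_hex(8)
            codes_by_id[ident] = code
            linkage[code] = ident
        row["code"] = codes_by_id[ident]  # same patient, same code: links cases
        rows.append(row)
    return rows, linkage


SAMPLE = [  # constructed records, not real patient data
    {"mrn": "MRN-000123", "name": "Ada Example", "dob": "1920-02-11",
     "zip": "00000", "state": "VA", "age": 93, "race": "White",
     "marital_status": "Widowed", "admission_date": "2013-04-02"},
    {"mrn": "MRN-000123", "name": "Ada Example", "state": "VA", "age": 93,
     "discharge_date": "2013-04-09"},
    {"mrn": "MRN-000456", "name": "Bo Sample", "ssn": "000-00-0000",
     "state": "VA", "age": 45, "ethnicity": "Not Hispanic or Latino"},
]

if __name__ == "__main__":
    rows, linkage = deidentify(SAMPLE)
    for r in rows:
        print(r)          # safe to release
    print(len(linkage), "linkage entries kept internally")
```
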