Healthcare providers are required to protect patient information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, patient information often needs to be used for purposes beyond patient care, for instance, in performing research. To do this without breaching HIPAA rules and regulations, practitioners need to “de-identify” the data, that is, remove certain patient information, so that it can be used in compliance with HIPAA.
Understanding HIPAA and De-Identification
As we all know, HIPAA safeguards the protected information of patients or individuals, referred to as Protected Health Information (PHI). Should a practitioner need to utilize PHI, certain specific personal identifiers can be removed in order to protect the information and remain in compliance with HIPAA. This process is called de-identification, and it is a foundational step in ensuring that PHI is not improperly disclosed.
So the question is: What are these personal identifiers? There are eighteen (18) identifiers that can be removed to safely protect the information of a patient under HIPAA’s safe harbor method. They are as follows:
- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image – Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
Removing these identifiers ensures the data cannot be traced back to an individual—making it safe to use within the confines of the rules and regulations of HIPAA.
Why De-Identifying Data Matters
The de-identification process is vital to maintaining the privacy standards set by HIPAA, and it prevents improper sharing of PHI with unauthorized third parties. It becomes especially important when conducting research, as de-identified data can be shared with third parties without breaching compliance and still provide useful information to help in future inventions or protocols that can be beneficial to the public as a whole.
Final Thoughts
Whether you are managing records, conducting research, or communicating with third parties, understanding and applying the de-identification process under HIPAA’s safe harbor method is essential to protecting your patients’ personal information and, in turn, maintaining HIPAA compliance and protecting your practice.
To learn more about how to stay compliant, reach out to your lawyer with any questions you may have.