Understanding De-Identification of PHI

Posted by Marla Roshkoff - 06 December, 2012


The Department of Health and Human Services (HHS) released guidance on the two methods for de-identifying protected health information (PHI) under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Once PHI is de-identified, it is no longer subject to HIPAA's privacy requirements.

Two methods are approved by HHS to de-identify PHI: the Expert Determination Standard and the Safe Harbor Standard. The guidance describes the background on de-identification, the process by which de-identified information is created, and the two options for performing de-identification.

HIPAA protects PHI, which is individually identifiable health information held or transmitted by a covered entity. PHI is information, including demographic information, which relates to an individual's present, past or future physical or mental health or condition, treatment of that condition, or payment for health care. To be PHI, the information must either identify the individual or include enough information so that there is a reasonable basis to believe that the information can be used to identify the individual. PHI is subject to HIPAA's privacy restriction.

The Privacy Rule recognizes that covered entities may need information relating to PHI, but can use that information in a de-identifiable format. HIPAA permits a covered entity to take PHI, redact it so it is no longer identifiable, and then use the de-identifed information freely. There are two de-identification methods acceptable under HIPAA. The first method is a formal determination by a qualified expert that the information is no longer PHI, and the second method is the removal of specified individual identifiers as well as the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Expert Determination Standard

There is no specific certification or degree a person has to maintain to be considered an "expert" authorized to de-identify information. HHS has stated that no single, universal solution addresses all privacy and identifiability issues. The expert is not required to use a particular process in making its determination that the risk of identification is small. However, HIPAA does require that the methods and results of the analysis must be make available upon request. The guidance provides specific tools for experts to use when working with covered entities to analyze and evaluate the data and the risk.

Safe Harbor Standard

To satisfy the safe harbor method, all of the following identifiers of the individual or relatives, employers, or household members of the individual must be removed:

  • Names
  • Geographic subdivisions smaller than a sate, including street address, city, county, precinct, ZIP code, geocode (except for the initial three digits of the ZIP, if publicly available from the Census Bureau within certain parameters
  • All elements of dates (except year) relating to an individual, including birth date, admission date, discharge date, death date, and ages over 89
  • Telephone numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Fax numbers
  • Device identifiers and serial numbers
  • Email addresses
  • Web universal resource locators (URLs)
  • Social security numbers
  • Internet Protocol (IP) addresses
  • Medical record numbers
  • Biometric identifiers, including finger and voice prints
  • Health plan beneficiary numbers
  • Full-face photographs and comparable images
  • Account numbers
  • Certificate/license numbers
  • Any other unique identifying number, characteristic, or code.

In addition, the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

The guidance provides detail on each of these data points, and discusses when removal will be considered accomplished for de-identifying PHI.

Expanding on existing rules, this new guidance may be helpful for covered entities to determine exactly what will be considered de-identified information that may be used without the need to comply with the HIPAA privacy requirements.

Topics: MyEnroll360 Security

Recent Posts

FSA Claim Reimbursement Direct Deposit

read more

Department of Labor Required Reporting Guide

read more

Question of the Week

read more