What is De-identified PHI and What is Re-identified PHI?

Modified on Mon, 11 Dec 2023 at 12:30 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  



PHI excludes health information that is de-identified (e.g., that has individual identifiers removed) according to specific standards. Under the HIPAA Privacy Rule, there are two standards, or methods, that a covered entity can use to de-identify PHI. These include the “Safe Harbor” method and the “Expert Determination” method.

Health information that is de-identified can be used and disclosed by a covered entity, including a researcher who is a covered entity, without authorization or any other permission specified in the Privacy Rule.

Safe Harbor Method
Under the Safe Harbor method, a covered entity can de-identify PHI by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following:

(A) Names

(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
    (1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    (2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000

(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

(D) Telephone numbers

(E) Vehicle identifiers and serial numbers, including license plate numbers

(F) Fax numbers

(G) Device identifiers and serial numbers

(H) Email addresses

(I) Web Universal Resource Locators (URLs)

(J) Social security numbers

(K) Internet Protocol (IP) addresses

(L) Medical record numbers

(M) Biometric identifiers, including finger and voice prints

(N) Health plan beneficiary numbers

(O) Full-face photographs and any comparable images

(P) Account numbers

(Q) Any other unique identifying number, characteristic, or code, except as permitted by the rules on re-identification (discussed below).

(R) Certificate/license numbers


Expert Determination Method
Covered entities and business associates may also use statistical methods to establish de-identification instead of removing all 18 identifiers. A covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information. 

The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination. A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.

How Can PHI That Has Been De-identified Be Re-identified?
A covered entity can re-identify PHI that has been de-identified. Re-identification can be accomplished by assigning a unique code (or other means of record identification) to the set of de-identified health information.


If a covered entity or business associate successfully re-identifies the subject of de-identified information it maintains, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI.  Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI.

There are two rules regarding the code or other means of record identification selected:


(1) Derivation. The code or other means of record identification may not be derived from or related to information about the individual and may not otherwise be capable of being translated so as to identify the individual; and
(2) Security. The covered entity may not use or disclose the code or other means of record identification for any other purpose, and may not disclose the mechanism for re-identification.
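
As an added illustration (not part of the original article and not Compliancy Group code), the following Python example applies the ZIP code, date, and age rules from the Safe Harbor list to structured fields and assigns a random re-identification code that satisfies the derivation rule above. The field names, the sample records, and the low-population ZIP prefix set are constructed assumptions; free-text fields and the "no actual knowledge" condition are outside what it handles.

```python
import secrets

# Constructed placeholder set: ZIP prefixes whose combined population is
# 20,000 or fewer. A real deployment loads this from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059"}
# Hypothetical column names for identifiers that are removed outright.
DROP = {"name", "street", "city", "county", "phone", "fax", "email",
        "ssn", "mrn", "ip_address", "url", "account_number"}
DATES = {"birth_date", "admission_date", "discharge_date", "death_date"}

def safe_harbor(record):
    """Apply the structured-field Safe Harbor transforms to one record."""
    out = {}
    for key, value in record.items():
        if key in DROP:
            continue
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        elif key == "age":
            out["age"] = "90+" if int(value) > 89 else int(value)
        elif key in DATES:
            out[key.replace("_date", "_year")] = str(value)[:4]  # ISO date -> year
        else:
            out[key] = value
    if out.get("age") == "90+":
        # For ages over 89 the birth year is itself indicative of age.
        out.pop("birth_year", None)
    return out

def release(records):
    """Return (rows safe to disclose, crosswalk the covered entity keeps private)."""
    rows, crosswalk = [], {}
    for rec in records:
        code = secrets.token_hex(16)   # random, so not derived from the individual
        crosswalk[code] = rec["mrn"]   # re-identification mechanism: never disclosed
        rows.append({"code": code, **safe_harbor(rec)})
    return rows, crosswalk

# Constructed sample records (not real patients).
SAMPLE = [
    {"mrn": "MRN-0001", "name": "Test Patient A", "zip": "03601", "age": 93,
     "birth_date": "1930-02-14", "admission_date": "2023-05-01", "diagnosis": "J18.9"},
    {"mrn": "MRN-0002", "name": "Test Patient B", "zip": "94110", "age": 47,
     "birth_date": "1976-08-30", "admission_date": "2023-06-12", "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    print(release(SAMPLE)[0])
```

A code built by hashing or truncating the medical record number, date of birth, or SSN would fail the derivation rule, which is why the code here comes from a random generator and the mapping lives only in the privately held crosswalk.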
