DISCLAIMER: This article should not be taken as legal advice, instead it is a basic introduction to some changes that have been promulgated to the HIPAA/HITECH Acts final rules.
PHI stands for Protected Health Information. It can be formally defined as “Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual.” Informally, it includes any part of a patient’s medical record or payment history that can be linked back to the patient.
Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers, must be treated with special care:
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and [t]he initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
By removing certain pieces of information (based on the above listed 18 items), health information can be de-identified and, hence, can be used and shared publicly , but still governed by the Common Rule, which is specifically applicable to biomedical and behavioral research involving human subjects in USA. Removing these 18 elements is also known as the “Safe Harbor Method”.
HIPAA Privacy Rule covers PHI in any medium, while HIPAA Security rule covers Electronic PHI or ePHI.
The de-identification standard is covered under HIPAA Privacy Rule [45 CFR 164.514]. Some salient points regarding this rule are stated below:
(a) Standard: de-identification of protected health information. Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
2. (i) The above listed 18 identifiers of the individual or of relatives, employers, or household members of the individual, are removed.
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”