Question:I know de-identified health information is not subject to HIPAA regulations. What is de-identified information?
Answer: The HIPAA Privacy Rule permits us to de-identify protected health information (PHI) so that such information may be used and disclosed freely, without being subject to HIPAA's restrictions. De-identified information contains no data elements that relate to a specific individual. In order to de-identify PHI, the following 18 individual identifiers must be removed:
2. Geographic subdivisions smaller than a state
3. All elements of dates (except year) for dates related to an individual & ages over 89
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social security numbers
8. Medical record numbers
9. Full face photographic images and any comparable images
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Health plan beneficiary numbers
18. Any other unique identifying number, characteristic or code (includes prescription numbers), except as permitted by re-identification provisions
As you can see, many data elements must be removed from PHI to de-identify it. Please refer to Use and Disclosure of PHI policy for additional information.
If you're a manager, please ensure all of your employees are informed of the contents of these messages and how it applies to your work area. Some ways of sharing the information include discussions during staff meetings, printing and posting this message or asking your employees if they have any further questions.