Closer look at HIPAA rules

April 10, 2013

According to the Health Insurance Portability and Accountability Act, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe that it can be used to identify an individual.

According to Section 164.514(a) of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe that it can be used to identify an individual.

Sections 164.514(b) and(c) of the rule identifies two methods by which information can be de-identified.

Under the “expert determination” method, a covered entity may determine that health information is not individually identifiable health information only if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. This person also must document the methods and results of the analysis that justify such determination.

Under the “safe harbor” method, the following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

  • Names.

  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: 

  • the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and 

  • the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.

  • All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

  • Telephone numbers.

  • Fax numbers.

  • Email addresses. 

  • Social security numbers.

  • Medical record numbers. 

  • Health plan beneficiary numbers.

  • Account numbers. 

  • Certificate/license numbers.

  • Vehicle identifiers and serial numbers, including license plate numbers.

  • Device identifiers and serial numbers.

  • Web universal resource locators (URLs).

  • Internet Protocol (IP) addresses.

  • Biometric identifiers, including finger and voice prints.

  • Full-face photographs and any comparable images.

  • Any other unique identifying number, characteristic, or code except as permitted.

Also under this method, the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

For more information, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf.