Sharing PHI Under HIPAA
The Privacy Rule does not allow the sharing of Protected Health Information (PHI), so if a covered entity (CE) wants to send that data – for marketing reasons, research or any other aim – individual records must be de-identified. If it is not possible to identify an individual from the data, the information is not considered PHI.
Therefore, if all personal identifiers are removed from the data that is to be shared, the CE will be free to do with the data whatever they wish, as the data will no longer be considered PHI.
Healthcare providers may, for instance, wish to carry out comparative drug effectiveness studies to check the effect of different treatment methods on patient outcomes. Medical information may be required for research, or the CE might want to use data to assess internal policies and processes.
There are many advantages to using PHI; however, CEs must be careful about de-identifying data and sharing that data. While personal identifiers can be deleted from PHI, in some instances it may still be possible to connect the data back to an individual, which would breach HIPAA regulations.
Get de-identification right and your group can use the data. Get it wrong and you are likely to come to the attention of the Office for Civil Rights, which could result in a financial penalty for violating the Privacy Rule.
In line with the Privacy Rule, CEs have two methods they can use to de-identify healthcare information.
- Deleting specific individual identifiers, provided the covered entity has no actual knowledge that the remaining information could be used, on its own or along with other information, to identify patients.
- Hiring a qualified expert to formally determine that the data has been properly de-identified. This method applies statistical and scientific principles to ensure that only a very small danger of identification remains.
If the second method is chosen, the technique used to de-identify the data must be fully recorded, including the reasoning behind why individuals are deemed to be unidentifiable. This record will be sought by the OCR if the CE is selected for audit.
For the first method, all personal identifiers must be deleted from the data. Under HIPAA there are 18 different personal identifiers – as listed here – and all must be removed from the data before it is given to a Business Associate, other covered entity or any other individual, company or group.
List of HIPAA Privacy Rule Personal Identifiers:
- Full or partial names and initials
- Geographic information lower than a state (except the first three digits of a zip code, if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000)
- Dates (apart from year) directly linked to an individual, including birth date, admission date, discharge date, and date of death and all ages over 89 and all parts of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or over)
- Telephone details
- Fax contact numbers
- Email details
- Social security information
- Medical record data
- Health plan beneficiary records
- Account number information
- Certificate/license numbers
- Vehicle identifiers and serial numbers, such as license plate numbers
- Device identifiers and specific serial numbers
- Website details/Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, such as finger and voice prints
- Face photographic images and any other comparable images
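The zip code and date/age rules in the list above can be applied mechanically. The following Python sketch is an added example, not code from the Privacy Rule or from this page's author; the field names, the population table and the sample records are constructed for illustration. It copies only allow-listed fields, so names, phone numbers and similar identifiers never reach the output.

```python
from datetime import date

# Constructed population per 3-digit zip prefix (illustrative, not census data).
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000}
ZIP_THRESHOLD = 20_000
# Allow-list: any field not named here (name, phone, SSN ...) is never copied.
PASS_THROUGH = ("diagnosis",)

def zip3(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only when that prefix covers > 20,000 people."""
    prefix = zip_code.strip()[:3]
    if len(prefix) == 3 and prefix.isdigit() and populations.get(prefix, 0) > ZIP_THRESHOLD:
        return prefix
    return "000"

def age_category(birth, as_of):
    """Whole years of age, with everything over 89 folded into one category."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else str(age)

def deidentify(record, as_of):
    age = age_category(record["birth_date"], as_of)
    out = {field: record[field] for field in PASS_THROUGH}
    out["zip3"] = zip3(record["zip"])
    out["age"] = age
    # A birth year would reveal an age over 89, so it is withheld for that category.
    out["birth_year"] = None if age == "90+" else record["birth_date"].year
    out["admission_year"] = record["admission_date"].year  # dates reduced to year
    return out

# Constructed sample records.
SAMPLE = [
    {"name": "A. Example", "phone": "555-0100", "zip": "03601",
     "birth_date": date(1930, 5, 1), "admission_date": date(2023, 3, 14),
     "diagnosis": "hip fracture"},
    {"name": "B. Example", "phone": "555-0101", "zip": "10027",
     "birth_date": date(1962, 2, 10), "admission_date": date(2023, 11, 2),
     "diagnosis": "hypertension"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(deidentify(row, as_of=date(2024, 6, 1)))
```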
Deleting personal identifiers alone may not be sufficient to reduce the risk of a patient being identified from the information. For example, if all of the above personal identifiers are taken away from the data and zip codes remain, it could be possible to identify an individual if information such as annual salary is included. This could be so if an individual is listed as earning over $1,000,000 a year, yet they are living in a zip code where the average earnings are much lower.
By suppressing certain information – not giving it – data can be de-identified with little danger of that person being re-identified. In the above scenario, the CE could suppress salary information. A different method is generalization, where specific data such as a patient’s age is changed into a general age range. For example, a 62 year old man could be classified as being in the 60-70 age range.
Perturbation permits very specific data to be provided by replacing actual data with comparable values. The above 62-year old could be listed as being 64 years old.
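The salary scenario and the three techniques above (suppression, generalization, perturbation) can be checked on data before release. This Python sketch is an added example, not part of the original page; the rows are constructed, and the group-size check, the salary bands and the perturbation bound of two years are assumptions chosen for illustration.

```python
import random
from collections import Counter

# Constructed rows: direct identifiers already removed, quasi-identifiers remain.
ROWS = [
    {"zip3": "100", "age": 62, "salary": 1_200_000},
    {"zip3": "100", "age": 64, "salary": 48_000},
    {"zip3": "100", "age": 67, "salary": 52_000},
    {"zip3": "100", "age": 61, "salary": 45_000},
]

def generalize_age(age, width=10):
    """62 -> '60-70', the range used in the text."""
    low = (age // width) * width
    return f"{low}-{low + width}"

def perturb_age(age, rng, max_shift=2):
    """Replace the true age with a nearby value (max_shift is an assumed bound)."""
    return age + rng.randint(-max_shift, max_shift)

def suppress(row, fields):
    """Withhold the named fields entirely."""
    return {k: v for k, v in row.items() if k not in fields}

def generalize(row):
    band = "1M+" if row["salary"] >= 1_000_000 else "<1M"
    return {**row, "age": generalize_age(row["age"]), "salary": band}

def small_groups(rows, keys, k=2):
    """Value combinations shared by fewer than k rows, i.e. rows that stand out."""
    counts = Counter(tuple(r[key] for key in keys) for r in rows)
    return sorted(combo for combo, n in counts.items() if n < k)

if __name__ == "__main__":
    banded = [generalize(r) for r in ROWS]
    print(small_groups(banded, ("zip3", "age", "salary")))   # the high earner stands out
    no_salary = [suppress(r, {"salary"}) for r in banded]
    print(small_groups(no_salary, ("zip3", "age")))          # nothing stands out
    print(perturb_age(62, random.Random()))
```

Generalizing age alone still leaves the high earner in a group of one; only after the salary field is suppressed does every row share its values with at least one other row.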
There has been much discussion in recent years of the benefits of using healthcare data for research to enhance treatment outcomes and develop new treatment programs. We are certainly likely to see healthcare data used much more often in the future; however, it is vital that any CE opting to de-identify PHI can certify that all data has been properly de-identified, that no personal identifiers remain, and that it is not possible to re-identify a person.
However, this does not mean re-identification must be made impossible. The CE may wish to re-identify the person at a later date. This is permissible under the Privacy Rule, provided it is only the CE that can do this and not the person or entity to which the data has been given.
For example, the CE could allocate a unique code to each individual record that will permit it to be tied to personal identifiers at a later date. Provided the code is not shared – or any other means of record identification, including the procedure used to de-identify the data – this is allowed under the Privacy Rule. However, those codes must not be derived from the PHI or be linked to personal information about the individual.
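One way to allocate such codes is shown below in Python, as an added example that is not part of the original page. The class and function names, the record fields and the sample values are constructed; the lookup table that ties a code back to a patient is assumed to stay inside the CE. A code derived from PHI is included only for contrast: anyone who holds the underlying identifier can recompute it and match the record.

```python
import hashlib
import secrets

class Crosswalk:
    """Code-to-patient lookup, held only by the covered entity."""
    def __init__(self):
        self._code_to_id = {}
        self._id_to_code = {}

    def code_for(self, patient_id):
        """Return a stable random code; it carries no information about the patient."""
        if patient_id not in self._id_to_code:
            code = secrets.token_hex(16)
            while code in self._code_to_id:      # regenerate on the (unlikely) clash
                code = secrets.token_hex(16)
            self._id_to_code[patient_id] = code
            self._code_to_id[code] = patient_id
        return self._id_to_code[patient_id]

    def reidentify(self, code):
        """Only works with access to this object; returns None for unknown codes."""
        return self._code_to_id.get(code)

def derived_code(ssn):
    """Contrast case: a code computed from PHI, which the text rules out."""
    return hashlib.sha256(ssn.encode()).hexdigest()[:32]

def tag_records(records, crosswalk):
    """Attach a random code and drop the identifier it replaces."""
    return [{"code": crosswalk.code_for(r["mrn"]), "diagnosis": r["diagnosis"]}
            for r in records]

# Constructed sample records (the SSN is a deliberately invalid placeholder).
SAMPLE = [
    {"mrn": "MRN-0001", "ssn": "000-00-0000", "diagnosis": "hypertension"},
    {"mrn": "MRN-0002", "ssn": "000-00-0001", "diagnosis": "asthma"},
]

if __name__ == "__main__":
    cw = Crosswalk()
    tagged = tag_records(SAMPLE, cw)
    print(tagged)
    print(cw.reidentify(tagged[0]["code"]))
    # The derived code is the same for everyone who knows the SSN.
    print(derived_code(SAMPLE[0]["ssn"]) == derived_code("000-00-0000"))
```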
Further information on the de-identification of healthcare data can be obtained from the Department of Health and Human Services.