The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Source: USDHHS (2013). Summary of the HIPAA Privacy Rule. Health Information Privacy. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
De-Identifying of Protected Health Information
Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. Two methods can be used to achieve de-identification in accordance with the HIPAA Privacy Rule: Expert Determination and Safe Harbor. Under the "Safe Harbor Method", the identifiers (listed below) of the individual or of relatives, employers, or household members of the individual require removal.
Source: USDHHS (2013). Summary of the HIPAA Privacy Rule. Health Information Privacy. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
The following identifiers of the individual or of relatives, employers, or household members of the individual, are to be removed to comply with HIPAA regulations:
1. Names
2. All geographic subdivisions smaller than state including:
a) Street Address
b) City
c) County
d) Precinct
e) Zip code and equivalent geo code
3. All elements of dates (except year) directly related to an individual including:
a) Birth date
b) Admission date
c) Discharge date
d) Date of death
e) All ages over 89 (including date elements indicative of such age, including year, except when all ages of 90 or older can be aggregated into a single category)
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers (including license plate numbers)
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger/voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic or code
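The list above is a procedure as much as a policy: direct identifiers are dropped, dates are generalized to the year, and ages over 89 collapse into one "90+" bucket (which also means the birth year must go for those individuals, since it would reveal the age). The following Python example, added here and not taken from the HHS or University of Washington sources cited on this page, applies those rules to a flat patient record and then runs a residual scan over any free-text fields that survive, since item 18 ("any other unique identifying number, characteristic or code") routinely hides in clinical notes. The field names, the regular expressions, and the sample record are all constructed for this example and are not a standard schema.

```python
"""Safe Harbor style de-identification of a flat patient record.

Added example; field names and sample data are constructed assumptions.
"""
import re
from datetime import date

# Constructed schema: each field is mapped to the Safe Harbor item it falls under.
DIRECT_IDENTIFIER_FIELDS = {
    "name",                                                  # item 1
    "street_address", "city", "county", "precinct", "zip",   # item 2
    "phone", "fax", "email", "ssn", "mrn",                   # items 4-8
    "health_plan_id", "account_number", "license_number",    # items 9-11
    "vehicle_id", "device_serial", "url", "ip_address",      # items 12-15
    "fingerprint_template", "face_photo",                    # items 16-17
}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}  # item 3
AGE_CAP = 89  # ages over 89 are aggregated into a single "90+" category

# Residual check for free text (item 18 cannot be enumerated, but common
# identifier formats can be flagged). Patterns are constructed for this example.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def age_on(birth, as_of):
    """Whole years between a birth date and a reference date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def age_bucket(age):
    """Ages over 89 are reported only as the aggregate category '90+'."""
    return "90+" if age > AGE_CAP else str(age)


def deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # item 1, 2, 4-17: drop the field entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = str(value.year)  # item 3: keep only the year
        elif key == "birth_date" and isinstance(value, date):
            age = age_on(value, as_of)
            out["age"] = age_bucket(age)
            if age <= AGE_CAP:
                out["birth_year"] = str(value.year)  # year alone is permitted
            # over 89: even the year would indicate the age, so it is dropped
        elif key == "age" and isinstance(value, int):
            out["age"] = age_bucket(value)
        else:
            out[key] = value
    return out


def residual_findings(record):
    """Flag identifier-like strings left in free-text fields after scrubbing."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            for match in pattern.finditer(value):
                findings.append((key, label, match.group(0)))
    return findings


# Constructed sample record (not real data); the reference date fixes the age.
AS_OF = date(2013, 8, 1)
SAMPLE = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "zip": "98195",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "birth_date": date(1921, 3, 14),      # age 92 on AS_OF -> "90+"
    "admission_date": date(2013, 7, 2),
    "discharge_date": date(2013, 7, 9),
    "diagnosis_code": "I10",
    "notes": "Pt phoned 206-555-0100 to confirm follow-up on 07/16/2013.",
}
SAMPLE_UNDER_90 = dict(SAMPLE, birth_date=date(1931, 3, 14))  # age 82 on AS_OF

if __name__ == "__main__":
    scrubbed = deidentify(SAMPLE, AS_OF)
    print(scrubbed)
    for field, label, text in residual_findings(scrubbed):
        print(f"residual {label} in '{field}': {text}")
```

Running the block shows the structured fields handled correctly while the `notes` field still carries a phone number and a full date, which is exactly the gap the residual scan is there to surface; free text should be reviewed or withheld rather than passed through. The code follows the page's list literally and removes ZIP codes outright; the regulation itself (45 CFR 164.514(b)(2)(i)(B)) permits the first three digits of a ZIP code when the corresponding geographic unit contains more than 20,000 people, so a production scrubber would add that rule and the population lookup it depends on.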
Sources:
United States Department of Health and Human Services (2013). Summary of the HIPAA Privacy Rule. Health Information Privacy. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html#rationale, PP-19
Protected Health Information, Limited Data Set, and De-Identification of Protected Health Information. (2013). Retrieved August 1, 2013 from http://depts.washington.edu/comply/docs/PP_19.pdf