HIPAA Privacy Rule and De-Identification of Health Information

posted on Wed, Apr 27 2016 9:38 am by The Network

The Network recently received a request from a health researcher working on anonymizing health data to comply with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). One of the fields of the data the researcher is working with lists the health care provider for each patient. The researcher asked the Network if failing to de-identify the health care provider could be seen as a violation of privacy under HIPAA.

Under the HIPAA Privacy Rule, protected health information (PHI) is health information that is individually identifiable: it either identifies an individual, or there is a reasonable basis to believe the information can be used to identify the individual who is the subject of protected health information (i.e. the patient) (45 CFR 160.103).

The Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in §164.514(a)-(b). De-identified information is not subject to HIPAA.

The de-identification provisions provide two de-identification methods:

  • a formal determination by a qualified expert; or
  • what is known as the “safe harbor” method, which contains two prongs:
    • the removal of specified individual identifiers (names, zip codes, email addresses, social security numbers, and so forth); and
    • the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

The “individual identifiers” of the safe harbor method relate to the patient or to relatives, employers, or household members of the patient. The name of a health care provider or information about the health care provider is not an identifier, so the first prong of “safe harbor” would not require the removal of health care provider information from the data.

However, the second prong of the safe harbor method would also need to be met: absence of actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual.

If the requester has actual knowledge that health care provider information could be used alone or in combination with other information to identify the individuals to whom the data pertains, the data would need to be purged of health care provider data. If not, health care provider information could be left in the data set.
