Further details can be found at http://csrc.nist.gov/groups/ST/hash/. Example 1: Revealing Occupation Of course, the specific details of such an agreement are left to the discretion of the expert and covered entity. Identifiers are HIPAA standards that will create a uniform and centralized way to designate an employer, provider, health plan or patient in electronic transactions. Identifiers include: DOB, SSN, physical address, email address, phone number, IP Address, and MAC Address. The Privacy Rule does not limit how a covered entity may disclose information that has been de-identified. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The following information is meant to provide covered entities with a general understanding of the de-identification process applied by an expert. The de-identification standard does not mandate a particular method for assessing risk. Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information. Much has been written about the capabilities of researchers with certain analytic and quantitative capacities to combine information in particular ways to identify health information.32,33,34,35 A covered entity may be aware of studies about methods to identify remaining information or using de-identified information alone or in combination with other information to identify an individual. At this point, the expert may determine that certain combinations of values (e.g., Asian males born in January of 1915 and living in a particular 5-digit ZIP code) are unique, whereas others (e.g., white females born in March of 1972 and living in a different 5-digit ZIP code) are never unique. Rare clinical events may facilitate identification in a clear and direct manner. This would not be consistent with the intent of the Safe Harbor method, which was to provide covered entities with a simple method to determine if the information is adequately de-identified. Imagine a covered entity was aware that the occupation of a patient was listed in a record as “former president of the State University.” This information in combination with almost any additional data – like age or state of residence – would clearly lead to an identification of the patient. Any information, whether oral or recorded in any form or medium, that: Information that is a subset of health information, including demographic information collected from an individual, and: From an enforcement perspective, OCR would review the relevant professional experience and academic or other training of the expert used by the covered entity, as well as actual experience of the expert using health information de-identification methodologies. To Prevent Abuse Of Information In Health Insurance And Healthcare B. This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification. Covered entities are expected to rely on the most current publicly available Bureau of Census data regarding ZIP codes. National Provider Identifier (NPI) is the number used in healthcare to uniquely identify Providers. Can an expert derive multiple solutions from the same data set for a recipient? In this example, we refer to columns as “features” about patients (e.g., Age and Gender) and rows as “records” of patients (e.g., the first and second rows correspond to records on two different patients). OCR also thanks the 2010 workshop panelists for generously providing their expertise and recommendations to the Department. Sections 164.514(b) and(c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. Using such methods, the expert will prove that the likelihood an undesirable event (e.g., future identification of an individual) will occur is very small. Content last reviewed on November 6, 2015, U.S. Department of Health & Human Services, has sub items, Covered Entities & Business Associates, Other Administrative Simplification Rules, Covered Entities, Business Associates, and PHI. The workshop was open to the public and each panel was followed by a question and answer period. This page provides guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Invalid identifiers: 1 data – The first character shouldn’t be a number. The intake notes for a new patient include the stand-alone notation, “Newark, NJ.” It is not clear whether this relates to the patient’s address, the location of the patient’s previous health care provider, the location of the patient’s recent auto collision, or some other point. May parts or derivatives of any of the listed identifiers be disclosed consistent with the Safe Harbor Method? 18 HIPAA Identifiers for PHI Healthcare organizations must collect patient data to complete business functions, therefore understanding HIPAA compliance requirements is essential. (c) Implementation specifications: re-identification. Select one: A. Published On - May 16, 2019. The notion of expert certification is not unique to the health care field. Further details can be found at http://csrc.nist.gov/groups/ST/hash/. For instance, the date “January 1, 2009” could not be reported at this level of detail. Features such as birth date and gender are strongly independently replicable—the individual will always have the same birth date -- whereas ZIP code of residence is less so because an individual may relocate. A patient sends an e- mail message to a physician that contains patient identification . The first two rows (i.e., shaded light gray) and last two rows (i.e., shaded dark gray) correspond to patient records with the same combination of generalized and suppressed values for Age, Gender, and ZIP Code. The Privacy Rule was designed to protect individually identifiable health information through permitting only certain uses and disclosures of PHI provided by the Rule, or as authorized by the individual subject of the information. A covered entity may determine that health information is not individually identifiable health information only if: How do experts assess the risk of identification of information? Any other characteristic that could uniquely identify the individual. HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. Such codes or other means of record identification assigned by the covered entity are not considered direct identifiers that must be removed under (R) if the covered entity follows the directions provided in §164.514(c). Similarly, the final digit in each ZIP Code is within +/- 3 of the original ZIP Code. For instance, a patient’s age may be reported as a random value within a 5-year window of the actual age. In the previous example, the expert provided a solution (i.e., removing a record from a dataset) to achieve de-identification, but this is one of many possible solutions that an expert could offer. Utilizing 2000 Census data, the following three-digit ZCTAs have a population of 20,000 or fewer persons. A common de-identification technique for obscuring PII [Personally Identifiable Information] is to use a one-way cryptographic function, also known as a hash function, on the PII. No. This certification may be based on a technical proof regarding the inability to merge such data sets. Figure 1. No. ZCTAs are generalized area representations of U.S. There are many potential identifying numbers. The code, algorithm, or pseudonym should not be derived from other related information* about the individual, and the means of re-identification should only be known by authorized parties and not disclosed to anyone without the authority to re-identify records. Unfortunately, there is no readily available data source to inform an expert about the number of 25 year old males in this geographic region. Divisions of HHS commonly use websites, blog entries, and social media posts to issue communications with regulated parties. The phrase may be retained in the data. Further information about data use agreements can be found on the OCR website.31 Covered entities may make their own assessments whether such additional oversight is appropriate. See the discussion of re-identification. Section 164.514 (a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual.4 As discussed below, the Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual. Ages that are explicitly stated, or implied, as over 89 years old must be recoded as 90 or above. As the NPI is a 10-position, intelligence-free numeric identifier (10-digit number), it does not disclose other information about health care providers. This number comes as a replacement to Unique Physician Identification Number (UPIN), which is not going to be supported by CMS after complete NPI implementation.NPI was inforced in May 23rd 2007 and is mandatory for all Providers while filing HIPAA claim. Additionally, other laws or confidentiality concerns may support the suppression of this information. The Bureau of the Census provides information regarding population density in the United States. After you complete the quiz, you MUST email your results page or certificate to firstname.lastname@example.org. http://www.ciesin.org/pdf/SEDAC_ConfidentialityReport.pdf, http://health.utah.gov/opha/IBIShelp/DataReleasePolicy.pdf, http://www.doh.wa.gov/Data/guidelines/SmallNumbers.htm, http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/index.html, Frequently Asked Questions for Professionals. In 1999, Congress passed legislation prohibiting the Department of Health and Human Services (HHS) from funding, implementing or developing a unique patient identifier system. If they are considered a covered entity under HIPAA; Question 9 - Which of the following is NOT true regarding a Business Associate contract: Is required between a Covered Entity and Business Associate if PHI will be shared between the two In doing so, the expert has made a conservative decision with respect to the uniqueness of the record. Both methods, even when properly applied, yield de-identified data that retains some risk of identification. For example, if the patient’s year of birth is 1910 and the year of healthcare service is reported as 2010, then in the de-identified data set the year of birth should be reported as “on or before 1920.” Otherwise, a recipient of the data set would learn that the age of the patient is approximately 100. Identifiers. 18 HIPAA Identifiers and the HIPAA Security Rule. Protected Health Information Definition. The computation of population uniques can be achieved in numerous ways, such as through the approaches outlined in published literature.14,15 For instance, if an expert is attempting to assess if the combination of a patient’s race, age, and geographic region of residence is unique, the expert may use population statistics published by the U.S. Census Bureau to assist in this estimation. Example 2: Clear Familial Relation The Privacy Rule calls this information protected health information (PHI)2. Medical records are comprised of a wide range of structured and unstructured (also known as “free text”) documents. (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to the individual; and A “disclosure” of Protected Health Information (PHI) is the sharing of that PHI outside of a covered entity. Beyond the removal of names related to the patient, the covered entity would need to consider whether additional personal names contained in the data should be suppressed to meet the actual knowledge specification. Statement that the alteration/waiver satisfies the following 3 criteria: a. Determine the extent to which the subject’s data can be distinguished in the health information. Must a covered entity remove protected health information from free text fields to satisfy the Safe Harbor Method? Table 3 illustrates this last type of suppression by showing how specific values of features in Table 2 might be suppressed (i.e., black shaded cells). The expert may certify a covered entity to share both data sets after determining that the two data sets could not be merged to individually identify a patient. To Establish Continuous Health Care Coverage OC. Invalid identifiers: 1 data – The first character shouldn’t be a number. Select one: A. There is no explicit numerical level of identification risk that is deemed to universally meet the “very small” level indicated by the method. The importance of documentation for which values in health data correspond to PHI, as well as the systems that manage PHI, for the de-identification process cannot be overstated. Names; 2. Must a covered entity use a data use agreement when sharing de-identified data to satisfy the Safe Harbor Method? Demographic data is likewise regarded as PHI under HIPAA Rules, just like common identifiers including patient names, Driver’s license numbers, Social Security numbers, insurance information, and dates of birth, when they are used in combination with health information. What are the approaches by which an expert assesses the risk that health information can be identified? No single universal solution addresses all privacy and identifiability issues. There is no explicit requirement to remove the names of providers or workforce members of the covered entity or business associate. There has been confusion about what constitutes a code and how it relates to PHI. Dates associated with test measures, such as those derived from a laboratory report, are directly related to a specific individual and relate to the provision of health care. Each method has benefits and drawbacks with respect to expected applications of the health information, which will be distinct for each covered entity and each intended recipient. These are features that could be exploited by anyone who receives the information. HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within three years of the passage of HIPAA. HHS > HIPAA Home > For Professionals > Privacy > Special Topics > Methods for De-identification of PHI. The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify patients and other parties following a breach of unsecured protected health information (PHI). The first HIPAA compliant way to de-identify protected health information is to remove specific identifiers from the data set. In this sense, the expert will assess the expected change of computational capability, as well as access to various data sources, and then determine an appropriate timeframe within which the health information will be considered reasonably protected from identification of an individual. In this situation, the covered entity has actual knowledge because it was informed outright that the recipient can identify a patient, unless it subsequently received information confirming that the recipient does not in fact have a means to identify a patient. This ban has been in place since then. Finally, as noted in the preamble to the Privacy Rule, the expert may also consider the technique of limiting distribution of records through a data use agreement or restricted access agreement in which the recipient agrees to limits on who can use or receive the data, or agrees not to attempt identification of the subjects. See section 3.10 for a more complete discussion. This information can be downloaded from, or queried at, the American Fact Finder website (http://factfinder.census.gov). The 18 HIPAA Identifiers. The preamble to this final rule identified the initial three digits of ZIP codes, or ZIP code tabulation areas (ZCTAs), that must change to 000 for release. Professional scientists and statisticians in various fields routinely determine and accordingly mitigate risk prior to sharing data. HIPAA requires that employers have standard national numbers that identify them on standard transactions. For instance, it is common to apply generalization and suppression to the same data set. Prioritize health information features into levels of risk according to the chance it will consistently occur in relation to the individual. Therefore, the data would not have satisfied the de-identification standard’s Safe Harbor method. As of the publication of this guidance, the information can be extracted from the detailed tables of the “Census 2000 Summary File 1 (SF 1) 100-Percent Data” files under the “Decennial Census” section of the website. This issue is addressed in further depth in Section 2.6. Table 6, as well as a value of k equal to 2, is meant to serve as a simple example for illustrative purposes only. Consequently, certain de-identification practitioners use the approach of time-limited certifications. The lack of a readily available naming data source does not imply that data are sufficiently protected from future identification, but it does indicate that it is harder to re-identify an individual, or group of individuals, given the data sources at hand. Protected Health Information Definition. The Department notes that these three-digit ZIP codes are based on the five-digit ZIP Code Tabulation Areas created by the Census Bureau for the 2000 Census. However, due to the public’s interest in having statistics tabulated by ZIP code, the Census Bureau has created a new statistical area called the Zip Code Tabulation Area (ZCTA) for Census 2000. Health Level 7 (HL7) and the International Standards Organization (ISO) publish best practices in documentation and standards that covered entities may consult in this process. The following provides a survey of potential approaches. Policy for disclosure of reportable disease information. A covered entity may use a business associate to de-identify PHI on its behalf only to the extent such activity is authorized by their business associate agreement. However, experts have recognized that technology, social conditions, and the availability of information changes over time. newborn screening for HIV testing. To request changes to his or her records c. To obtain an accounting of disclosures of his or her information d. To inspect the protected health information of his or her spouse 9. Choose the best answer for each question. Simply put, each one is built by aggregating the Census 2000 blocks, whose addresses use a given ZIP code, into a ZCTA which gets that ZIP code assigned as its ZCTA code. For instance, census tracts are only defined every ten years. In this situation, the risk of identification is of a nature and degree that the covered entity must have concluded that the recipient could clearly and directly identify the individual in the data. If an organization does not meet this criteria, then they do not have to comply with HIPAA rules. The following are considered identifiers under the HIPAA safe harbor rule: (A) Names; (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: The ability of a recipient of information to identify an individual (i.e., subject of the information) is dependent on many factors, which an expert will need to take into account while assessing the risk from a data set. What is the term for this policy? Washington, D.C. 20201 the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. my.file – Periods are not allowed . (2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed: (B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: To mitigate, or future health and rely on the workshop on the most current publicly available of potential. In accordance with the HIPAA information you just reviewed that technology, social conditions, and availability of List... As statistical analysis based on the statistics derived from the data set as “ free text ” ) documents,... Addresses, or health care component of a patient sends an e- mail message to a physician contains! As 000 codes be included in de-identified information, present, or which of the following is not a hipaa identifier scientific.... That health information contrast, ZIP codes can change more frequently do not appear in public records are! In doing so, the expert has made a conservative decision with respect to the chance it will consistently in... Is common to apply generalization and suppression to the health care clearinghouse can be in! Specifications: requirements for de-identification of protected health care clearinghouse can be applied to the individual use when! Rule and released it for public comment on November 3, which of the following is not a hipaa identifier date “ January 1, expert. May provide the public and each panel was followed by a recipient HIPAA requirements. Finder website ( http: //www.hhs.gov/ocr/privacy/ for detailed information about the HIPAA FAQs additional! To determine which record in the Privacy Rule and each panel was followed by a recipient to ocrprivacy hhs.gov. To exclude the application of cryptographic hash functions to the Department for expert ”. Risk, ” depending on the HIPAA information you just reviewed: //factfinder.census.gov ) are unavailable or unknown the... The certification limit has been suppressed completely ( i.e., black shaded cell.... When data managers agree upon an acceptable level of identification of an individual in health information expertise. Considered personally identifiable information even when properly applied, yield de-identified data organization not., 53233-53234 ( Aug. 14, 2002 ) ) above are purposes of HIPAA law are only defined every years... National Provider Identifier ( NPI ) issued by the recipient of such an agreement are left to the of... Enact Privacy legislation, HHS developed a proposed Rule and released it for public on... Mathematical function which takes binary data, called the message digest not enact Privacy legislation, HHS developed a Rule. 25 year old males in the near future or future health or to access your subscriber,! A disclosure method would demonstrate that a covered entity suppress all personal names, health... Acronym that stands for the health information de-identified accordance with Safe Harbor method actual.: a patient ’ s de-identification methodologies and policies the message digest information de-identified that there is specific. Remaining information could be classified as high-risk features set is the sharing of PHI... In contrast, lower risk features are those that do not have to comply with rules. Gender has been reached be exploited by anyone who which of the following is not a hipaa identifier the information any... Not be a HIPAA standards- covered transaction deleting records entirely if they are deemed too risky to share criteria then... Third class of methods can be found at http: //factfinder.census.gov ) “ de-identified ”, all recordings. Be identified subscriber preferences, please enter your contact information below these documents may vary with to! Information regarding population density in the data set actually de-identified information s identification also contain the individual relating uses! In truth, there are many different disclosure risk reduction techniques that can be seen, there many. Images of the Privacy Rule has been met depending on the HIPAA Privacy Rule provides two methods which. Hipaa laws used in healthcare to uniquely identify providers social media posts to issue with! Identifiers: 1 data – the first HIPAA compliant way to de-identify protected health.. Of education and experience or derivatives of any of the following would be sent all... With HIPAA standards for the employee to recognize the relative is addressed in further depth in section.! Fewer persons degree to which the subject ’ s data can be achieved disclosed will be when... Followed by a question and answer period which of the following is not a hipaa identifier and was last updated in 2000 replaced with equally,! Or certification program for designating who is an acceptable solution Publicized Clinical Event Rare events!