Health Information Compliance Alert

Published on Tue Sep 30, 2003 PDF

By now you should be able to recognize a potential privacy rule violation in your sleep, but were you or your staff snoozing when it came to de-identifying protected health information?
 
Below is a list of 20 items that includes the privacy rule's 18 identifiers. However, two of the items on the list don't fit; that is, there are two "false" identifiers.

Can you and your fellow staffers list which items are the real identifiers and which are fakes?

PHI Identifiers: Which Two Don't Belong?

1. Names
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Dataset of vital signs
8. Social Security numbers
9. Medical record numbers
10. Health plan beneficiary numbers
11. Tissue samples
12. Account numbers
13. Certificate/license numbers
14. Vehicle identifiers and serial numbers, including license plate numbers
15. Device identifiers and serial numbers
16. Web Universal Resource Locators (URLs)
17. Internet Protocol (IP) address numbers
18. Biometric identifiers, including finger and voice prints
19. Full face photographic images and any comparable images
20. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

There are also additional standards and criteria to protect individual's privacy from re-identification. Any code used to replace the identifiers in datasets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all of the 18 identifiers were removed. 



ANSWERS:

Numbers 7 (Dataset of Vital Signs) and 11 (Tissue Samples) are not identifiers under the privacy rule. However, there is a caveat: While neither a dataset of vital signs nor tissue samples are not considered to be part of the privacy rule's list of 18 identifiers by themselves, if either were combined with any other identifier listed above, each would be considered an identifier under HIPAA. For example, if either the dataset or tissue sample included a medical record number, each would be considered PHI.