HIPAA Privacy Rule: WHAT?
De-identification of Protected Health Information (PHI)
Privacy Rule requirements do not apply to information that has been de-identified.
ACTION NEEDED:
The Privacy Rule makes two methods available for de-identifying health information:
| 1. |
Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are: |
|
names
geographic subdivisions smaller than a state
all elements of dates (except year) related to an individual (including dates of admission, discharge, birth, death and, for individuals over 89 years old, the year of birth must not be used)
telephone numbers
FAX numbers
electronic mail addresses
Social Security numbers
medical record numbers
health plan beneficiary numbers
account numbers
certificate/license numbers
vehical identifiers and serial numbers including license plates
device identifiers and serial numbers
web URLs
internet protocol addresses
biometric identifiers (including finger and voice prints)
full face photos and comparable images
any unique identifying number, characteristic or code
|
| 2. |
Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented. |
Source: University of Wisconsin-Madison - www.wisc.edu
|
