How Can PHI be Shared Under HIPAA?
Under the Health Insurance Portability and Accountability Act, specifically the HIPAA Privacy Rule, Protected Health Information (PHI) cannot be shared with unauthorized individuals. Since the Omnibus Rule was introduced, covered entities (CE) are also not permitted to use PHI for marketing purposes, so how can PHI be shared under HIPAA?
How Can PHI be Shared Under HIPAA?
The sharing of Protected Health Information is not permitted under the Privacy Rule, so if a CE wants to share that data – for marketing purposes, research or any other reason – individual records must be de-identified. If it is not possible to identify an individual from the data, the information is not considered to be PHI.
Therefore, if all personal identifiers are striped from the data, the CE will be free to do with the data whatever they wish, as the data will no longer be considered to be PHI.
Why De-identify Data?
Healthcare providers may wish to conduct comparative drug effectiveness studies in order to check the effectiveness of different treatment methods on patient outcomes for example. Medical information may be required for research purposes or the CE might want to use data to assess internal policies and procedures.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
There are many benefits to using PHI; however CEs must be careful about the de-identification of data and sharing that information. While personal identifiers can be removed from PHI, in some cases it may still be possible to link the data back to an individual, which would breach HIPAA regulations.
Get de-identification right and your organization can use the data. Get it wrong and you are likely to attract the attention of the Office for Civil Rights and could potentially incur a financial penalty for violating the Privacy Rule.
De-Indentifying Data Under HIPAA
Under the Privacy Rule, CEs have two methods they can use to de-identify healthcare data.
- The removal of specific individual identifiers; provided there is an absence of actual knowledge by the covered entity that the remaining information could be used alone – or in conjunction with – other information to identify patients.
- Use a qualified expert to formally determine that the data has been correctly de-identified. This method applies statistical and scientific principles to ensure that only a very small risk of identification remains.
If the second method is used, the technique used to de-identify the data must be fully documented – this will be required by the OCR if the CE is selected for audit – including the reasoning behind why individuals are deemed to be unidentifiable.
For the first method, all personal identifiers must be stripped from the data. Under HIPAA there are eighteen different personal identifiers – as listed below – and all must be removed from the data before it is given to a Business Associate, other covered entity or any other individual, company or organization.
HIPAA Privacy Rule Personal Identifiers:
- Names – Full or partial names and initials
- Geographic information smaller than a state (except the first three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000).
- Dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death and all ages over 89 and all elements of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or older)
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
De-Identifying PHI Using Suppression, Generalization and Perturbation
The removal of personal identifiers alone may not be sufficient to reduce the risk of a patient being identified from the data. For instance, if all of the above personal identifiers are stripped from the data and zip codes remain, it could, for instance, be possible to identify an individual if information such as annual salary is included. This could be the case if an individual is listed as earning over $1,000,000 a year, yet they are living in a zip code where the average earnings are considerably lower.
By suppressing certain information – not providing it – data can be de-identified with little risk of that person being re-identified. In the above case, the CE could suppress salary information. An alternative method is generalization, where specific data such as a patient’s age is transformed into a general age range. For example, a 62 year old man could be classified as being in the 60-70 age range.
Perturbation allows very specific data to be provided by replacing actual data with similar values. The above 62-year old could be listed as being 64 years old.
Maintaining HIPAA Compliance when De-Identifying PHI
There has been much talk in recent years of the benefits of using healthcare data for research to improve treatment outcomes and develop new treatment programs. We are certainly likely to see healthcare data used much more frequently in the future; however it is essential that any CE opting to de-identify PHI can certify that all data has been correctly de-identified, that no personal identifiers remain, and that it is not possible to re-identify an individual.
This does not mean it must be made impossible. The CE may wish to re-identify the individual at a later date. This is allowable under the Privacy Rule, provided it is only the CE that can do this and not the person or entity to which the data has been supplied.
For instance, the CE could allocate a unique code to each individual record that will allow it to be tied to personal identifiers at a later date. Provided the code is not disclosed – or any other means of record identification, including the procedure used to de-identify the data – this is permitted under the Privacy Rule. However, those codes must not be derived from the PHI or be related to personal information about the individual.
Further information on the de-identification of healthcare data can be obtained from the Department of Health and Human Services.