PHI stands for Protected Health Information. It can be formally defined as: "Any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual." Informally, it includes any part of a patient's medical record or payment history.
Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that can be linked to an individual through any of the following 18 identifiers must be treated with special care:
1. Names
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and [t]he initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
By removing these pieces of information (the 18 items listed above), health information can be de-identified and, hence, can be used and shared publicly, but it is still governed by the Common Rule, which applies specifically to biomedical and behavioral research involving human subjects in the USA. Removing these 18 elements is also known as the "Safe Harbor Method".
The HIPAA Privacy Rule covers PHI in any medium, while the HIPAA Security Rule covers only electronic PHI (ePHI).
De-Identifying PHI:
The de-identification standard is covered under the HIPAA Privacy Rule [45 CFR 164.514]. Some basic information regarding this rule is quoted below:
“(a) Standard: de-identification of protected health information. Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”
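The following Python is an added worked example, not part of the original post and not a regulatory tool. It applies the mechanical parts of the Safe Harbor method quoted above to a constructed patient record: the 18 identifiers in 164.514(b)(2)(i) are removed or generalized (zip code to three digits or 000, dates to year, ages over 89 to a single "90+" category with the birth year suppressed), and a re-identification code is issued in the way 164.514(c) describes (random, not derived from the individual's data, with the mapping kept private by the covered entity). The field names, the sample record and RESTRICTED_ZIP3 are all assumptions of the example; RESTRICTED_ZIP3 in particular is a placeholder for the Census-derived set of three-digit zip prefixes covering 20,000 or fewer people, which must be taken from current Census data.

```python
# Added example: Safe Harbor de-identification of a patient record.
# Field names, sample values and RESTRICTED_ZIP3 are constructed assumptions.
import re
import secrets
from datetime import date

# Placeholder for the Census-derived prefixes with 20,000 or fewer people.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Fields Safe Harbor removes outright (items 1 and 4 through 18).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Fields that carry no identifier and may pass through unchanged.
PASSTHROUGH = {"diagnosis", "sex"}


def safe_harbor_zip(zip_code: str) -> str:
    """Item 2: keep the first three digits, or 000 when that prefix belongs
    to a geographic unit of 20,000 or fewer people."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def safe_harbor_date(iso_date: str) -> str:
    """Item 3 / (C): every date element except the year is removed."""
    return str(date.fromisoformat(iso_date).year)


def safe_harbor_age(birth_iso: str, as_of_iso: str) -> str:
    """(C): ages over 89 collapse into the single category '90+'."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age >= 90 else str(age)


def de_identify(record: dict, as_of_iso: str) -> dict:
    """Return a new dict with the 18 identifiers removed or generalized.

    Allow-list based on purpose: a field the function does not recognize is
    dropped, because unrecognized columns (street address, free-text notes)
    are exactly where identifiers survive."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            age = safe_harbor_age(value, as_of_iso)
            out["age"] = age
            # (C): at 90 or older the birth year is itself indicative of
            # the age, so it is suppressed along with the other elements.
            if age != "90+":
                out["birth_year"] = safe_harbor_date(value)
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = safe_harbor_date(value)
        elif key in PASSTHROUGH:
            out[key] = value
    return out


class ReidentificationKey:
    """164.514(c): the code is random, so it is not derived from or related
    to the individual's data, and the code-to-record mapping stays with the
    covered entity. A plain hash of the MRN would not satisfy (c)(1), since
    it is derived from the individual's information."""

    def __init__(self) -> None:
        self._mapping: dict = {}   # never disclosed alongside the data

    def assign(self, record_id: str) -> str:
        code = secrets.token_hex(8)
        self._mapping[code] = record_id
        return code

    def resolve(self, code: str) -> str:
        return self._mapping[code]


# Constructed sample record; every value is a placeholder.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "zip": "02139",
    "city": "Cambridge",
    "birth_date": "1920-05-17",
    "admission_date": "2012-03-04",
    "discharge_date": "2012-03-09",
    "diagnosis": "I10",
    "sex": "F",
}

if __name__ == "__main__":
    key = ReidentificationKey()
    code = key.assign(SAMPLE_RECORD["mrn"])
    shared = {"code": code, **de_identify(SAMPLE_RECORD, "2012-03-04")}
    print(shared)   # no name, MRN, city or birth year; age appears as 90+
```

The allow-list shape of `de_identify` is the design point: item 18 ("any other unique identifying number, characteristic, or code") cannot be matched by pattern, so a field is released only when the code knows it is safe. Note also that Safe Harbor only covers (b)(2)(i); the (b)(2)(ii) "no actual knowledge" condition is a judgement the covered entity still has to make about the released data set.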
© 2012 Health Compliance Consultants