Complying With HIPAA De-Identification Rules When Sharing Clinical Data
If you are sharing data with other Health Insurance Portability and Accountability Act (HIPAA)-covered entities or those with whom you have a business associate agreement, a range of data can be shared comfortably. But if you are considering information exchange with a non-covered entity—such as a research center—or for quality reporting or analytics, then you have to go through the process of de-identification.
In ideal circumstances, any data in question leaving the practice is de-identified before it is out of your hands. There are 2 ways to do this. First, you can take a data set and remove 18 identifiers required under HIPAA. These include such identifiers as names, locale, and Social Security, telephone, and fax numbers. The information is taken from the medical record and placed into a spreadsheet ready for sharing. You can assign a code that enables you to re-identify the information, but it cannot be related to any identifiers in the data.
The second way to de-identify data is through external verification, whereby a third-party vendor with knowledge of making medical information unidentifiable provides certification that there is a low risk that patients could be recognized.
Cases in which you might want to use a professional for de-identification certification include:
- Patients with rare conditions. If only 5 people in a state have a condition, that fact, along with other information, might be enough to identify one of them.
- Collaboration with a group of doctors amassing data to evaluate something like quality and then placing this information on the Web. Steven Waldren, MD, director of the alliance for e-health and innovation at the American Academy of Family Physicians, recommends going through a professional any time the data will be made public.
- When dealing with conditions like sexually transmitted diseases or other sensitive issues.
- Identifiable age cohorts. For instance, you might have a handful of patients over age 90 who could be re-identified when data like medical condition or region are included.
Depending upon the data being pulled, de-identification may not even be necessary, such as when you provide numbers related to the prevalence or incidence of disease. In these cases, there should be no identifiers to be removed.
You may have to look twice at a data collection request that calls for, for instance, information on a particular disease along with when patients were seen, co-morbidities, and lab data. This will require some work to ensure anonymity.
A more challenging scenario might be if researchers need access to progress and office notes. There may be identifiers in this “unstructured” data that would have to be removed on top of everything else. For example, a patient's record might note that the patient's spouse may be causing stress or is a caregiver.
An electronic medical record provider or a staff member who is helping with research or data collection should be available to help with the de-identification process. Waldren recommends a few measures to take when doing the process in-office.
First, figure out the minimum amount of data needed to accomplish your goal, and use only that. Review the list of 18 identifiers and ensure you have taken out things like photos and URLs. Finally, pull random data sets and peruse them to make sure they are compliant. Any unnecessary data should be removed.
“I wouldn't just say, ‘We've removed identifiers so we are good,’” Waldren said. “As a doctor thinking about patient rights, and privacy, and safety and trust, I would do more than is required to fill the letter of the law.”
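The in-office steps described above (keep only the minimum fields, strip identifiers, assign a re-identification code unrelated to the data, then spot-check what is left, including free-text notes) can be sketched in code. This is an added example, not part of the original article; the column names, ISO date format, regex patterns and sample records are assumptions, and it covers only a subset of the 18 identifiers.

```python
import re
import secrets

# Columns dropped outright: a subset of the 18 identifiers (column names are assumed).
DROP = {"name", "phone", "fax", "email", "ssn", "mrn", "street", "city", "zip"}

# Patterns for spot-checking free text. Illustrative, not exhaustive: relational
# clues such as "spouse is caregiver" still need a human reviewer.
RESIDUAL = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"https?://\S+", re.I),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def deidentify(rows, keep):
    """Return (shareable_rows, crosswalk); `keep` is the minimum field set requested."""
    shareable, crosswalk = [], {}
    for row in rows:
        code = secrets.token_hex(8)    # random, so unrelated to any identifier
        crosswalk[code] = row["mrn"]   # re-identification key; stays in the practice
        out = {"code": code}
        for field in keep:
            if field in DROP:
                continue               # identifiers are dropped even if requested
            if field == "visit_date":
                out["visit_year"] = row[field][:4]   # ISO date reduced to the year
            else:
                out[field] = row[field]
        shareable.append(out)
    return shareable, crosswalk

def residual_identifiers(rows):
    """Spot check: (row index, field, pattern name) for each hit in a string value."""
    return [(i, field, name)
            for i, row in enumerate(rows)
            for field, value in row.items() if field != "code" and isinstance(value, str)
            for name, rx in RESIDUAL.items() if rx.search(value)]

# Constructed sample records, not real patient data.
SAMPLE = [
    {"name": "Pat Example", "mrn": "MRN-0001", "ssn": "000-00-0000", "state": "OH",
     "visit_date": "2016-03-14", "diagnosis": "E11.9",
     "note": "Spouse is caregiver; call 555-555-0100 to reschedule."},
    {"name": "Lee Sample", "mrn": "MRN-0002", "ssn": "000-00-0001", "state": "OH",
     "visit_date": "2016-07-02", "diagnosis": "I10",
     "note": "BP stable, continue current dose."},
]
```

The spot check flags the phone number left in the first record's note; the spouse mention in the same note passes the patterns, which is why sampled records still need to be read by a person.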
Following are the 18 pieces of information that must be removed to comply with the rule:
- Names
- Geographic information smaller than a state
- Any dates, except the year, that directly relate to a patient
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health Plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle information
- Device identifiers/serial numbers
- Web addresses
- IP address numbers
- Biometric identifiers
- Facial photographs
- Other identifying numbers unless permitted by HIPAA
US Department of Human Health Services and Office of Civil Rights. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Published November 6, 2015. Accessed August 1, 2016.