What does it mean to de-identify PHI?

(a) Standard: de-identification of protected health information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

Are there 3 acceptable methods for de-identification?

Vehicle identifiers and serial numbers, including license plates. Website URLs. Full-face photos and comparable images. Biometric identifiers (including finger and voice prints).

What are the two methods of de-identification under HIPAA?

The OCR Guidance provides two methods for covered entities to de-identify PHI: the expert determination method and the safe harbor method.

When can a covered entity de-identify PHI?

See 45 C.F.R. § 164.504(e). The process of de-identifying PHI constitutes a use of PHI. Thus, an HIO may only de-identify PHI it has on behalf of a covered entity to the extent that the business associate agreement authorizes the HIO to do so.

What are the ways of de-identification?

Personal identifiers can be provided to a de-identification system in four different ways: report-specific identifiers, cohort-specific identifiers, repository-wide identifiers, or a combination of the above.

What is considered de-identified?

When health information does not identify an individual, and there is no reasonable basis to believe that it can be used to identify an individual, it is “de-identified” and is not considered to be PHI.

How do you de-identify a report?

Remove identifiers

  1. Names.
  2. Geographic subdivisions smaller than state—except for the first 3 digits of zip codes, given.
  3. Dates directly related to the individual (e.g., birthday, death date, or admission date).
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social security numbers.
  8. Medical record numbers.

What is the de-identification process?

De-identification is a process of detecting identifiers (e.g., personal names and social security numbers) that directly or indirectly point to a person (or entity) and deleting those identifiers from the data.
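The detect-and-delete process described above, as an added Python example that is not part of the original page. It handles only the pattern-detectable items from the list (ZIP codes truncated to 3 digits, dates, phone, fax, email, SSN, MRN) plus report-specific identifiers such as the patient name supplied by the caller; the regexes assume US-style formats and the sample report is constructed.

```python
import re

# Assumed US-style formats; order matters (SSN, MRN and fax before phone).
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("MRN",   re.compile(r"\bMRN[:#\s]*\w+\b", re.I)),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
    ("FAX",   re.compile(r"\bfax[:\s]*\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b", re.I)),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
]
# Keep the first 3 digits of a ZIP code, mask the rest (ZIP+4 included).
# Note: this also masks any other bare 5-digit number in the text.
ZIP = re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b")


def deidentify(text, report_identifiers=()):
    """Return (scrubbed_text, counts_per_identifier_type).

    report_identifiers: values known for this report (e.g. the patient name
    from the record header); free-text names cannot be found by regex.
    """
    counts = {}

    def sub(label, pattern, repl, s):
        s, n = pattern.subn(repl, s)
        if n:
            counts[label] = counts.get(label, 0) + n
        return s

    for label, pattern in PATTERNS:
        text = sub(label, pattern, f"[{label}]", text)
    text = sub("ZIP", ZIP, r"\g<1>XX", text)
    # Names last, so a surname inside an email address is already gone;
    # longest first, so "Jane Doe" is replaced before "Doe".
    for value in sorted(report_identifiers, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(value) + r"\b", re.I)
        text = sub("NAME", pattern, "[NAME]", text)
    return text, counts


# Constructed sample report; every value in it is fictional.
SAMPLE = ("Patient Jane Doe (MRN: 00482913), DOB 03/14/1961, seen 2024-02-09.\n"
          "Home ZIP 27701. Phone (919) 555-0123, fax: 919-555-0144.\n"
          "SSN 123-45-6789. Contact jane.doe@example.com. Ms. Doe reports chest pain.")

if __name__ == "__main__":
    scrubbed, found = deidentify(SAMPLE, ["Jane Doe", "Doe"])
    print(scrubbed)
    print(found)
```

The returned counts give a reviewer a quick check that each identifier type expected in a report was actually found and replaced.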

Who can de-identify PHI?

The safe harbor method under the HIPAA Privacy Rule de-identification standard requires covered entities or business associates to remove all 18 identifiers of PHI from data in order to ensure that the data cannot be traced back to one person.

What is de-identification in healthcare?

The process of de-identification removes all direct identifiers from patient data and allows organizations to share it without the potential of violating HIPAA. Direct identifiers can include a patient’s name, address, medical record information, etc.

Who can formally determine whether health information has been de-identified?

The first requires a formal determination by a qualified subject matter expert, while the latter requires the removal of 18 specified identifiers of PHI. De-identified health data is often the backbone of clinical research and can facilitate scientific findings while protecting patient privacy.

What method is used to remove all identifiable information from PHI?

De-identify data with the Safe Harbor method. The Safe Harbor method relies on two primary steps: Remove identifiers. Without identifiers, you take the “P” out of “PHI.” The Office for Civil Rights (OCR) organized a workshop to create a concrete checklist of 18 identifiers.