UAMS ADMINISTRATIVE GUIDE

NUMBER: 3.1.31
DATE: 04/01/03
REVISION: 9/17/2007

SECTION: ADMINISTRATION
AREA: GENERAL ADMINISTRATION
SUBJECT: DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND LIMITED DATA SET INFORMATION


PURPOSE

To inform the UAMS workforce about the procedures for de-identification of Protected Health Information (PHI) and limited data sets.

SCOPE

UAMS Workforce

DEFINITIONS

Data Use Agreement means a written agreement between UAMS and a recipient of Limited Data Set information which establishes the permitted uses and disclosures of such information and certain administrative safeguards to protect the information.  The standard UAMS Data Use Agreement is attached to the UAMS Research Policy, 3.1.27.

De-Identified Protected Health Information is any information about a patient that does not identify the patient and with respect to which there is no reasonable basis to believe that the information can be used to identify the patient.  The patient identifiers must be removed, as explained below in the “Procedure” section of this Policy.

Disclosure means the release, transfer, provision of access to, or divulging of information in any manner (verbally or in writing) by UAMS to persons who are not UAMS employees or students, or to any other person or entity OUTSIDE of UAMS.

Healthcare Operations is defined by the HIPAA regulations under 45 C.F.R. § 164.501 and is incorporated herein by reference, and includes the following:

  1. Quality assessment and improvement, including outcomes evaluation and development of clinic guidelines; population-based activities relating to improving health, protocol development, case management and case coordination, contacting providers and patients with information about treatment alternatives; and related functions that do not include treatment.
  2. Accreditation, certification, licensing or credentialing activities, reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals.
  3. Conducting or arranging for medical review, legal services and auditing.
  4. Business planning and development related to managing and operating the entity.
  5. Business management and general administrative activities, such as fundraising and marketing of services to the extent permitted without authorization, disclosure of PHI in a due diligence review or to resolve internal grievances, and customer service.

Limited Data Set means Protected Health Information that excludes the following information about the patient and about relatives, employers, or household members of the patient:

  1. Names;
  2. Postal address information, other than town and city, state and zip code;
  3. Telephone numbers;
  4. Fax numbers;
  5. Electronic mail address;
  6. Social Security numbers;
  7. Medical Record numbers;
  8. Health Plan beneficiary numbers;
  9. Account numbers;
  10. Certificate/license numbers;
  11. Vehicle identifiers and serial numbers, including license plate numbers;
  12. Device identifiers and serial numbers;
  13. Web Universal Resource Locators (URLs);
  14. Internet Protocol (IP) address numbers;
  15. Biometric identifiers, including voice and finger prints; and
  16. Full face photographic images and any comparable images.

Protected Health Information (PHI) means information that is part of an individual’s health information that identifies the individual or there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual.  This includes PHI which is recorded or transmitted in any form or medium (verbally, or in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.

UAMS Workforce means, for purposes of this Policy, physicians, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UAMS, is under the direct control of UAMS, whether or not they are paid by UAMS.


POLICY

UAMS may use Protected Health Information (PHI) to create De-Identified PHI.  UAMS may disclose PHI to a Business Associate with whom UAMS has a Business Associate Agreement to create De-Identified PHI.  De-Identified information may be disclosed to others, as long as the information is de-identified in accordance with this Policy and is in accordance with official and authorized UAMS business practices. UAMS will determine that PHI has been De-Identified in accordance with the Procedures set forth in this Policy and consistent with the HIPAA regulations.  This Policy is not intended to address De-Identified information that may be subject to IRB regulations or other applicable laws or UAMS policies.

    PROCEDURE

    UAMS may determine that information about a patient has been “de-identified” so that the information is NOT individually identifiable health information, only if:

    1. A person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information, and documents the methods and results of the analysis that justify the determination; or

    2. The following identifiers of the patient and of the patient's relatives, employers, or household members are removed:


      A. Names

      B. Geographic subdivisions smaller than a state

      C. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older;

      D. Telephone and Fax numbers

      E. E-Mail, IP, and URL addresses

      F. Social Security Numbers

      G. Medical Record Numbers

      H. Health Plan Beneficiary Numbers

      I. Account Numbers

      J. Certificate/license Numbers

      K. Vehicle Identifiers and Serial Numbers, including license plate numbers

      L. Device Identifiers & Serial Numbers

      M. Biometric Identifiers, including finger and voice prints

      N. Full Face or other comparable photographic images

      O. Any other unique identifying number, characteristic, or code

    3. The first 3 digits of a zip code can be retained if publicly available data from the Bureau of the Census indicates that the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000. The restricted three digit zip codes that must be changed to 000 are: 036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, 893, and future ZIP codes that may be added at a later date.

    4. After removing the identifiers, the information cannot be released if the UAMS employee has actual knowledge that the information used alone or in combination with other information could identify an individual. See attached flowsheet for additional guidance.

    5. Limited Data Set Information. Prior patient Authorization is not required for the use or disclosure of “Limited Data Set” information as defined in this Policy, as long as a Data Use Agreement is entered with the recipient of the information and the use or disclosure is for one of the following purposes:

      A. For the purposes of research; or
      B. For the purposes of public health activities (not already allowed under HIPAA and the UAMS Use and Disclosure Policy), such as disease registries maintained by UAMS, private organizations, other universities, or other types of studies undertaken by the private sector or nonprofit organizations for public health purposes; or
      C. For the purposes of UAMS Health Care Operations as defined in this Policy and under the HIPAA regulations.
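
The generalization rules in items 2.B, 2.C and 3 of the Procedure, applied to a structured record as an added example that is not part of the UAMS policy or any UAMS system. The field names, the allow-list and the `as_of` reference date are assumptions; free text and the actual-knowledge check in item 4 are outside what it covers.

```python
from datetime import date

# Restricted three-digit ZIP prefixes, copied from item 3 of the policy.
RESTRICTED_ZIP3 = frozenset(("036 059 063 102 203 556 692 790 821 823 830 "
                             "831 878 879 884 890 893").split())
# Assumed allow-list: any field not named here is dropped (fail closed),
# which also covers item O, "any other unique identifying number".
PASS_THROUGH = {"state", "sex", "diagnosis"}
EVENT_DATES = ("admit_date", "discharge_date", "death_date")


def generalize_zip(zip_code):
    """Item 3: keep the first three digits unless the prefix is restricted."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed ZIP: do not guess, suppress it
    return "000" if digits[:3] in RESTRICTED_ZIP3 else digits[:3]


def deidentify(record, as_of):
    """Apply items 2.B, 2.C and 3 to one structured record (a dict)."""
    out = {k: v for k, v in record.items() if k in PASS_THROUGH}
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    born = record.get("birth_date")
    if born is not None:
        had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
        age = as_of.year - born.year - (0 if had_birthday else 1)
        if age > 89:
            out["age"] = "90 or older"  # item C: no birth year for this group
        else:
            out["age"], out["birth_year"] = age, born.year
    for field in EVENT_DATES:  # item C: only the year of a date survives
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year
    return out


# Constructed sample records, not real patient data.
SAMPLE = [
    {"name": "A. Example", "ssn": "000-00-0000", "mrn": "X1", "state": "NV",
     "zip": "89301", "birth_date": date(1915, 5, 1),
     "admit_date": date(2006, 3, 14), "diagnosis": "J18.9"},
    {"name": "B. Example", "zip": "72205-1234", "state": "AR",
     "birth_date": date(1960, 12, 1), "discharge_date": date(2007, 1, 2)},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(deidentify(row, as_of=date(2007, 9, 17)))
```
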

               UAMS Use and Disclosure of PHI and Medical Records Policy, 3.1.28

    START HERE—DE IDENTIFICATION FLOW CHART (pdf format)

    SIGNATURE: ________________________________  DATE: _________________________