De-Identify Sensitive Patient Information—Before You Share!Use These 2 HIPAA-Approved Methods
The rise of electronic health records (EHR) has created significant challenges for providers that go beyond typical data storage and breach concerns. After all, providing patient care often requires sharing patient information—the privacy of which the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects.
Communication technology has changed significantly since the late 1990s—just think about how often you reach out to patients via email or text these days. And that means sharing data is riskier than ever, according to healthcare compliance expert Jim Sheldon-Dean. In his AudioEducator Virtual Boot Camp, he explains how and why you must de-identify patient information to share it and use it (say, in marketing efforts) safely and compliantly.
What is De-Identify?
De-identified data has been stripped down to the point that it can’t identify a specific patient. Such data is no longer a part of protected health information (PHI).
Examples of PHI—which is protected by HIPAA—are:
- Information of the patient’s past/present/future physical and mental health
- Provisions of health care to the patient
- Past/present/future payment for a patient’s healthcare.
HIPAA recognizes that some patient-related data may be helpful, to advance medical research for instance. Therefore, the law allows you to de-identify data so that PHI-related limitations don’t apply to its use. HIPAA offers two methods for de-identification:
- the “safe harbor” method and
- the “expert” method.
You will choose a method depending on your practice’s compliance expertise level and data-sharing needs.
Safe Harbor: The Checklist Method
The safe harbor method of de-identification is essentially a checklist that outlines 18 specific items you must remove from data. The safe harbor method consists of two main steps:
- Remove 18 specific patient identifiers, and
- Resolve “actual knowledge.”
The first step, as outlined by the Department of Health and Human Services (HHS), includes removing personal information such as:
- Names of patients and family members
- Telephone and fax numbers
- Email and physical addresses
- Identifying numbers, such as social security numbers, medical record numbers, etc.
- Vehicle identifiers and serial numbers
- IP addresses and web universal resource locators (URLs), and
- Biometric identifiers, such as fingerprints.
Warning: Be sure to check the exceptions on de-identifying specific information, such as zip codes for locations with populations below 20,000. Once this information has been removed, your practice will need to resolve “actual knowledge,” that is, confirm with the recipient of the data that it will not be able to re-identify the information.
Expert: The Framework Method
The second HIPAA-approved route to de-identification, the expert method, is a framework instead of a checklist. While this method is less straightforward, it allows you to leave the work in the hands of an expert who will determine: which information needs to be removed and how to remove it.
HIPAA does not define eligible experts to perform this work. You must use your discretion. The expert you’ve selected will be responsible for doing the following:
- Research which identifiers will need to be removed and which can be kept in the data sets. The expert should also provide rationale on each identifier’s inclusion/exclusion.
- Remove the agreed-upon identifiers.
- Test the de-identified data to make sure that the recipients will have no way of re-identifying the data.
Smart idea: You will likely wish to create and enforce a data use agreement with any recipients of your data. Although HIPAA does not require this, doing so will further protect sensitive information. At a minimum, you must guarantee in writing that the recipient will not share the data.
Note: The expert method is best used for one recipient only. If you plan to share the same data with different recipients, your expert must tailor the data accordingly for each party receiving the information.
Protect Data—and Your Practice
According to SecurityMetrics, the healthcare industry is less prepared to comply with HIPAA than patients think. Twenty-six percent of healthcare organizations the company surveyed in 2017 do not conduct formal risk analyses, and 16 percent send email containing unencrypted patient data, SecurityMetrics reported. Clearly, there are some HIPAA compliance gaps to fill.
Remember: Sharing data can lead to improved patient care and cost efficiencies, but you must follow HIPAA regulations. That’s why, Sheldon-Dean says, it’s so important your practice understands how to properly de-identify patient information.