Part 2, Chapter 7: Manual Exhibit 2-7-F
Policy and Procedure for De-Identification of
Protected Health Information and Subsequent Re-Identification
- PURPOSE. To publish the Indian Health Service (IHS) policy and procedures for determining when health information is not individually identifiable or for the de-identification of protected health information (PHI), and for any subsequent re-identification.
- AUTHORITY. 45 Code of Federal Regulations (CFR) 164.514(a) - (c)
- POLICY. The IHS may determine when health information is not individually identifiable or when to de-identify PHI for disclosures other than healthcare purposes in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 CFR Parts 160 and 164. The IHS may also determine when it is necessary to re-identify previously de-identified PHI and must comply with the terms of this policy to adequately de-identify PHI and to ensure proper re-identification of PHI.
- De-identification. De-identification is the process by which PHI is rendered individually unidentifiable through the removal of such identifiers described in the “Procedures” section of this policy or through a determination based upon statistical and scientific methods.
- Re-identification. Re-identification is the process of assigning a code or other means of record identification in order to allow de-identified PHI to be retrieved/identified by the IHS but still maintaining the anonymity of the pateint(s) described in the “Procedures” section below.
- De-identification. The following procedures shall be used to de-identify PHI or to determine when health information is not individually identifiable.
- The determination of whether health information is individually identifiable or whether PHI may be de-identified will occur when there is no "need to know" the identity of the patient. This determination will be made on a case-by-case basis depending on the nature of the request. Examples may be situations related to research or a cancer registry where there is no “need to know” the identity of the patient.
- The IHS may determine that health information is not individually identifiable in the following two ways:
- If a Health Information Management professional or health care professional de-identifies patient records (including electronic records) containing PHI by removing the following identifiers of the patient or of the patient's relatives, employers, or household members:
- all elements of a street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code for areas that contain over 20,000 people;
- all elements of dates (except year) for dates directly related to the patient, (e.g., birth date, admission/discharge dates, date of death);
- all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- telephone numbers;
- fax numbers;
- e-mail address(es);
- social security numbers;
- medical record numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate/license numbers;
- license plate numbers, vehicle identifiers, and serial numbers;
- device identifiers and serial numbers;
- Uniform Resource Locator (URL) address(es);
- Internet Protocol (IP) address numbers;
- biometric identifiers, including finger, and voice prints;
- full face photographic images and comparable images; and
- any other unique identifying number except as created by the IHS to re-identify the information.
This determination also requires that the IHS does NOT have actual knowledge that the remaining information could be used alone or in combination with other information to identify the patient.
- If a person with knowledge and experience of generally accepted statistical and scientific methods for rendering information not individually identifiable, designated by the Chief Executive Officer (CEO) or his or her designee (or through a business associates contract), applies such methods and determines that the risk is very small that the information could be used alone, or in combination with other available information, by an anticipated recipient of such information to identify the patient. This designated person with knowledge and experience of statistical and scientific methods must document the methods and results of the analysis that justify the determination.
- De-identification will be performed at the origin of the data, or, in the case of the determination made by the designated person named in 5A(2)a above, where such person is located, as appropriate.
- Hard copy PHI will be de-identified by obliterating (making unreadable and unrecognizable) the individual
indentifier(s). The original(s) should not be modified.
- Re-identification. The following procedures will be used to re-identify previously de-identified PHI:
- The IHS may assign a code or other means of record identification to allow de-identified information to be re-identified by the IHS, provided that;
- such code is not derived from or related to information about the patient (e.g., code is not derived from the patient’s name, social security number, medical record number, etc. as defined in 45 CFR 164.514(b));
- such code is not capable of being used to identify the patient;
- the IHS does not use or disclose the code for any other purpose; and
- the IHS does not disclose the mechanism for re-identification (tables, algorithms, etc.) that could be used to link the code with the patient.
- A re-identification code does not constitute a “unique, identifying number, characteristic, or code.”
Back To Top