HIPAA’s Privacy Rule specifies that providers and clinics must protect their patients’ personal information and prevent unauthorized access to it.
The HIPAA Safe Harbor is meant to provide guidance to providers on how to apply the Privacy Rule by de-identifying personal information so it can be safely used as a health data set. Applying Safe Harbor methods removes personally-identifying information and leaves behind a set of health stats that can be used in public health work and other situations where patient statistics are useful.
By learning how to use the Safe Harbor method, you may help protect your patients’ information and also get useful data that may be safely discussed with others. As always, do your own research and seek out professional advice so you stay in full compliance with HIPAA and other privacy laws.¹
Removing personal information
Even after removing obvious personal information, such as names and contact information, plenty of information is still left that may be used to identify patients. Details particular enough to an individual or family to accidentally reveal an identity may include patients’ employers, the city they live in, dates on their records, and other characteristics.
To be safe, HIPAA guidelines specify which identifying characteristics should be removed entirely before a set of data can be used and revealed.¹
Each of these categories must be appropriately removed or managed according to Safe Harbor guidelines:¹
- Names and unique numbers: You must remove all names, phone numbers, vehicle numbers such as license plate numbers or serial numbers, fax numbers, URLs, email addresses, social security numbers, device ID numbers, certificate numbers, Internet Protocol (IP) addresses, medical record numbers, health plan beneficiary numbers, account numbers, or any other unique number.
- Dates: Dates that are directly related to the patient must be removed, such as birth or death dates, admission dates and discharge dates. The year itself can remain. Ages can be included in the data, unless the patient is over age 89. Patients over age 89 can be included in their own category as patients age 90 and older. In many situations, patients older than 89 can be identified simply by their age, so this special exception addresses that problem. In fact, any data indicating an age over 89 and providing enough clues to figure out the patient’s age should be removed from the data set, including years.
- Geographic identifiers: If the patient lives in a small town or rural area, has unique health characteristics, etc., then sometimes even a city or county name can be enough to reveal their identity. For this reason, locations should not be any more specific than the state level. Zip codes can sometimes be used, but special rules apply. Only the first three digits of the zip code can be included, and only if all of the zip codes with that same first three digits have, together, more than 20,000 residents. If that particular group of zip codes together has fewer than 20,000 people, the three zip code digits may only be listed as “000.”
- Records unique to the patient: Photos of the patient that show the full face or are similar to a full-face photo, fingerprints, voice prints and other biometric identifiers must be removed.
- Anything you are unsure about: If you think a particular piece of information may be enough to reveal a patient’s identity, you are better off removing it altogether.
- Any piece of information that can be used together with other information to reveal an individual’s identity.
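The date, age, zip code and "unsure, so remove" rules above can be applied mechanically to each record. The following is an added example, not code from HHS or from this article's author; the field names, the pass-through list and the population table are assumptions constructed for illustration, and a real table of three-digit zip code populations must be supplied by the caller.

```python
from datetime import date

# Hypothetical field names. Only fields listed here survive; anything else
# (names, SSNs, emails, city, employer, photos, unknown fields) is dropped,
# following the "anything you are unsure about" rule.
PASS_THROUGH = {"state", "diagnosis"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed sample populations per 3-digit zip prefix (not real data).
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000}


def _is_over_89(record, as_of):
    """True if the stated age, or the age implied by birth_date, exceeds 89."""
    age, born = record.get("age"), record.get("birth_date")
    if age is None and born is not None:
        had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
        age = as_of.year - born.year - (0 if had_birthday else 1)
    return age is not None and age > 89


def deidentify(record, as_of=None, zip3_population=ZIP3_POPULATION):
    """Return a copy of record reduced according to the rules listed above."""
    as_of = as_of or date.today()
    over_89 = _is_over_89(record, as_of)
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            # A birth year would reveal an age over 89, so it is dropped too.
            if key == "birth_date" and over_89:
                continue
            out[key.replace("_date", "_year")] = value.year
        elif key == "age":
            out["age"] = "90+" if over_89 else value
        elif key == "zip":
            prefix = str(value)[:3]
            # Exactly 20,000 is treated as too small (conservative choice).
            big_enough = zip3_population.get(prefix, 0) > 20_000
            out["zip3"] = prefix if big_enough else "000"
        elif key in PASS_THROUGH:
            out[key] = value
    return out
```

A zip prefix that is missing from the population table is treated the same as a small one and becomes "000".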
Stay safe
Learn how to protect your patients using the Safe Harbor method and you will also obtain data sets you can use while staying in compliance with HIPAA. By using these strategies, you can help keep your clinic and your patients safe.
References
1. HHS.gov. “Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.” U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/#safeharborguidance. Accessed: March 2017.