HIPAA: Safe Harbor Method In De-Identification Of Protected Health Information
According to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, there are two methods for de-identification of Protected Health Information (PHI). The Safe Harbor method is one of them. The HIPAA Privacy Rule sets limits on the use and disclosure of PHI. It protects most "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral; this information is called Protected Health Information (PHI). Protected health information is information about an individual's physical and mental health condition, the health care the individual received, and the payments made for or by the individual.
The HIPAA Safe Harbor method is used to de-identify protected health information. De-identification is the process of removing specific information about an individual. That specific information can be used alone or in combination with other individuals' (family members, relatives, and employees) information to identify the individual. The requirements of the HIPAA Safe Harbor de-identification process are satisfied only if the information that remains after the specific identifiers are removed cannot be used to identify the individual. Once PHI is de-identified, that individual's information is no longer PHI, which means there are no limits or restrictions on the use or disclosure of the information. In short, de-identified protected health information can no longer be used to identify the individual.
According to the Safe Harbor guidelines, specific categories of information must be removed or managed properly before the information can be used or revealed. These categories, which cover the individual as well as relatives and family members, can be used individually or in combination to identify the individual.
The specific categories of the individual or his family members and relatives include:
- Names
- Dates
- Geographic identifiers
- Telephone numbers
- Vehicle identifiers (license plate number) and serial numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web universal resource locators
- Social security numbers
- Internet Protocol addresses
- Medical record numbers
- Biometric identifiers (finger and voice prints)
- Health plan beneficiary numbers
- Full-face photographs and any related images
- Account numbers
- Any other unique identifying numbers
- Certificate or license numbers
- Records unique to the individual
- Anything you are unsure of
For geographic identifiers, the initial three digits of a ZIP code can be kept when the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
Once the above specific information is removed, the covered entity must have no actual knowledge that the remaining information can be used to identify the individual. Once the 'no actual knowledge' requirement is satisfied, the protected health information has been successfully de-identified using the Safe Harbor method.
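The sketch below is an added example, not part of the original article: it drops identifier fields from a flat record, applies the three-digit ZIP rule described above, and flags identifier-like strings left in free text so a reviewer can check them before release. The field names, the population table and the sample record are constructed for illustration; a real pipeline would load current population figures per three-digit ZIP prefix.

```python
import re

# Hypothetical field names, mapped to identifier categories listed in the article.
IDENTIFIER_FIELDS = {
    "name", "birth_date", "phone", "fax", "email", "url", "ssn", "ip_address",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "photo", "fingerprint",
}
# Constructed population totals per three-digit ZIP prefix (not census data).
ZIP3_POPULATION = {"100": 1_500_000, "836": 410_000, "555": 20_000, "999": 12_000}
THRESHOLD = 20_000

# Patterns for identifiers that can hide inside free-text fields.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the 3-digit prefix only if its unit has more than 20,000 people."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) not in (5, 9):   # malformed, or leading zero lost: fail closed
        return "000"
    prefix = digits[:3]
    # Unknown prefixes count as population 0, so they are masked as well.
    return prefix if population.get(prefix, 0) > THRESHOLD else "000"

def deidentify(record):
    """Return (cleaned_record, findings) for one flat dict record."""
    cleaned = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    if "zip" in cleaned:
        cleaned["zip3"] = generalize_zip(cleaned.pop("zip"))
    # Each finding is (field, pattern kind) for text that still looks identifying.
    findings = sorted(
        (field, kind)
        for field, value in cleaned.items() if isinstance(value, str)
        for kind, pattern in RESIDUAL_PATTERNS.items() if pattern.search(value)
    )
    return cleaned, findings

# Constructed sample record.
SAMPLE = {
    "name": "Jane Roe", "ssn": "123-45-6789", "zip": "99950-0001",
    "diagnosis": "J45.909",
    "note": "Pt asked for results by email at jroe@example.org or 208-555-0142.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

A non-empty findings list means the record still carries identifiers in free text and is not ready for release; an empty list is only a screening result and does not by itself establish the 'no actual knowledge' condition.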
According to Morrison (2017), 'The Safe Harbor method - More than just protecting patients'. By using the Safe Harbor method you can obtain data sets that can be used while staying within HIPAA. By de-identifying individuals' information, we can keep patients safe.
There are many reasons why an entity may want to de-identify certain PHI. Once information has been de-identified, it is no longer considered PHI and can be used for purposes that are becoming increasingly popular, including research and comparative studies. Because the information is no longer PHI, it can also be used in many other situations. For example, certain types of research or comparative studies could benefit from medical information. In addition, de-identified information can be shared, allowing entities to collaborate in research efforts.