The HIPAA Privacy Rule states that once data has been de-identified, covered entities can use or disclose it without any limitation.
The information is no longer considered PHI, and does not fall under the same regulations and restrictions as PHI.
Is de-identified data covered by HIPAA?
HIPAA Privacy Rule restrictions only cover individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared.
Is de-identified data confidential?
Data is considered de-identified under the Privacy Rule when a number of specified data elements are removed. (45 C.F.R. §§ 164.502(d)(2), 164.514(a) and (b).) De-identified data is not regulated by HIPAA and may be shared without restriction.
What is considered de-identified data?
De-identified patient data is health information from a medical record that has been stripped of all “direct identifiers”—that is, all information that can be used to identify the patient from whose medical record the health information was derived.
What is de-identified data HIPAA?
HIPAA safe harbor de-identification is the process of the removal of specified identifiers of the patient, and of the patient’s relatives, household members, and employers. … By definition, de-identified health information neither identifies nor provides a reasonable basis to identify a patient.
Is patient name alone considered PHI?
Pursuant to 45 CFR 160.103, PHI is considered individually identifiable health information. A strict interpretation and an “on-the-face-of-it” reading would classify the patient name alone as PHI if it is in any way associated with the hospital.
Do you need a BAA for de-identified data?
Access to tokenized or otherwise de-identified health information does not require a BAA. There is no certification for HIPAA compliance.
Is Data masking the same as Anonymization?
Data Masking vs Anonymization
Data masking adds another layer of security to data anonymization by masking certain pieces of data and only showing the most relevant pieces of data to data handlers who are explicitly authorized to see those specific pieces of relevant data.
What is the difference between a limited data set and de-identified data?
| Data element | De-identified data set | Limited data set |
|---|---|---|
| Any other unique identifying number, characteristic or code. | Remove | May include |
Is coded data de-identified?
Coded refers to data that no one outside a study team can link to a subject’s identity. De-identified refers to data that used to be fully identifiable or coded, until the researcher destroyed all of the identifiers linking the data to study subjects.
What is de-identified data used for?
De-identification is a tool that organizations can use to remove personal information from data that they collect, use, archive, and share with other organizations.
How do I identify de-identified data?
Scrubbed data is commonly re-identified by combining two or more sets of data to find the same user in both. This combined information often reveals directly identifying information about an individual.
What are some examples of PHI?
- Patient names.
- Addresses — In particular, anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes.
- Dates — Including birth, discharge, admittance, and death dates.
- Telephone and fax numbers.
- Email addresses.
When a patient wants a copy of their PHI?
When a patient requests to inspect or obtain a copy of their PHI, you must comply in a timely manner. First, inform the patient you accepted the request and then provide the access no later than 30 days after receiving the request.
Sharing Deidentified Data and Biospecimens
Data/specimens that have been deidentified would not be considered human subjects research and may be used or shared under the HIPAA Privacy Rule. … If the 18 identifiers are removed after data collection, then the data/specimens have been anonymized or deidentified.
Is name and address considered PHI?
Examples of PHI include: Name. Address (including subdivisions smaller than state such as street address, city, county, or zip code). Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89.