How do you Anonymize PHI?

Healthcare organizations and their business associates that want to collaborate on protected health information must do so in line with the HIPAA Privacy Rule, which restricts the permitted uses and disclosures of PHI. Once PHI has been de-identified, however, the Privacy Rule restrictions no longer apply.

The HIPAA Privacy Rule applies only to individually identifiable health information. If PHI is de-identified so that it no longer identifies an individual and there is no reasonable basis to believe it could be used to identify one, the data is no longer PHI and can be shared between stakeholders without the Privacy Rule's restrictions on use and disclosure.

De-identification of PHI enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness reports, and other studies and assessments without breaching patient privacy or having to obtain an authorization from each patient before the data is disclosed.

De-identification of Protected Health Information for HIPAA

HIPAA-compliant de-identification of protected health information can be achieved using one of two methods: Safe Harbor and Expert Determination. Neither method eliminates all risk of re-identification, but both reduce that risk to a very low, acceptable level. Data de-identified by either method is no longer considered protected health information and is therefore not subject to the HIPAA Privacy Rule restrictions.

Safe Harbor – Deleting Specific Identifiers

The first HIPAA-compliant way to de-identify protected health information is to remove a specified set of 18 identifiers of the individual, and of the individual's relatives, employers, and household members, from the data set. The identifiers that must be removed are:

  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes (subject to the ZIP code exception described below)
  • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such an age, which may instead be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code

In the case of ZIP codes, covered entities may retain the first three digits provided the geographic unit formed by combining all ZIP codes with those three initial digits contains more than 20,000 people. When that geographic unit contains 20,000 or fewer people, the three digits must be changed to 000. According to Bureau of the Census data, that means 17 three-digit ZIP codes must be changed to 000:

036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, 893

Covered entities must note that the above list may change after future censuses. It was derived from 5-digit ZIP code data from the 2000 Census.

Safe Harbor also requires that the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. For further details on de-identification of protected health information using the Safe Harbor method see 45 CFR § 164.514(b)(2).
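The Safe Harbor transformations above (drop the direct identifiers, keep only the year of any date, collapse ages over 89 into a single 90+ category, and truncate ZIP codes to three digits or 000) can be applied mechanically to structured records. The following is an added example and not code from the article; the field names, the flat dictionary record layout, and the ISO-8601 date strings are assumptions made for the example, while the 17 restricted three-digit ZIP prefixes are the ones listed above.

```python
"""Safe Harbor de-identification of one flat patient record.

Added example, not from the original article. Assumes records are flat
dicts with the field names used below and ISO-8601 date strings.
"""
from datetime import date

# Three-digit ZIP prefixes covering 20,000 or fewer people (HHS guidance,
# derived from the 2000 Census); these are changed to "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers that are removed outright. Field names are assumptions.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo",
}

# Dates directly related to the individual; reduced to the year only.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def zip3(zip_code: str) -> str:
    """First three ZIP digits, or "000" when that three-digit area is too small."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth_iso: str, ref_iso: str) -> int:
    """Completed years between the birth date and the reference date."""
    b, ref = date.fromisoformat(birth_iso), date.fromisoformat(ref_iso)
    return ref.year - b.year - ((ref.month, ref.day) < (b.month, b.day))


def safe_harbor(record: dict, reference_iso: str) -> dict:
    """Return a copy of `record` with the Safe Harbor identifiers removed.

    `reference_iso` is the date at which age is evaluated (an assumption;
    a study would fix this per data set).
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip3"] = zip3(out.pop("zip"))
    for field in DATE_FIELDS:
        if field in out:
            # Keep the year only; month and day are identifiers.
            out[field.replace("_date", "_year")] = out.pop(field)[:4]
    if "birth_date" in record:
        age = age_on(record["birth_date"], reference_iso)
        if age > 89:
            # Ages over 89 collapse into one category, and the birth year
            # is dropped too because it would reveal such an age.
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-00042",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street": "1 Main St",
    "city": "Hopewell",
    "zip": "03601",
    "birth_date": "1931-03-15",
    "admission_date": "2023-06-01",
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    # Expected: {'zip3': '000', 'admission_year': '2023',
    #            'diagnosis_code': 'E11.9', 'age': '90+'}
    print(safe_harbor(SAMPLE_RECORD, "2023-06-01"))
```

Note that the function only removes the listed identifiers; it does nothing about free-text fields (clinical notes, for instance) that may contain names or dates, and it does not address the "no actual knowledge" requirement, which is a judgement the covered entity still has to make about the remaining data.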

Expert Determination Method

The expert determination method also leaves a small chance that an individual could be identified, but the chance is low enough to meet the HIPAA Privacy Rule requirements.

This method of de-identification requires a HIPAA covered entity or business associate to obtain a determination from a qualified statistical expert that the risk of re-identifying an individual from the data set is very small. The methods used to reach that determination and the justification for the expert's opinion must be documented and retained by the covered entity or business associate and made available to regulators in the event of an audit or investigation.

The expert must be a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.

Applying those principles and methods, the expert must determine that the risk of re-identifying an individual is very small. The risk must be very small when the information is used on its own, and must remain very small when the data is combined with other reasonably available information that an anticipated recipient could use to identify a subject of the information.

HIPAA does not specify the acceptable level of re-identification risk beyond saying it must be "very small". The expert should justify what "very small" means in the context of the particular data set, the environment in which it will be used, and the ability of an anticipated recipient to re-identify people.

Experts may come from a number of different fields and do not require any specific qualifications. What is crucial is that they have experience of de-identifying data. It is that experience that regulators will review in the event of an audit, not specific qualifications or certifications.

PHI Anonymization Steps

The steps to anonymize PHI are:

  1. Identify the data elements: Determine the specific PHI elements that need to be anonymized. This may include names, addresses, dates of birth, Social Security numbers, medical record numbers, or any other information that can directly identify an individual.
  2. De-identify or remove identifying information: Remove or modify the identified data elements to eliminate any direct identifiers. For example, replace names with a random study code (a code derived from the identifier, such as a hash of the name, is still treated as an identifier under HIPAA), remove specific dates of birth and use age ranges instead, and truncate addresses to broader geographic information.
  3. Aggregate data: Combine or aggregate data to prevent the identification of individual patients. This involves grouping records together so that the data set describes a population rather than individual cases.
  4. Generalize data: Generalize or round data values to reduce the risk of re-identification. For instance, if a patient's age is 47, you could generalize it to the range 40-49.
  5. Implement data suppression techniques: Remove or suppress any data points that could lead to identification. For example, if only a small number of individuals fall within a particular combination of attributes, you might suppress those records to avoid re-identification.
  6. Maintain data quality and utility: Strive to maintain the usefulness of the anonymized data while ensuring privacy. The balance between data utility and privacy should be considered carefully so that the anonymized data still serves its intended purpose.
  7. Validate the anonymization process: Conduct checks to confirm the effectiveness of the anonymization techniques. This may involve measuring the risk of re-identification or consulting experts in data privacy and security.
  8. Document the anonymization process: Keep detailed records of the steps taken to anonymize PHI. This documentation provides transparency and accountability regarding the handling of sensitive data.
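Steps 4, 5 and 7 (generalize, suppress small groups, validate) can be carried out together by treating the remaining indirect identifiers, such as age, three-digit ZIP and sex, as quasi-identifiers and checking the size of every group of records that share the same values. The following is an added example and not code from the article; it assumes the rows have already had their direct identifiers removed, that age, zip3 and sex are the quasi-identifiers of interest, and that a minimum group size of k=3 is acceptable, which is an illustrative choice rather than a HIPAA requirement.

```python
"""Generalize quasi-identifiers, suppress small groups, and validate.

Added example, not from the original article. Assumes rows are dicts
already stripped of direct identifiers; the quasi-identifier set and
the minimum group size k are assumptions for the example.
"""
from collections import Counter

# Attributes that, in combination, could single out a patient.
QUASI_IDENTIFIERS = ("age_band", "zip3", "sex")


def age_band(age) -> str:
    """Generalize an exact age to a ten-year band; 90+ stays one category."""
    if age == "90+" or age > 89:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize(rows):
    """Step 4: replace the exact age with its band, leaving other fields intact."""
    out = []
    for r in rows:
        g = dict(r)
        g["age_band"] = age_band(g.pop("age"))
        out.append(g)
    return out


def _key(row):
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def group_sizes(rows) -> Counter:
    """Number of rows sharing each quasi-identifier combination."""
    return Counter(_key(r) for r in rows)


def small_groups(rows, k):
    """Quasi-identifier combinations shared by fewer than k rows (for reporting)."""
    return sorted(key for key, n in group_sizes(rows).items() if n < k)


def suppress_small_groups(rows, k):
    """Step 5: drop every row whose combination is shared by fewer than k rows."""
    sizes = group_sizes(rows)
    return [r for r in rows if sizes[_key(r)] >= k]


def min_group_size(rows) -> int:
    """Step 7: the smallest group size, i.e. the k in k-anonymity; 0 if empty."""
    sizes = group_sizes(rows)
    return min(sizes.values()) if sizes else 0


def anonymize(rows, k=3):
    """Generalize, suppress, then validate that no group is smaller than k."""
    released = suppress_small_groups(generalize(rows), k)
    if released and min_group_size(released) < k:
        raise ValueError("validation failed: a group smaller than k survived")
    return released


# Constructed sample rows; not real patient data.
SAMPLE_ROWS = [
    {"age": 42, "zip3": "100", "sex": "F", "diagnosis": "E11.9"},
    {"age": 47, "zip3": "100", "sex": "F", "diagnosis": "I10"},
    {"age": 49, "zip3": "100", "sex": "F", "diagnosis": "J45"},
    {"age": 45, "zip3": "100", "sex": "M", "diagnosis": "E11.9"},
    {"age": 91, "zip3": "100", "sex": "M", "diagnosis": "I10"},
    {"age": 95, "zip3": "100", "sex": "M", "diagnosis": "I10"},
    {"age": 93, "zip3": "100", "sex": "M", "diagnosis": "N18.3"},
    {"age": 63, "zip3": "212", "sex": "F", "diagnosis": "I10"},
]

if __name__ == "__main__":
    generalized = generalize(SAMPLE_ROWS)
    print("groups below k=3:", small_groups(generalized, 3))
    released = anonymize(SAMPLE_ROWS, k=3)
    print(f"released {len(released)} of {len(SAMPLE_ROWS)} rows,"
          f" smallest group = {min_group_size(released)}")
```

With the sample data, generalization alone leaves two singleton groups (a 40-49 male in ZIP3 100 and a 60-69 female in ZIP3 212); suppression removes those two rows and the remaining six rows all sit in groups of three. The diagnosis column is retained throughout, which is the utility the release is meant to preserve. In a real release, k and the quasi-identifier set are exactly the kind of judgement an expert determination has to justify.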

Remember that anonymization is not foolproof, and there is always a risk of re-identification. Stay updated on best practices and regulations related to data anonymization and consult with legal and privacy experts to ensure compliance with applicable laws and regulations, such as HIPAA, when anonymizing PHI.

Summary of Anonymizing PHI

Anonymizing PHI is a crucial step in safeguarding patient privacy and complying with data protection regulations. By following the steps outlined above, organizations can effectively remove or modify identifiable elements from PHI, reducing the risk of re-identification while maintaining data utility. Anonymization helps to protect individuals’ sensitive information and ensures that aggregated data sets can be used for research, analysis, and other purposes without compromising patient confidentiality. However, it is important to note that anonymization is not foolproof, and organizations must stay informed about evolving best practices and legal requirements to continually improve their data anonymization processes. By adopting these practices and documenting the anonymization process, organizations can enhance privacy protection and contribute to the responsible use of healthcare data.

About Elizabeth Hernandez
Elizabeth Hernandez is a reporter for ComplianceHome. She is a journalist with a focus on IT compliance and security, combining her knowledge of information technology with a keen interest in cybersecurity to report on issues related to IT regulations and digital security. Elizabeth's work often touches on topics like GDPR, HIPAA, and SOC 2, exploring how these regulations affect businesses and individuals. She emphasizes the significance of compliance regulations in digital security and privacy.