As discussed in the previous posting, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), was enacted in 1996. It was created to assure that individuals’ health information is properly protected. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a “covered entity” or its “business associate”, in any form or media, whether electronic, paper, or oral.
However, there are no restrictions on the use or disclosure of “de-identified health information.” ii De-identified health information neither identifies nor provides a reasonable basis to identify an individual. One way to de-identify information is the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve de-identification:
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, etc.;
(C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met.
To be continued ….
Aaron E. Futterman, CPA, Esq. is a partner in the law firm of Futterman & Lanza, LLP with offices in Smithtown, NY and clients throughout Suffolk, Nassau, Queens, Brooklyn, Bronx, Richmond, New York, Westchester and Rockland Counties. He concentrates his practice to Elder Law, Medicaid Planning, Medicaid Applications, Estate Planning, Probate, Estate Taxes, and Estate Administration.