HIPAA
Privacy Rule and Research with De-identified Information
(Section 164.514)
The
Privacy
Rule does not cover de-identified information. De-identified
is generally defined under the Privacy Rule as information
(1) that does not identify the individual and (2) for
which there is no reasonable basis to believe the individual
can be identified from it.
The
Privacy Rule specifies two ways in which information can
be de-identified:
- A
person with appropriate expertise can render information
"not identifiable" if s/he can determine that
the risk is very small that the information could be
used alone or in combination with other reasonably available
information by an anticipated recipient to identify
the individual. AND, this same person must document
the methods and results of the analysis that justify
this determination.
- Alternatively,
the following identifiers of the individual and his/her
relatives, employers or household members must be removed
or coded:
(1)
Names
(2) All geographic subdivisions smaller than a State,
including: street, city, county, precinct, zip code
- the first three digits of the zip code can be
used if this geocode includes more than 20,000 people.
If such geocode is less than 20,000 persons, "000"
must be used as the zip code.
(3) All elements of dates (except year) related
to an individual, including birth date, admission
date, discharge date, date of death. For individuals
> 89 years of age, year of birth cannot be used
- all elements must be aggregated into a category
of 90 and older.
(4) Telephone numbers
(5) FAX numbers
(6) Electronic mail addresses
(7) SSN
(8) Medical record numbers
(9) Health plan beneficiary numbers
(10) Account numbers
(11) Certificate/license numbers
(12) Vehicle identifiers and serial numbers, including
license plates
(13) Device identifiers and serial numbers
(14) Web universal resource locators (URLs)
(15) Internet protocol (IP) address
(16) Biometric identifiers, including finger and
voice prints
(17) Full face photos, and comparable images
(18) Any unique identifying number, characteristic
or code and
There
is no actual knowledge that the information could be used
alone or in combination with other information to identify
the individual.
Note
that the Common
Rule (45 CFR 46) and the Privacy Rule differ in what
is considered identifiable information.
- The
Common Rule covers both directly and indirectly identifiable
information, (coded information is covered as indirectly
identifiable information)
- The
Privacy Rule covers only directly identifiable health
information (including the identifiers noted above).
The Privacy Rule does not cover coded information, but
it does cover the code itself.
Hence,
if identifiable information is separated from data through
the use of a code, then
- research
must still be submitted to the IRB since the data are
considered indirectly identifiable and thus subject
to the Common Rule;
-
the institution or researcher holding the code is additionally
subject to the Privacy Rule, since s/he has access to
the identifiers; but
-
anyone who does not have access to the code (e.g., outside
researchers) generally is not subject to the Privacy
Rule. Note that under the Common Rule, data can only
be considered anonymized through the permanent destruction
of a code or other link.
The
Partners Human Research Committee should receive all protocols
involving directly or indirectly identifiable information
for review under the Common Rule and Privacy Rule as appropriate.
If the protocol involves anonymized data, it also should
be submitted for a determination of exemption from the
Common Rule.
Please
see also the PHRC policy on limited
data sets - this is an alternative approach for the
use and disclosure of a subset of protected health information
for research, health care operations and public health
purposes. |