Q. I need to provide an insurance company a deidentified sampling of medical records from my practice for initial credentialing. What, precisely, defines a “deidentified” record?
A. Physicians may need to use deidentified records for various purposes, such as research, demographic and public health studies, or operational purposes like credentialing. Deidentified health information as defined by HIPAA is not protected health information (PHI) and thus is not covered by the HIPAA Privacy Rule.
To create a deidentified record according to HIPAA, you must remove all of the following information about a patient, as well as similar information about the patient’s relatives, employer, and household members:
- Street address, city, county, precinct, and ZIP Code;
- Dates directly related to any individual, including birth date, admission date, discharge date, date of death;
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social Security number;
- Medical record number;
- Health plan beneficiary number;
- Account number;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full-face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.
Physicians involved in research can learn more on the National Institutes for Health’s Information for Researchers webpage.
Published Jan. 22, 2013
TMA Practice E-Tips main page