How to Render PHI “Deidentified”

Q. I need to provide an insurance company a deidentified sampling of medical records from my practice for initial credentialing. What, precisely, defines a “deidentified” record?

A. Physicians may need to use deidentified records for various purposes, such as research, demographic and public health studies, or operational purposes like credentialing. Deidentified health information as defined by HIPAA is not protected health information (PHI) and thus is not covered by the HIPAA Privacy Rule.

To create a deidentified record according to HIPAA, you must remove all of the following information about a patient, as well as similar information about the patient’s relatives, employer, and household members:

  1. Name;
  2. Street address, city, county, precinct, and zip code, except for the initial three digits of the zip code if, according to the U.S. census, the area with the same three initial digits contains more than 20,000 people;
  3. All elements of dates (except year) directly related to any individual, including birth date, admission date, discharge date and date of death; 
  4. All ages over 89 and all elements of dates (including year) indicative of such age, except that can aggregate such ages and elements into a 90-or-older category;
  5. Telephone numbers;
  6. Fax numbers;
  7. Email addresses;
  8. Social Security number;
  9. Medical record number;
  10. Health plan beneficiary number;
  11. Account number;
  12. Certificate/license numbers;
  13. Vehicle identifiers and serial numbers including license plate numbers;
  14. Device identifiers and serial numbers;
  15. Web Universal Resource Locators (URLs);
  16. Internet protocol (IP) address numbers;
  17. Biometric identifiers, including finger and voice prints;
  18. Full-face photographic images and any comparable images; and
  19. Any other unique identifying number, characteristic, or code.

Physicians involved in research can learn more on the National Institutes for Health’s Information for Researchers webpage.

 

NOTICE: This information is provided as a commentary on legal issues and is not intended to provide advice on any specific legal matter. This information should NOT be considered legal advice and receipt of it does not create an attorney-client relationship. This is not a substitute for the advice of your own attorney. The Office of the General Counsel of the Texas Medical Association provides this information with the express understanding that (1) no attorney-client relationship exists, (2) neither TMA nor its attorneys are engaged in providing legal advice, and (3) the information is of a general character. Although TMA has attempted to present materials that are accurate and useful, some material may be outdated, and TMA shall not be liable to anyone for any inaccuracy, error, or omission, regardless of cause, or for any damages resulting therefrom. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought. Any legal forms are only provided for the use of physicians in consultation with their attorneys.

TMA Practice E-Tips main page  

Last Updated On

March 18, 2022

Originally Published On

January 22, 2013

Related Content

HIPAA | Medical Records