Louisiana State University Health Sciences Center Administration & Finance
 
PRIVACY POLICY AND PROCEDURES Policy #:  2100.15
LSU Health Sciences Center New Orleans
Date Effective: April 14, 2003		 Table of Contents
purpleline

Patient Information Policy

De-identification of Protected Health Information

SCOPE:

All Louisiana State University (LSU) System health care facilities and providers including, but not limited to, hospitals, physician practices, clinics, schools, etc. on the LSU Health Sciences Center New Orleans Academic Campus.

Nota Bene: All LSU System Health care facilities and providers including, but not limited to hospitals, physician clinics, schools, etc. on the LSU Health Sciences Center New Orleans Academic Campus, are referred to in this policy as LSUHSC-NO.

PURPOSE:

To provide guidance to the health care facilities and providers affiliated with the LSUHSC-NO on the requirements of the Health Insurance Portability and Accountability Act, Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Regulations), to de-identify an individual’s Protected Health Information.

POLICY:

All LSUHSC-NO affiliated health care facilities and providers should comply with the applicable requirements of the HIPAA Privacy Regulations when de-identifying an individual’s Protected Health Information.

DEFINITIONS:

Protected Health Information (sometimes referred to as “PHI”) – for purposes of this policy means individually identifiable health information, that relates to the past, present or future health care services provided to an individual. Examples of Protected Health Information include medical and billing records of the patient.

Authorization – A written document completed and signed by the individual that allows use and disclosure of PHI for purposes other than treatment, payment or health care operations.

For the purposes of the definition "Designated Record Set":

  • The term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for LSUHSC-NO.
  • The term "record" also includes patient information originated by another health care provider and used by LSUHSC-NO to make decisions about a patient.
  • The term "record" includes tracings, photographs, videotapes, digital and other images that may be recorded to document care of the patient.

Designated Record Set – a group of records maintained by or for LSUHSC-NO that is:

  • The medical records and billing records about individuals maintained by or for LSUHSC-NO; or
  • Any records used, in whole or part, by or for LSUHSC-NO to make decisions about individuals.
  • Any record that meets this definition of Designated Record Set and which are held by a HIPAA
  • Business Associate of LSUHSC-NO are part of LSUHSC-NO Designated Record Set.

Psychotherapy Notes – means notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual’s record. Psychotherapy notes does not include: medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Privacy Officer – Person designated by the facilities and clinics as the Privacy Officer.

PROCEDURE:

1.0 Definition of De-identification of PHI: health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
2.0 Uses and Disclosures of De-identified Information
2.1 When possible or practical, the facility will use and disclose de-identified information when conducting health care operations. The facility is not required to de-identify PHI for health care operations.
3.0 Creating De-identified Information and Re-identifying Information:
3.1 The facility may use PHI to create de-identified information or disclose PHI only to a business associate to create de-identified information for use by:
  • The facility;
  • A business associate; or
  • Another valid requestor.
3.2 If PHI Cannot Be De-Identified. The facility may not be able to remove identifiers from protected health information. If the facility cannot use or disclose PHI for a particular purpose, but believes that removing identifiers is excessively burdensome, it can choose:
  • Not to release the PHI;
  • Consider use of a Limited Data Set; or
  • Seek an authorization from the individual for the use and disclosure of PHI including some or all of the identifiers.
3.3 The facility may contract with a business associate to perform de-identification.
3.4 De-identification Methods. PHI may be de-identified only by using methods for de-identification approved by the U.S. Department of Health and Human Services. By using these methods, the facility may reasonably believe that health information is not individually identifiable health information.
 
3.4.1 Statistical Method – A person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
  • Makes a determination that the risk is very small that the information could be used, either by itself or in combination with other reasonably available information, by anticipated recipients to identify a subject of the information; and
  • Documents the analysis and results that justify this determination.
3.4.2 Removal of All Identifiers Method – ‘Safe Harbor Method’– All of the following identifiers of the patient, relatives, employers, or household members of the patient, are removed:
  •  Names;
  • All geographic subdivisions smaller than a state: street address, city, county, precinct, ZIP code, and their equivalent geocodes. Exception for ZIP codes: The initial three digits of the ZIP Code may be used, if according to current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    • The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to ‘000’.
      • (Note: The 17 currently restricted 3-digit ZIP codes to be replaced with ‘000’ include: 036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893.)
  • All elements of dates (except year) for dates directly related to an individual including:
    • Birth date
    • Admission date
    • Discharge date
    • Date of death
    • And all ages over 89 and all elements of dates (including year) indicative of such age. Such ages and elements may be aggregated into a single category of age 90 or older.
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers; (including prescription numbers and clinical trial numbers)
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code; except a code used for re-identification purposes; and
  • The facility does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.
3.5 Re-identification. The facility may wish to re-identify information previously de-identified, but is not required to do so. This re-identification may be accomplished through the use of a unique code, key or other means of record identification, provided that the following specifications are met:
  • Code Origin. The code, key or other means of record identification is not derived from or related to the PHI about the individual, and is not otherwise capable of being translated so as to identify the individual. In other words, the unique code, key or record identifier must not be such that someone other than the facility could use it to identify the individual (such as a derivative of the individual’s name or social security number.)
  • Code Security. The facility does not use or disclose the code, key or other record identifier for any other purpose, and does not disclose the mechanism for re-identification. The code, key or other record identifier must be kept confidential and secure.
3.6 If the facility uses specialized software to de-identify PHI or re-identify information, access by workforce members to the software will be governed by the appropriate facility policies and procedures on information security and privacy, including, but not limited to:
  • Access controls
  • Password management
  • Media controls
  • Physical safeguards
  • Confidentiality and privacy of PHI
4.0 Processing Requests for De-identified Information
4.1 Requests for de-identified information from the facility must be in writing and submitted to the facility Privacy Officer.
4.2 Written requests must include the following information:
  • Requestor information – Name, address, telephone numbers, title, organization or department.
  • Date of request.
  • Purpose of the request.
  • Record parameters or selection criteria – Time period included, minimum number of patient records, type of patient records (such as by inpatient, outpatient, diagnosis, procedure, drug use, or other criteria.)
  • Date the recipient requires the de-identified information.
  • A statement assuring the recipient will not give, sell, loan, show or disseminate the de-identified information to any other parties without the express written permission of the facility.
  • A statement assuring the recipient will not link the facility de-identified data to any other data the recipient may have access to, where the linked data identifies individual patients. For example, linking de-identified data from the facility with publicly available census data and the linking reveals the identity of individual patients.
  • A statement assuring the recipient will not contact any patient, or their relatives, employers, or other household members that may accidentally be identified by the recipient.
     

(See Attachment A – Request for De-identified Information for a form the facility may use for implementing this policy.)
4.3 The request for de-identified information must be reviewed, approved or denied by the appropriate facility personnel designated by the facility.
4.4 Requests for de-identified information may be denied if:
  • The facility cannot de-identify the PHI,
  • The requestor refuses to agree to required statements on the request form,
  • The recipient refuses to compensate the facility for generating the de-identified information, or
  • It is an imposition to the operations of the facility.
4.5 The LSUHSC-NO Privacy Officer shall approve requests for creating the de-identified information.
4.6 The designated facility personnel must use one of the approved methods for de-identifying PHI. The de-identified information must be accompanied by a statement certifying that either:
  • The risk is very small that the information could be used, either by itself or in combination with other reasonably available information, by anticipated recipients to identify a subject of the information; or
  • All identifiers of the patient, or relatives, employers, or household members of the patient, are removed, and
  • The facility does not have actual knowledge that the de-identified information could be used alone or in combination with other reasonably available information to identify an individual who is subject of the information.
4.7 The de-identified information will be delivered to the approved recipient upon approval of the Privacy Officer.
4.8 Fee Schedule
 
4.8.1 The requestor of de-identified information may be asked to compensate the facility for resource expenditures related to the request.
4.8.2 The facility may establish a fee schedule to compensate for the use of facilities, personnel time, supplies, software, hardware or other equipment for:
  • Reviewing requests for de-identified information (Application Fee).
  • Generating the de-identified information.
  • Re-identifying de-identified information.
  • Other specified activities related to the request for de-identified information.

REFERENCES:

45 C.F.R. § 164.514(a)(b) and (c)
Disclaimer © 2008 LSUHSC Privacy Policy