Medicare Compliance & Reimbursement

Reader Questions:

Recognize the 2 Standards for De-Identifying PHI

Question: We are having a debate in our practice over what actually constitutes protected health information (PHI) — and what de-identification means. One person even suggested that a URL for a website is considered PHI under HIPAA. Is that true?

Missouri Subscriber

Answer: Remember that PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminds the HHS Office for Civil Rights (OCR) in its HIPAA Privacy Rule guidance.

Next, let’s address the de-identification of PHI. When data can no longer be used to identify an individual, it’s considered de-identified, OCR maintains. “De-identified health information neither identifies nor provides a reasonable basis to identify an individual,” and it has often passed two major HIPAA hurdles, OCR says. In fact, Section 164.514(b) of the HIPAA Privacy Rule offers two de-identification methods: expert determination and safe harbor.

Under the expert determination method, a “qualified statistician” verifies the data using statistical or scientific knowledge, ensuring all “specified identifiers” have been removed, including employer and family information. The covered entity (CE) then determines the material stripped of identifiable PHI.

There are 18 items that the HIPAA Privacy Rule pinpoints as PHI identifiers, and the safe harbor method simply removes that data so that “no actual residual information can identify the individual,” the provision states.

Here’s the list of 18 PHI identifiers to look for:

  1. Name
  2. Address
  3. Birthdate and other corresponding dates of admission, discharge, death, etc.
  4. Landline and cellphone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number (i.e. Medicare Beneficiary Identifier)
  10. Account number
  11. State identification or license number
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses
  16. Biometric identifiers like finger or voice prints
  17. Photo or image of patient, specifically the face
  18. Any other unique code, characteristic, image, or number that identifies the individual

So yes, your co-worker is correct — a URL for a webpage is considered PHI.

Reminder: If one of these 18 identifiers is included in a chat, email, social media post, text or direct message, or any other kind of communication, you are revealing “identifiable” information.

Resource: Review more details on this HIPAA provision and ideas on how best to safeguard PHI without losing data necessary for treatment at www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.