What is protected health information subject to the HIPAA privacy rules?
It’s something as simple as a complete date, such as Jan. 1, 2009, the HHS Office of Civil Rights (OCR) says in new guidance on HIPAA compliance. That covers the “day, month, and any other information that is more specific than the year of an event,” the guidance states. However, January 1, 2009, for example, could be reported in a de-identified data set as “2009”.
Concealment of a patient’s age in medical records is even more complicated. “Ages that are explicitly stated, or implied, as over 89 years old must be recorded as 90 or above,” the new guidance states. “If the patient’s year of birth is 1910 and the year of healthcare service is reported as 2010, then . . . the year of birth should be reported as ‘on or before 1920.’ Otherwise, a recipient of the data set would learn that the age of the patient is approximately 100.”
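The date and age rules quoted above can be expressed as a small transformation. The following is an added example, not code from the guidance or from this article; the record field names (`service_date`, `birth_date`, `age`) are hypothetical and the sample record is constructed. It covers only dates and ages, not names or the “actual knowledge” test.

```python
from datetime import date

AGE_CAP = 90  # ages stated or implied as over 89 are recorded as "90 or above"


def generalize_date(d: date) -> str:
    """Drop day and month; only the year of an event may be reported."""
    return str(d.year)


def report_age(age: int) -> str:
    """Top-code explicitly stated ages over 89."""
    return "90 or above" if age >= AGE_CAP else str(age)


def report_birth_year(birth_year: int, service_year: int) -> str:
    """Top-code a birth year that would imply an age over 89.

    With a service year of 2010 the cutoff is 1920, so a 1910 birth year
    is reported as "on or before 1920", matching the guidance's example.
    """
    cutoff = service_year - AGE_CAP
    if birth_year <= cutoff:
        return f"on or before {cutoff}"
    return str(birth_year)


def deidentify(record: dict) -> dict:
    """Apply the date and age rules to one record (hypothetical field names)."""
    service = record["service_date"]
    out = {"service_year": generalize_date(service)}
    if "birth_date" in record:
        out["birth_year"] = report_birth_year(record["birth_date"].year, service.year)
    if "age" in record:
        out["age"] = report_age(record["age"])
    return out


if __name__ == "__main__":
    # Constructed sample record mirroring the guidance's 1910/2010 example.
    sample = {"service_date": date(2010, 6, 15),
              "birth_date": date(1910, 3, 2),
              "age": 100}
    print(deidentify(sample))
```

Note that the birth year must be checked against the service year: reporting “1910” alongside “2010” would reveal the age even if the age field itself were top-coded.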
On the other hand, it isn’t necessary to suppress all personal names in records, such as those of physicians. Only names of individuals who are the subjects of the health records in question and of their relatives, employers, and household members must be suppressed, the guidance states. However, the provider would need to consider whether additional personal names contained in the data should be suppressed because of other laws or confidentiality concerns, OCR cautions.
One such concern is “‘actual knowledge’ that the remaining information could be used either alone or in combination with other information to identify an individual who is a subject of the information,” the guidance notes. To illustrate “actual knowledge,” the guidance offers the hypothetical example of a patient listed in a record as “former president of the State University.” In combination with almost any additional data – like age or state of residence – this information “would clearly lead to an identification of the patient,” OCR says.