The Health Insurance Portability and Accountability Act (HIPAA) demands a clear de-identification policy from all health practitioners. Health records from hospitals tend to be collected and used for analysis. It is from these records that important data such as the spread of a disease, mortality rates, and other crucial health statistics are obtained. Before the data is handed over to the bodies responsible for analyzing it, it is first de-identified. De-identification is the process of removing a patient's personal information so that the bodies receiving the data cannot link it to a particular patient. For this to be possible, policies regarding the de-identification process have to be implemented.
Policy
Any type of information that points to one particular individual when used along with, or combined with, other pieces of information is regarded as patient information. HIPAA privacy rules require that information provided to outside bodies should not contain re-associate identifiers or patient identifiers. This makes the information consistent with HIPAA terms, and it can therefore be disclosed to a third party without necessarily having to acquire authorization from the patient.
Procedure
Out of the two main de-identification procedures, the safe harbor procedure is considered the most efficient one. The safe harbor method works to remove identifiers such as the employer, relative information, and household member information of an individual. Mixing policies from the two processes brings forth an efficient outcome. The following information should be removed during the de-identification process:
All names of individuals.
Any geographic location such as the street address, county, city, precinct, and their geocodes. Locations bigger than a state may be left.
Dates such as the date of birth, death date, discharge and admission dates, dates indicative of age, and any other date that relates to a person directly.
Vehicle registration numbers or serial numbers.
Email addresses.
Social security numbers.
Bank account numbers and statements.
Beneficiary numbers of the health plan.
URLs that link to profiles of patients.
Photographs of patients or images that can be compared to them.
License numbers.
If the information provided to a third party has been fully de-identified and one is sure that no means can be used to re-identify the patient, then the patient cannot complain about the disclosure, as it does not contravene HIPAA privacy rules. However, if the information can be re-identified, it goes back to being protected health information (PHI) and is said not to comply with HIPAA’s privacy rules. PHI is information that contains identifiers and can link a patient’s information to an individual.
Each health organization has complete responsibility for information about its patients. Regardless of the form, the organization is tasked with the responsibility of identifying whether or not the information provided to another entity or organization contains patient identifiers and whether or not the same information complies with HIPAA privacy rules. More attention must be paid to the free text fields in filled forms as the fields may contain personal information that may be easily overlooked.
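The removal list and the caution about free text fields can be combined in one pass over a record, as in the following added example (not part of the original text). The field names, the regular expressions, and the sample record are assumptions made for illustration; patterns only catch identifiers with a recognizable shape, so names written into free text still need separate review.

```python
import re

# Structured fields dropped outright. The field names are assumptions for this
# example, mapped to the identifier categories listed above.
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "geocode",
    "date_of_birth", "date_of_death", "admission_date", "discharge_date",
    "vehicle_registration", "email", "ssn", "bank_account",
    "health_plan_beneficiary_number", "profile_url", "photo", "license_number",
}

# Pattern-detectable identifiers that tend to hide in free-text fields.
FREE_TEXT_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "URL": re.compile(r"https?://\S+"),
    "DATE": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}

def scrub_text(text):
    """Replace pattern matches with a category tag; return (text, hit counts)."""
    hits = {}
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{label}]", text)
        if count:
            hits[label] = count
    return text, hits

def deidentify(record):
    """Drop identifier fields, scrub remaining strings, report what was found."""
    clean, report = {}, {"dropped": [], "free_text_hits": {}}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            report["dropped"].append(key)
        elif isinstance(value, str):
            clean[key], hits = scrub_text(value)
            if hits:
                report["free_text_hits"][key] = hits
        else:
            clean[key] = value
    return clean, report

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "state": "OH",
    "date_of_birth": "1980-02-14", "diagnosis_code": "J45.909",
    "notes": "Seen 03/12/2021. Contact jane@example.org or https://portal.example.org/p/1",
}
```

The report returned alongside the cleaned record shows which free text fields held identifiers, which is useful for deciding where manual review is needed before release.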