We all learned about deidentifying clients in our grad school Ethics classes. It’s generally acceptable to discuss a client’s case with a colleague when we deidentify the client. HIPAA sees it the same way: deidentified information is not Protected Health Information, and is therefore not covered by HIPAA.
Fortunately, the HIPAA Privacy Rule has a safe harbor method for deidentifying information. Because it’s a safe harbor, you can consider any information about a client to be deidentified if you are able to remove all 18 of the identifiers on the list below. Take a look at it.
The Safe Harbor Method of Deidentification’s Identifiers List. Lifted Directly From the HIPAA Privacy Rule (45 CFR §164.514)
Except for my notes in italics, the following text is lifted directly from HIPAA’s Privacy Rule.
- Names
A client’s initials are considered to be identifying for the purposes of determining if a given piece of information is PHI under HIPAA, because they are derived from names. Even though most people couldn’t identify a client from just their initials, some people can. The same can be said of using only a client’s first name or last name. This doesn’t mean that using client initials instead of their full names isn’t helpful. It just isn’t deidentifying.
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
This is a tight restriction. Note that the street a client lives on is seen as identifying. Be thoughtful about where you keep any of the information about client addresses.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
Any kind of date you keep regarding a client is personally identifying. The only exception is the year portion of a date, and even the year is identifying when it would reveal that a client is 90 years or older.
- Telephone numbers
Remember that any text message you exchange with a client contains their phone number.
- Fax numbers
- Electronic mail addresses (email addresses)
Remember that any email you exchange with a client contains their email address.
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs) [web addresses]
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
Do you do play therapy? Do you ever have photos of children with their creations or photos the children take themselves that may include purposeful or inadvertent “selfies”?
- Any other unique identifying number, characteristic, or code, except as permitted by HIPAA
You can see that the list is extensive. For nearly all clinical practitioners, deidentifying client information is not a feasible way of keeping it secure in our practices. Even if we leave all identifiers out of emails and texts, for example, the email address or phone number attached to the message is seen as identifying the client who sent or received it.
This method of deidentification is primarily intended for people who wish to use health information in research or for marketing purposes, and who don’t need to know anything identifying about the people who received the health care.
It does have one very useful purpose for clinicians, however: it tells us what HIPAA considers to be identifying. So when we’re trying to get an idea of where we keep PHI in our practices, or how much PHI a third-party service may be handling on our behalf, this list can be a useful guide for determining what information we need to regard as identifying.
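As an added example (not part of the original post), a small Python helper that applies the safe harbor rules from the list above: the three-digit zip code reduction with its 20,000-person threshold, the "90 or older" age category, the year-only date rule, and a scan of free text for the identifiers that ride along in emails and text messages. The zip code population table and the sample note are constructed for the example; real population figures come from the Census Bureau.

```python
import re
from datetime import date

# Constructed lookup for the zip code rule: population of the area sharing
# the first three zip digits. These figures are invented for the example;
# the rule requires the current Census Bureau data.
ZIP3_POPULATION = {"021": 1_500_000, "036": 15_000}

# Identifiers from the list that commonly appear as plain text in notes,
# emails and text messages. Patterns are deliberately simple.
PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "telephone number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits only if that area has more than 20,000 people; else 000."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90 or older'."""
    return "90 or older" if age > 89 else str(age)

def safe_harbor_date(iso_date: str) -> str:
    """Only the year of a date directly related to an individual may be kept."""
    return str(date.fromisoformat(iso_date).year)

def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Report each listed identifier found in free text, with the matched value."""
    hits = []
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((label, match.group(0)))
    return hits

# Constructed sample note: a clinician's log line about a client contact.
SAMPLE_NOTE = ("Client texted from 617-555-0142 and emailed jdoe@example.org "
               "on 03/14/2024; portal login came from 203.0.113.7.")

if __name__ == "__main__":
    for label, value in find_identifiers(SAMPLE_NOTE):
        print(f"{label}: {value}")
    print(safe_harbor_zip("02134"), safe_harbor_zip("03601"), safe_harbor_age(92))
```

Even with every identifier stripped from the body of a note, the scan shows why the author says the phone number or email address carried by the message itself still makes it PHI.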