PARTNERS HUMAN RESEARCH COMMITTEE
116 Huntington Ave, Suite 1002. Boston, MA 02116
Tel: 617-424-4100, Fax: 617-424-4199

Partners_Logo

 

HIPAA Privacy Rule and Research with De-identified Information (Section 164.514)

The Privacy Rule does not cover de-identified information. De-identified is generally defined under the Privacy Rule as information (1) that does not identify the individual and (2) for which there is no reasonable basis to believe the individual can be identified from it.

The Privacy Rule specifies two ways in which information can be de-identified:

  1. A person with appropriate expertise can render information "not identifiable" if s/he can determine that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual. AND, this same person must document the methods and results of the analysis that justify this determination.

  2. Alternatively, the following identifiers of the individual and his/her relatives, employers or household members must be removed or coded:

    (1) Names
    (2) All geographic subdivisions smaller than a State, including: street, city, county, precinct, zip code - the first three digits of the zip code can be used if this geocode includes more than 20,000 people. If such geocode is less than 20,000 persons, "000" must be used as the zip code.
    (3) All elements of dates (except year) related to an individual, including birth date, admission date, discharge date, date of death. For individuals > 89 years of age, year of birth cannot be used - all elements must be aggregated into a category of 90 and older.
    (4) Telephone numbers
    (5) FAX numbers
    (6) Electronic mail addresses
    (7) SSN
    (8) Medical record numbers
    (9) Health plan beneficiary numbers
    (10) Account numbers
    (11) Certificate/license numbers
    (12) Vehicle identifiers and serial numbers, including license plates
    (13) Device identifiers and serial numbers
    (14) Web universal resource locators (URLs)
    (15) Internet protocol (IP) address
    (16) Biometric identifiers, including finger and voice prints
    (17) Full face photos, and comparable images
    (18) Any unique identifying number, characteristic or code and

There is no actual knowledge that the information could be used alone or in combination with other information to identify the individual.

Note that the Common Rule (45 CFR 46) and the Privacy Rule differ in what is considered identifiable information.

  • The Common Rule covers both directly and indirectly identifiable information, (coded information is covered as indirectly identifiable information)
  • The Privacy Rule covers only directly identifiable health information (including the identifiers noted above). The Privacy Rule does not cover coded information, but it does cover the code itself.

Hence, if identifiable information is separated from data through the use of a code, then

  1. research must still be submitted to the IRB since the data are considered indirectly identifiable and thus subject to the Common Rule;
  2. the institution or researcher holding the code is additionally subject to the Privacy Rule, since s/he has access to the identifiers; but
  3. anyone who does not have access to the code (e.g., outside researchers) generally is not subject to the Privacy Rule. Note that under the Common Rule, data can only be considered anonymized through the permanent destruction of a code or other link.

The Partners Human Research Committee should receive all protocols involving directly or indirectly identifiable information for review under the Common Rule and Privacy Rule as appropriate. If the protocol involves anonymized data, it also should be submitted for a determination of exemption from the Common Rule.

Please see also the PHRC policy on limited data sets - this is an alternative approach for the use and disclosure of a subset of protected health information for research, health care operations and public health purposes.