De-Identification of PHI under HIPAA - Follow the Guidance to Avoid Penalties

December 18, 2020 - CA US


Overview: Today health information needs to be shared more than ever, but how can that be done most easily within the limits of HIPAA? One way is to de-identify the information. Once PHI has been de-identified, it is no longer protected under HIPAA and may be shared freely without limitation. The problem is that it is not easy to truly de-identify information, and if it is not done correctly, sharing the information may be considered a breach that requires reporting to HHS and may lead to penalties and corrective action plans. De-identification of Protected Health Information requires removing all eighteen of the listed identifiers, as well as anything else that might be used to identify the individual the information is about. Alternatively, you can have an expert certify that the information is not identifiable. But neither of these approaches is foolproof: you need to look more closely to be sure the data cannot be re-identified. You may wish to communicate with another provider, or with an agency that is not covered under HIPAA, using plain e-mail, stripping out the name and using a code that both parties understand. Is that sufficient to allow the use of plain e-mail? You need to run through some examples and some tests to make sure before you go ahead.

