DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)


PRIVACY 8.0 DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION (PHI)

Scope: All workforce members (employees and non-employees), including employed medical staff, management, and others who have direct or indirect access to patient protected health information (PHI) created, held or maintained by any subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, "UHS"), including UHS covered entities ("Facilities").

Purpose: To provide a specific policy and procedures for the de-identification of PHI and the uses and disclosures of de-identified health information, in accordance with HIPAA.

Definitions: Terms not defined in this Policy or the HIPAA Terms and Definitions maintained by the UHS Compliance Office will have the meaning as defined in any related State or Federal privacy law including the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and regulations promulgated thereunder by the U.S. Department of Health and Human Services ("HHS") at 45 CFR Part 160 and 164, Subparts A and E ("Privacy Regulations" or "Privacy Rule") and Subparts A and C ("Security Regulations" or "Security Rule"), the Health Information Technology for Economic and Clinical Health Act ("HITECH") privacy and security provisions of the American Recovery and Reinvestment Act (Stimulus Act) for Long Term Care, Public Law 111-5, the American Recovery and Reinvestment Act of 2009 ("ARRA"), Title XIII and related regulations.

Policy: Facilities may use and disclose de-identified health information as long as the code or other means of identification designed to permit re-identification is not disclosed. Facilities may use PHI to create de-identified health information. Facilities may also disclose PHI to a business associate that will de-identify PHI on behalf of the Facilities. If de-identified health information is re-identified, its use and disclosure is subject to regulation under HIPAA.
Procedure:

De-Identifying PHI

PHI can be de-identified by using one of the two methods listed below:

1. All of the following identifiers of the patient or of the relatives, employers, or household members of the patient are removed (and, in addition, the Facility must not have actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual):

   - Names
   - Geographic subdivision, such as street address, city, county, and zip code. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and, if it has fewer than 20,000 people, the zip code is changed to 000 (example, for the zip code 73069, all areas using the zip code beginning with 730 have more than 20,000 in the aggregate)
   - All elements of dates (except year) for dates directly related to the patient, including birth date, admission date, discharge date, date of death; all ages over 89; and all elements of dates (including year) indicative of such age
   - Telephone numbers
   - Fax numbers
   - E-mail addresses
   - Social Security Numbers
   - Medical record numbers
   - Health plan beneficiary numbers
   - Account numbers
   - Certificate/license numbers
   - Vehicle identifiers, serial numbers, license plate numbers
   - Device identifiers and serial numbers
   - Web Universal Resource Locators (URLs)
   - Internet Protocol (IP) address numbers
   - Biometric identifiers, including fingerprints and voiceprints
   - Full face photographic images and other comparable images
   - All other unique identifying numbers, characteristics, or codes

2. Alternatively, a biostatistician or other person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable must apply such principles and methods and determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual who is the subject of the information.

   The person making this determination must be an independent third party and must provide written documentation of the methods and results of the analysis that justify a determination that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. The documentation should be filed with the original copies of the information in a secure location. If the information is in electronic form or consists of biological materials, the documentation should be filed in the Facility's files in a secure location.

It is the responsibility of the Facility to assure that all identifiers are removed in accordance with the De-Identification Checklist (attached to this Policy as Exhibit A).

Unless de-identifying material permanently for archival purposes, an un-redacted version of the information should be maintained at all times. Information on paper should therefore be copied BEFORE it is redacted, and ONLY THE COPIES should be redacted. Likewise, the original retained version of electronic information and information in other media should not be redacted in any permanent way.

Uses and Disclosures to Create De-Identified PHI

A Facility may use PHI to create information that is not individually identifiable health information or disclose PHI only to a business associate for such purpose, whether or not the de-identified information is to be used by the Facility.

Re-Identification

The Facility may assign a code or other means of record identification to allow de-identified health information to be re-identified, provided that:

   - The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
   - The code and/or mechanism for re-identification is not used or disclosed for any other purpose.

If de-identified health information is re-identified, such re-identified information is PHI and may be used or disclosed only as permitted or required by HIPAA and UHS and Facility policies.

References:
45 C.F.R. 164.502(d)
45 C.F.R. 164.514(a)

Related UHS Privacy Policies:
UHS Privacy 24.0 Overview of the Uses and Disclosures of PHI

Revision Dates: 10-12-2017; 11-16-2015; 07-22-2013
Implementation Date: 07-25-2011
Reviewed and Approved by: UHS Compliance Committee

Exhibit A: De-Identification Checklist

[ ] Names
[ ] All geographic subdivisions smaller than a State, including:
      - street address
      - city
      - county
      - precinct
      - zip codes and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
[ ] All elements of dates (except year) for dates directly related to an individual including:
      - birth date
      - admission date
      - discharge date
      - date of death
    All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
[ ] Telephone numbers
[ ] Fax numbers
[ ] E-mail addresses
[ ] Social Security numbers
[ ] Medical record numbers
[ ] Health plan beneficiary numbers
[ ] Account numbers
[ ] Certificate/license numbers
[ ] Vehicle identifiers and serial numbers, including license plate numbers
[ ] Device identifiers and serial numbers
[ ] Web Universal Resource Locators (URLs)
[ ] Internet Protocol (IP) address numbers
[ ] Biometric identifiers, including finger and voice prints
[ ] Full face photographic images and any comparable images
[ ] Any other unique identifying numbers, characteristics, or codes, except a code or other means of record identification assigned solely to allow de-identified information to be re-identified (as long as the code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and the code and/or mechanism for re-identification is not used or disclosed for any other purpose.)

I certify that the information I will use and/or disclose contains none of the above identifiers and that I have no actual knowledge that the information could, alone or in combination, be used to identify any individual subject of the information.

Print Name
Signature
Date
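
The zip code, date and age rules from the checklist, together with the Re-Identification condition that the code not be derived from information about the individual, applied to one structured record. This is an added example, not part of the UHS policy; the field names, the population table and the sample record are constructed assumptions, and free text, images and biometric data are outside what it handles.

```python
import secrets
from datetime import date

# Constructed sample figures, NOT Census data: population per 3-digit ZIP prefix.
ZIP3_POPULATION = {"730": 250_000, "999": 4_200}

# Hypothetical field names for checklist identifiers that are removed outright.
DIRECT_IDENTIFIERS = {"name", "street", "city", "county", "phone", "fax", "email",
                      "ssn", "mrn", "plan_id", "account", "license", "vehicle",
                      "device", "url", "ip"}
DATE_FIELDS = ("admission_date", "discharge_date", "death_date")

def safe_zip3(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that area has more than 20,000 people."""
    prefix = str(zip_code)[:3]
    # Prefixes missing from the table fail closed to "000".
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def age_category(birth, as_of):
    """Whole years of age; every age over 89 collapses into the single '90+' category."""
    years = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if years > 89 else str(years)

def deidentify(record, as_of, key_table):
    """Return a de-identified copy of record; the original is never modified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = safe_zip3(out.pop("zip"))
    birth = out.pop("birth_date")
    out["age"] = age_category(birth, as_of)
    # A birth year would reveal an age over 89, so it is withheld in that case.
    out["birth_year"] = None if out["age"] == "90+" else birth.year
    for field in DATE_FIELDS:
        if out.get(field) is not None:
            out[field] = out[field].year  # keep the year, drop month and day
    code = secrets.token_hex(16)      # random: not derived from anything about the patient
    key_table[code] = record["mrn"]   # re-identification key is stored apart, never disclosed
    out["record_code"] = code
    return out

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
          "zip": "73069", "birth_date": date(1930, 3, 15),
          "admission_date": date(2023, 11, 2), "discharge_date": date(2023, 11, 9),
          "diagnosis": "J18.9"}

if __name__ == "__main__":
    keys = {}
    print(deidentify(SAMPLE, date(2024, 1, 1), keys))
```

The function works on a copy, which matches the policy's requirement that the un-redacted original be retained; `key_table` must be stored separately from any disclosed data set.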