Sometimes an individual's health information and data are important for comparative effectiveness studies, research, policy assessments, and other uses. However, the HIPAA Privacy Rule prohibits the use of PHI without authorization by the individual. Therefore, the health information must be de-identified before it is used. De-identified patient information is no longer considered PHI. For the information to be de-identified, all identifiers of the individual, or of relatives, employers, or household members of the individual, must be removed. These include [6]:
- Names
- Geographic subdivisions smaller than a state
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all specific ages over 89 (it is acceptable to aggregate into a single category of "age 90 or older")
- Telephone and fax numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Email and web addresses (URLs)
- Social security numbers
- Medical record numbers
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code (unless it is a code issued by the health care facility to re-identify information that was de-identified for a specific purpose)
- Certificate/license numbers
Note: Health information continues to be protected, even when the individual is deceased. The HIPAA Privacy Rule continues to protect individually identifiable health information about a decedent for 50 years following the date of death. [7]
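
The removal rules in the list above, applied to a structured record, as an added example that is not part of the original page. The field names are hypothetical; the function keeps an allowlist so that any field it does not recognize is dropped, and it also withholds the birth year when the age is over 89, because the Safe Harbor provision treats date elements indicative of such an age, year included, as identifiers.

```python
from datetime import date

# Hypothetical field names for a flat patient record; not from the original page.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")
# Allowlist: anything not named here is dropped, so an unexpected identifier
# (the list's "any other unique identifying number") fails closed.
KEEP_AS_IS = {"state", "sex", "diagnosis_code"}
AGE_CAP = 89  # ages above this are reported only as one aggregate category


def deidentify(record: dict) -> dict:
    """Return a new record with identifiers removed and dates reduced to year."""
    out = {k: v for k, v in record.items() if k in KEEP_AS_IS}

    # Use the stated age if present, else derive it from birth and admission.
    age = record.get("age")
    birth, admit = record.get("birth_date"), record.get("admission_date")
    if age is None and birth and admit:
        had_birthday = (admit.month, admit.day) >= (birth.month, birth.day)
        age = admit.year - birth.year - (0 if had_birthday else 1)
    over_cap = age is not None and age > AGE_CAP
    if age is not None:
        out["age"] = "90 or older" if over_cap else age

    for field in DATE_FIELDS:
        value = record.get(field)
        # A birth year next to an admission year would reveal the exact age,
        # so it is withheld whenever the age falls in the aggregate category.
        if value is None or (field == "birth_date" and over_cap):
            continue
        out[field.replace("_date", "_year")] = value.year
    return out


# Constructed sample record (all values invented for this example).
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jane@example.test", "zip": "00000", "city": "Springfield",
    "state": "IL", "sex": "F", "diagnosis_code": "I10", "insurance_ref": "X-42",
    "birth_date": date(1931, 3, 14), "admission_date": date(2023, 6, 2),
    "discharge_date": date(2023, 6, 9),
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Free-text fields such as clinical notes are dropped here because they are not on the allowlist; they can carry any of the listed identifiers and would need separate review before being retained.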