UAMS ADMINISTRATIVE GUIDE
|SUBJECT:||DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND LIMITED DATA SET INFORMATION|
To inform the UAMS workforce about the procedures for de-identification of Protected Health Information (PHI) and limited data sets.
Data Use Agreement means a written agreement between UAMS and a recipient of Limited Data Set information which establishes the permitted uses and disclosures of such information and certain administrative safeguards to protect the information. The standard UAMS Data Use Agreement is attached to the UAMS Research Policy, 3.1.27.
Disclosure means the release, transfer, provision of access to, or divulging of information in any manner (verbally or in writing) by UAMS to persons who are not UAMS employees or students, or to any other person or entity OUTSIDE of UAMS.
Healthcare Operations is defined by the HIPAA regulations under 45 C.F.R. § 164.501 and is incorporated herein by reference, and includes the following:
Limited Data Set means Protected Health Information that excludes the following information about the patient and about relatives, employers, or household members of the patient:
Protected Health Information (PHI) means information that is part of an individual’s health information that identifies the individual or there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual. This includes PHI which is recorded or transmitted in any form or medium (verbally, or in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.
UAMS Workforce means for purposes of this Policy, physicians, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UAMS, are under the direct control of UAMS, whether or not they are paid by UAMS.
UAMS may use Protected Health Information (PHI) to create De-Identified PHI. UAMS may disclose PHI to a Business Associate with whom UAMS has a Business Associate Agreement to create De-Identified PHI. De-Identified information may be disclosed to others, as long as the information is de-identified in accordance with this Policy and is in accordance with official and authorized UAMS business practices. UAMS will determine that PHI has been De-Identified in accordance with the Procedures set forth in this Policy and consistent with the HIPAA regulations. This Policy is not intended to address De-Identified information that may be subject to IRB regulations or other applicable laws or UAMS policies.
UAMS may determine that information about a patient has been “de-identified” so that the information is NOT individually identifiable health information, only if:
A person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information and documents the methods and results of the analysis that justify the determination; or
B. Geographic subdivisions smaller than a state
C. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older;
D. Telephone and Fax numbers
E. E-Mail, IP, and URL addresses
F. Social Security Numbers
G. Medical Record Numbers
H. Health Plan Beneficiary Numbers
I. Account Numbers
J. Certificate/license Numbers
K. Vehicle Identifiers and Serial Numbers, including license plate numbers
L. Device Identifiers & Serial Numbers
M. Biometric Identifiers, including finger and voice prints
N. Full Face or other comparable photographic images
O. Any other unique identifying number, characteristic, or code
A. For the purposes of research; or
B. For the purposes of public health activities (not already allowed under HIPAA and the UAMS Use and Disclosure Policy), such as disease registries maintained by UAMS, private organizations, other universities, or other types of studies undertaken by the private sector or nonprofit organizations for public health purposes); or
C. For the purposes of UAMS Health Care Operations as defined in this Policy and under the HIPAA regulations.
UAMS Use and Disclosure of PHI and Medical Records Policy, 3.1.28
START HERE—DE IDENTIFICATION FLOW CHART (pdf format)
SIGNATURE: ________________________________ DATE: _________________________