We all learned about deidentifying clients in our grad school Ethics classes. It’s generally acceptable to discuss a client’s case with a colleague when we deidentify the client. HIPAA sees it the same way: deidentified information is not Protected Health Information, and is therefore not covered by HIPAA.
Fortunately, the HIPAA Privacy Rule has a safe harbor method for deidentifying information. Because it’s a safe harbor, you can consider any information about a client to be deidentified if you are able to remove all 18 of the identifiers on the list below. Take a look at it.
The Safe Harbor Method of Deidentification’s Identifiers List. Lifted Directly From the HIPAA Privacy Rule (45 CFR §164.514)
Except for my notes in italics, the following text is lifted directly from HIPAA’s Privacy Rule.
- Names
*A client’s initials are considered to be identifying for the purposes of determining if a given piece of information is PHI under HIPAA, because they are derived from names. Even though most people couldn’t identify a client from just their initials, some people can. The same can be said of using only a client’s first name or last name. This doesn’t mean that using client initials instead of their full names isn’t helpful. It just isn’t deidentifying.*
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
*This is a tight restriction. Note that the street a client lives on is seen as identifying. Be thoughtful about where you keep any of the information about client addresses.*
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
*Any kind of date you keep regarding a client is personally identifying. The exception is the year portion of a date, except when you’re talking about the birth dates of people 90 years or older.*
- Telephone numbers
*Remember that any text message you exchange with a client contains their phone number.*
- Fax numbers
- Electronic mail addresses (email addresses)
*Remember that any email you exchange with a client contains their email address.*
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs) [web addresses]
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
*Do you do play therapy? Do you ever have photos of children with their creations or photos the children take themselves that may include purposeful or inadvertent “selfies”?*
- Any other unique identifying number, characteristic, or code, except as permitted by HIPAA
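To make the list concrete, here is an added example (not code from the article or from HIPAA) that applies the Safe Harbor rules above to a single client record: direct identifiers are dropped, a zip code is reduced to its first three digits or to 000, dates are reduced to their year, and ages over 89 collapse into “90 or older” (with the birth year dropped as well, since it indicates that age). It also scans free text, such as a note or email body, for identifiers that slip through. The field names, the sample record, the reference date, and the set of small-population zip prefixes are all constructed for illustration; the real zip prefix set must come from current Census Bureau data, and the text patterns are deliberately simple.

```python
import re
from datetime import date

# Constructed sample. The real set is every three-digit zip prefix whose
# combined population is 20,000 or fewer according to current Census data.
SMALL_POPULATION_ZIP3 = frozenset({"036", "059"})

# Record fields holding identifiers that Safe Harbor removes outright.
# The field names are an assumption about the record layout.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "initials", "street", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "license_plate", "device_serial", "url", "ip_address",
    "fingerprint", "voice_print", "photo",
})


def generalize_zip(zip_code, small_population_zip3=SMALL_POPULATION_ZIP3):
    """Keep the first three digits only if their area has more than 20,000 people."""
    zip3 = str(zip_code).strip()[:3]
    if len(zip3) != 3 or not zip3.isdigit():
        return "000"  # unparseable input is treated as restricted
    return "000" if zip3 in small_population_zip3 else zip3


def generalize_age(age):
    """Ages over 89 collapse into the single category '90 or older'."""
    return "90 or older" if age > 89 else age


def generalize_date(value):
    """Strip every element of a date except the year."""
    return value.year


def deidentify(record, as_of, small_population_zip3=SMALL_POPULATION_ZIP3):
    """Return a copy of record with the Safe Harbor identifiers removed or generalized.

    as_of is the date used to compute the client's age from birth_date.
    """
    out = {}
    age = None
    birth = record.get("birth_date")
    if birth is not None:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value, small_population_zip3)
        elif key == "birth_date":
            if age is not None and age > 89:
                continue  # a birth year alone reveals an age of 90 or older
            out["birth_year"] = generalize_date(value)
        elif key.endswith("_date") and isinstance(value, date):
            out[key[: -len("_date")] + "_year"] = generalize_date(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = generalize_age(age)
    return out


# Simplified patterns for identifiers that leak through free text.
TEXT_IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def find_identifiers_in_text(text):
    """Return the kinds of identifiers found in free text, sorted by name."""
    return sorted(kind for kind, pat in TEXT_IDENTIFIER_PATTERNS.items() if pat.search(text))


# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "initials": "JQS",
    "street": "12 Example Lane",
    "city": "Anytown",
    "zip": "03601",
    "birth_date": date(1931, 5, 4),
    "admission_date": date(2023, 2, 10),
    "phone": "503-555-0100",
    "email": "jane@example.com",
    "device_serial": "HM-000123",
    "diagnosis_code": "F41.1",
}
AS_OF = date(2023, 6, 1)  # constructed reference date for the age calculation

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(find_identifiers_in_text("Call back at 503-555-0100 or jane@example.com on 2/10/23"))
```

Note that even the deidentified output keeps a zip prefix of 000 rather than dropping the field, exactly as the rule prescribes, and that the text scan only reports the kinds of identifiers it found; a practitioner would treat any hit as a reason to move the message into a system that may hold PHI rather than try to scrub it.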
Conclusions
You can see that the list is extensive. For nearly all clinical practitioners, deidentifying client information is not a feasible way of keeping it secure in our practices. Even if we leave all identifiers out of emails and texts, for example, the email address or phone number attached to the message is seen as identifying the client who sent or received it.
This method of deidentification is primarily intended for people who wish to use health information in research or for marketing purposes, and who don’t need to know anything identifying about the people who received the health care.
It does have one very useful purpose for clinicians, however: it tells us what HIPAA considers to be identifying. So when we’re trying to get an idea of where we keep PHI in our practices, or how much PHI a third-party service may be handling on our behalf, this list can be a useful guide for determining what information we need to regard as identifying.
Hi Roy,
I would love to have you come speak to my Ethics Class @ Pfeiffer University in Morrisville, NC. I thought I read somewhere you are local to us, relatively?
Can we possibly discuss an arrangement for this? I am reviewing the Standards in the AAMFT Code of Ethics, & your expertise in these matters would give the Students confidence!
Please feel free to contact me so we can speak. My email is below & my cell is xxx-xxx-xxxx.
Kind regards,
Dr. Victoria Winstead, PhD, LMFT
Well, that’s very kind of you to ask. :) Actually, I’m in Portland, OR. So it could be tough. But you might be thinking of Rob Reinhardt (https://tameyourpractice.com/). He is in Fuquay-Varina.
Hi Roy, thank you for all the helpful info you put out to keep us up to speed! Just a couple clarifying questions – 1) When sending Release of Information forms, if clients just have their name, signature and date and give the contact info for the entity they want information shared with, does this document need to be submitted securely or can it technically be emailed without it being secure to that entity? I’m just wondering if the name is considered protected health information when it is not listed with any clinical information. I’m working at a site where clinicians have various opinions on how to handle this. 2) The government’s website with the HIPAA Privacy Rule is incredibly confusing – do you have any suggestions for navigating this primary source? :)
Hi Kelly,
A completed ROI form is very much definitely a bolus of protected health information. At the risk of being overly frank, it sounds like some training is needed at the site where you’re working.
I don’t really have advice about navigating the OCR website. It’s most useful when you already know what you’re looking for. Our membership services, of course, offer depthful and regular help with the issues covered on that site.
Great info Roy! I love how you have distilled this down into a very user-friendly guide.
I’d add that with regard to content, we get a really useful (if not directly applicable) standard from In Re Peshek (Sup. Ct. WI, 2011). This was a Wisconsin attorney discipline case. In it, the Wisconsin Supreme Court ruled that the attorney had violated client confidentiality by blogging about a client even though the attorney had changed client names and other easily identifiable information. The court said that the information was not sufficiently deidentified if the clients could recognize themselves in the information.
This is an interesting rule of thumb for content deidentification.
Oh, that is definitely a useful case! As you said, it may not apply WRT HIPAA covered entities. But I can easily imagine the same argument the judge agreed with there being agreed with in a decision regarding a privacy breach under HIPAA.
Hi Roy. Thank you so much for making such an intimidating and complicated concern more accessible and understandable.
One item I’m a bit confused about is No. 13: Device identifiers and serial numbers. Not sure what numbers or how they would be used?
I doubt you or I would find use for that. But imagine a cardiologist who gives a client a Holter Monitor. The serial number on their specific monitor would be a piece of personally identifying information.