De-Identified Information
The Privacy Rule does not apply to information that has been “de-identified” so that there is no reasonable basis to believe that the information could be used to identify an individual. To guide covered entities in creating de-identified information, the Privacy Rule provides a “safe harbor,” which is a procedure a covered entity may use to create information that is presumptively de-identified. To create de-identified information under the safe harbor, the covered entity must remove from the data the following 18 identifiers for the individual and his / her employer, relatives, and household members:
- Names
- Address (street, city, county, precinct, zip code, initial 3 digits if geographic unit contains fewer than 20,000 people, or any other geographical codes)
- Telephone number
- Fax number
- Social Security numbers
- Medical record numbers
- Dates (except for years) connected to subjects, including birth date, admission date, discharge date, date of death, ages greater than 89 and all elements of dates indicative of such age (except that such ages and elements may be aggregated into a category, “Age greater than 90”)
- Email addresses
- Health Plan Beneficiary numbers
- Account numbers
- Certificate / license numbers
- Vehicle identifiers and serial numbers (VINs, license plate numbers)
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric Identifiers (finger or voice prints)
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code.
Even with all 18 identifiers removed, the covered entity may not treat the data as de-identified if it knows that the remaining data could be used, alone or in combination with other information, to identify an individual.
Note: This standard for “de-identification” is different from the standard commonly applied by UCAIHS and other IRBs under the Common Rule.