De-Indentified Information

The Privacy Rule does not apply to information that has been “de-identified,” so there is no reasonable basis to believe that the information could be used to identify an individual. To guide covered entities in creating de-identified information, the Privacy Rule provides a “safe harbor,” which is a procedure a covered entity may use to create information that is presumptively de-identified. To create de-identified information under the safe harbor, the covered entity must remove from the data the following 18 identifiers for the individual and his / her employer, relatives, and household members:

Even with all 18 identifiers removed, the covered entity may not treat the data as de-identified if it knows that the remaining data could be used, alone or in combination with other information, to identify an individual.

Note: This standard for “de-identification” is different from the standard commonly applied by UCAIHS and other IRBs under the Common Rule.