HIPAA Identifiers: Anonymizing Data
Protected Health Information (PHI) is considered "Restricted" according to the Stanford Data Classification Guidelines. Falling under the definition of PHI is any information that can be used to identify an individual, which personally relates to their past, present, or future health. This information must be encrypted by law, and must be stored only in encrypted form, and transmitted only through secure means. However, in the case of research data for publication, PHI can be anonymized such that it is no longer considered "protected", and can therefore be released without harm. You can anonymize such data by removing all 18 HIPAA identifiers:
- Names
- Geographic subdivisions smaller than a state (except the first three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000)
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death and all ages over 89 and all elements of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or older)
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier).
For more about HIPAA and Stanford's policies, visit the HIPAA home page: hipaa.stanford.edu.
Also helpful:
HIPAA Contacts Katherine Georger, Privacy Program Manager of the University Privacy Office, kgeorger@stanford.edu, 650-736-8659.
HIPAA Policies (http://hipaa.stanford.edu/policy.html) -- Outlines both privacy policies, (definitiions and outlines and rules about privacy and information use and disclosure), and security policies (networking security, disaster preparedness, facility security, and guidelines for handling PHI).