Section 3364-90-05 - De-identifiable and re-identifiable health information, limited data set and data use agreements(A) Policy statement The health insurance portability and accountability act of 1996 "HIPAA" permits disclosure of protected health information "PHI" that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual when removing identifiers from the data. A code may be assigned or other means of record identification to allow information de-identified to be re-identified. Limited data sets may be disclosed in accordance with a data use agreement for the purposes of approved research, education, public health or health care operations.
(B) Purpose of policy To assure that PHI is properly de-identified when used without patient authorization or re-identified as required in HIPAA, C.F.R. 164.514.
(C) Procedure (1) De-identification of protected health information. (a) Health information that does not identify an individual and with respect to which there is not reasonable basis to believe that the information can be used to identify an individual, is not considered individual identifiable health information.(b) De-identified records are not PHI and therefore are not protected by the privacy regulations. To the extent deidentified information can be used or disclosed in lieu of PHI, none of the complex requirements or the HIPAA laws apply.(c) Information can be de-identified by two methods: (i) Statistical approach Requires that a person with appropriate knowledge and experience of generally accepted statistical methods for rendering information not individually identifiable apply those methods or principles and determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information by an anticipated recipient to identify an individual who is the subject of the information. The expert must document the methods used and the results of the analysis.
(ii) Safe harbor approach (a) Requires that the following data elements identifying the individual (or relative, employers, or household members of the individual) be removed, provided the covered entity does not have actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual:(ii) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and equivalent codes. The first three digits of the zip code may be retained if certain conditions are met (i.e., the zip code area is not too sparsely populated).(iii) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety or older: (A) Telephone number (including cell numbers). (C) Electronic mail addresses.(D) Social security numbers.(E) Medical record numbers.(G) Health plan beneficiary numbers.(H) Certificate/license numbers. (i) Vehicle identifiers and serial numbers, including license plate numbers.(J) Device identifiers and serial numbers.(K) Web universal resource locators "URLs."(L) Internet protocol "IP" address numbers.(M) Biometric identifiers, including finger and voice prints.(N) Full face photographic images and any comparable images, and(O) Any unique identifying number, characteristic or code.(2) Re-identification Information may be re-identified, by a code or other means of record identification to allow information to be re-identified, provided that the code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated to identify the individual. The code may not be used or disclosed for any other purpose and must remain with the covered entity. The mechanism for re-identification may not be disclosed.
(3) Limited data set(a) The limited data set is protected health information that excludes the following direct identifiers of the individual, or of relatives, employers, or household members of the individual: Limited data requires that all of the following PHI identifiers be removed:
(ii) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, according to the current publicly available data from the bureau of the census.(iii) The initial three digits of a zip code for all such geographic units containing twenty thousand or fewer people is changed to 000.(iv) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety or older(v) Telephone numbers (including cell numbers).(vii) Electronic mail address.(viii) Social security number.(ix) Medical record number.(xi) Health plan beneficiary numbers.(xii) Certificate/license number.(xiii) Vehicle identifiers and serial numbers including license plate.(xiv) Device identifiers and serial numbers.(xv) Web universal resource locators "URL."(xvi) Internet protocol address numbers "IP."(xvii) Biometric identifiers including finger and voice prints.(xviii) Full face photographic images and any comparable images.(b) A covered entity may only use or disclose a limited date set for the purposes of research, public health, and healthcare operations. A covered entity may use PHI to create a limited data set that meets the requirements or disclose PHI only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity.(c) Unlike the list for de-identified information, the list of data elements to be excluded for the limited data set is an exhaustive list. The limited data set may retain more detailed geographic information (down to county, city/town, or precinct level and five digit zip codes) and dates (such as dates of admission and discharge, and dates of birth and death for the individual). A limited data set is PHI.(d) Data use agreement All recipients of limited data sets must enter into a data use agreement unless the recipient has entered into a business associate agreement. Disclosure of limited data must be done in conjunction with a data use agreement. There must be satisfactory assurances, in the form of a data use agreement, that the limited data set recipient will only use or disclose the protected health information for limited purposes. Data use agreements must be approved by the office of legal affairs. The university of Toledo institutional review board "IRB" must approve data use agreements for disclosure of PHI within the designated record set for research purposes. The data use agreement must:
(i) Establish permitted uses and disclosures of such information by the limited data set recipient.(ii) Establish who is permitted to use and receive the limited data set. Provide that the limited data set recipient will not further disclose or use the information other than what is permitted by the agreement, utilize appropriate safeguards, report to The university of Toledo privacy office any use or disclosure not provided for in the data use agreement, ensure any agents or subcontractors agree to the data use agreement and the recipient of the information not reidentify the information or contact individuals.Ohio Admin. Code 3364-90-05
Effective: 7/9/2018
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364