Anonymize Your PHI With These Strategies

Managing your EHR data can sometimes feel all-consuming. Are you doing everything in your power to keep your data safe and secure?

According to the HIPAA Privacy Rule, restrictions only apply to individually identifiable protected health information (PHI). If you can de-identify PHI so the identities of individuals cannot be discovered, PHI can be freely shared. But the process you take to get there has to follow HIPAA guidelines.

PHI, PII - What’s the difference? 

While PHI is a familiar term in the medical industry, you’ll also hear PII, or personally identifiable information, referred to from time to time. They sound similar, and are often used synonymously. But there is a difference.

PII refers to any information that can be traced to a person's identity. PHI refers to information that contains identifiable health information.

PII is a broader term. All medical information can be both PII and PHI. Yet PHI is more of a subset of PII. For example, a phone number or a mailing address are considered PII. They can identify multiple people using the same information. PHI is narrower, and specifically identifies one individual. A Social Security Number will only represent one individual.

How to anonymize HIPAA information

The purpose of de-identification of PHI is to give HIPAA covered organizations the power to share health data for broader purposes. Offices may choose to submit data for policy assessments or medical research, but only if it can be done without breaching regulations.

HIPAA rules provide two ways of anonymizing HIPAA information: Safe Harbor and Expert Determination.

Safe Harbor deletes specific identifiers from the data set. It includes things like:

  • Geographic details lower than state level
  • Telephone contacts
  • Email
  • IP identifiers
  • Social Security information
  • Medical record details
  • Account numbers
  • License numbers
  • Vehicle identifiers
  • Website addresses
  • Any unique identifying numbers

Expert Determination is more personalized by nature. It comes when there is a small risk of an individual being identified. The covered entity or business associate must obtain an opinion from a qualified statistical expert showing the risk is minimal. This justification of the expert’s opinion must be recorded and retained. This expert must be shown to have a significant understanding of the area being questioned, having appropriate knowledge for rendering the opinion.

Is your data safe?

Choosing to anonymize data can be an important part of sharing your data with other organizations. Selecting which of the two methods to use is determined by the final outcome and how the process will occur.

While the process may seem straightforward, there is a high degree of underlying risk. Criminal behavior doesn’t care how they get into a database. Or what they have to do to re-identify data to make it usable once again. Studies have shown that identifying anonymized data has occurred. Where there is a will, there is a way.

The risk of re-identifying specific data may be a tradeoff for the benefits of the desired actions. However, understanding the risks before you move forward can help you create a stronger process before you begin. The ultimate question never changes: How well am I managing my EHR data?

For IT Strategy, Cloud Conversion, or Help Desk Services reach out to us at Silver Linings Technology 360-450-4759.