The College’s Advocacy Council encourages members to keep the council abreast of coverage and coding issues they experience with CMS and commercial payers. When transmitting data to the Advocacy Council, such as claim denial letters, covered entities that electronically transmit any health information in connection with transactions must comply with the Health Insurance Portability and Accountability Act (HIPAA) by de-identifying protected health information (PHI). Covered entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers. This article provides guidance on when and how to de-identify data.
The HIPAA Privacy Rule sets federal standards to protect the privacy of patients’ medical records and other information maintained by covered entities. These rules impose significant control over how PHI is used and disclosed. HIPAA violations have become more common in recent years and create potential financial liabilities for breach of confidentiality of PHI.
To ensure patient privacy, HIPAA requires covered entities to de-identify PHI before sending data to the Advocacy Council. One HIPAA-compliant method to de-identify data is to remove certain identifiers so individuals’ identities cannot be ascertained and re-identification of individuals cannot occur. When the identifiers have been removed, the data is no longer considered PHI under the HIPAA Privacy Rule and can be freely shared. The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed from a record in order for data to be considered de-identified:
- All geographic subdivisions smaller than a State (e.g., street address, city, county, precinct, zip code)
- Electronic mail addresses, web URLs, and Internet Protocol (IP) address numbers
- All elements of dates (except year) for dates directly related to an individual (i.e., birth date, admission date, discharge date, date of death)
- All ages over 89 and all elements of dates indicative of such age (including year)
- Telephone or fax numbers
- Social security numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (e.g., license plate numbers)
- Medical record or account numbers
- Health plan beneficiary numbers
- Device identifiers and serial numbers
- Biometric identifiers (e.g., finger and voice prints) and full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
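As an added illustration (not part of the original article or any Advocacy Council tool), the Python sketch below scrubs the pattern-matchable identifiers from the list above out of a claim denial letter before it is sent, keeping only the year of each date and leaving five-digit procedure codes intact. The field labels (`MRN`, `Member ID`, `Account No`) and the sample letter are constructed assumptions; free-text identifiers such as street and city names, and photographs, cannot be caught by patterns and still need manual review.

```python
import re

# Ordered rules (label, pattern, replacement). Narrow patterns run first so a
# broader one never consumes part of them (e.g. SSN before phone).
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"
RULES = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("url", re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.I), "[URL]"),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("phone", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-. ])\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    # Dates: drop month and day, keep the year only.
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),
    ("date", re.compile(r"\b" + MONTH + r" \d{1,2}, (\d{4})\b"), r"\1"),
    # ZIP only when it follows a two-letter state code, so CPT codes survive.
    ("zip", re.compile(r"\b([A-Z]{2}) \d{5}(?:-\d{4})?\b"), r"\1 [ZIP]"),
    # Labelled record numbers; the label names are assumptions for this example.
    ("record_id", re.compile(r"\b(MRN|Member ID|Account No\.?)\s*[:#]\s*[\w-]+", re.I), r"\1: [ID]"),
]
AGE = re.compile(r"\b(\d{2,3})([- ]years?[- ]old)\b", re.I)

def deidentify(text):
    """Return (scrubbed_text, counts) where counts maps identifier type to hits."""
    counts = {}
    for label, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        if n:
            counts[label] = counts.get(label, 0) + n

    def age_repl(m):
        # Only ages over 89 are identifiers; younger ages are left as written.
        if int(m.group(1)) > 89:
            counts["age_over_89"] = counts.get("age_over_89", 0) + 1
            return "[AGE]" + m.group(2)
        return m.group(0)

    return AGE.sub(age_repl, text), counts

# Constructed sample letter; every value in it is fictional.
SAMPLE = """Claim denial notice dated 03/14/2024
Patient: 92-year-old, MRN: A1234567, Member ID: XYZ-998877
SSN 123-45-6789, phone (555) 010-0199, fax 555-010-0123
Mailing: IL 62704. Contact jane.doe@example.org
Admitted March 2, 2024; CPT 99213 denied as not medically necessary."""

if __name__ == "__main__":
    scrubbed, found = deidentify(SAMPLE)
    print(scrubbed)
    print(found)
```

The returned counts give a quick record of what was removed; an empty count for a category is not proof that the letter contains none of that identifier, only that no pattern matched.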
Protecting an individual’s PHI from unauthorized use and disclosure is required under federal and state law, and violation of these rules is enforceable by corrective measures or by potential fines. Therefore, we strongly urge members to make sure they have properly de-identified PHI before sending claims or other data related to a particular patient to the Advocacy Council.
The Advocacy Council – we have you covered!