
AIS Side-by-Side Comparison of March 27 Proposed Modifications to Existing HIPAA Regulatory Language

De-Identification of PHI

HHS Fact Sheet

Request for Comments on an Alternative Approach to De-Identification -- The department received comments from the research community on the need for an alternative approach to de-identification. HHS shares these concerns but still believes identifiable information should have strong protections. Therefore, HHS is seeking comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain. In addition, to further protect privacy, the department proposes to condition the disclosure of the limited data set on a covered entity's obtaining from the recipient a data use or similar agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, as well as not to re-identify the information or use it to contact any individual.

The proposal also makes a technical correction to the rule to eliminate confusion regarding the re-identifying code that a covered entity is allowed to assign. The proposal clarifies that this code does not have to be removed.

Preamble Discussion:
67 Federal Register, pp. 14798, 14800

AIS Regulatory Comparison

Provisions affected:
§164.514(b)(2)

How to Read the Table

Proposed changes from the March 27, 2002 Federal Register are in the left column. Existing language, from the December 28, 2000 final rule, is in the right column. The legend for changes is as follows:

Legend
Bold underlined text = proposed revision.
Red text (or within a clause red text with strikethrough) = language proposed for deletion or revision.
[Bracketed text] = editor's note to change.
Regular text = Unchanged existing language

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

Left column: Proposed Revisions, Federal Register, 3/27/2002
Right column: Existing Language, Final Rule, 12/28/2000

Both columns:

(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

Proposed Revisions column:

[no changes to list except for revision to (R), which clarifies that the re-identification code is not included in the list of identifiers that must be removed]

Existing Language column:

(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R), proposed revision: Any other unique identifying number, characteristic, or code except as permitted by paragraph (c) of this section; and

(R), existing language: Any other unique identifying number, characteristic, or code;

 

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

[No changes proposed to (c).]

(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

[See AIS Side-by-Side, “Minimum Necessary” and “Marketing,” for changes to remainder of section.]
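
An added example, not part of the AIS comparison or the rule text: one way a data engineer might apply the zip code rule in (B), the date and age rule in (C), and the re-identification code conditions in (c) to a record. The field names, the population table, and the sample record are constructed assumptions, and "diagnosis" is assumed to be a coded value rather than free text.

```python
import secrets
from datetime import date

# Constructed sample: population per three-digit zip prefix. Real values must
# come from current Bureau of the Census data, per (b)(2)(i)(B).
ZIP3_POPULATION = {"200": 650_000, "036": 12_000}

# Constructed sample record; every value is made up.
SAMPLE = {"mrn": "MRN-0001", "name": "Jane Example", "zip": "03601",
          "birth_date": date(1930, 5, 1), "admission_date": date(2024, 3, 9),
          "diagnosis": "I10"}

def safe_zip3(zip_code):
    """(B): keep the first three digits only if that unit has > 20,000 people."""
    prefix = zip_code.strip()[:3]
    # Unknown prefixes fail closed to 000.
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def age_on(birth, as_of):
    """Completed years of age on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def deidentify(record, as_of, code_table):
    """Return a new record holding only generalized fields plus a random code.

    Built from an allow-list, so names, phone numbers, SSNs and the other
    identifiers in (A)-(R) are dropped by never being copied.
    """
    age = age_on(record["birth_date"], as_of)
    over_89 = age > 89
    # (c)(1): the code is random, not derived from anything about the person.
    code = secrets.token_hex(16)
    # (c)(2): the lookup table stays with the covered entity, never in the output.
    code_table[code] = record["mrn"]
    return {
        "record_code": code,
        "zip3": safe_zip3(record["zip"]),
        # (C): ages over 89 collapse into one category, and the birth year
        # that would reveal such an age is withheld as well.
        "age": "90+" if over_89 else age,
        "birth_year": None if over_89 else record["birth_date"].year,
        # (C): other dates keep the year only.
        "admission_year": record["admission_date"].year,
        "diagnosis": record["diagnosis"],
    }
```

The proposed wording of (R) is what lets "record_code" remain in the output. The condition in (ii), actual knowledge that the remaining information could identify an individual, is a judgment the covered entity makes and is not something this code checks.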

 


Copyright © 2009 by Atlantic Information Services, Inc. All rights reserved.