HIPAA Identifiers: Anonymizing Data

Protected Health Information (PHI) is considered "Restricted" according to the Stanford Data Classification Guidelines. PHI is any information that can be used to identify an individual and that relates to that individual's past, present, or future health. By law, this information must be stored only in encrypted form and transmitted only through secure means. However, research data intended for publication can be anonymized so that it is no longer considered "protected" and can therefore be released without harm. You can anonymize such data by removing all 18 HIPAA identifiers:

  1. Names
  2. Geographic subdivisions smaller than a state (except the first three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000)
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death and all ages over 89 and all elements of dates (including year) indicative of such age (except that such ages and elements may be aggregated into a single category of age 90 or older)
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier).
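
The three generalization rules in items 2 and 3 (three-digit zip codes, year-only dates, ages over 89) are the ones most often applied incorrectly, so here is an added example, not Stanford's own code, that applies them to one structured record. The field names, the allow-list and the set of low-population zip prefixes are assumptions made for illustration; dates are expected as `datetime.date` values.

```python
from datetime import date

# Hypothetical field names. Only allow-listed fields pass through, so direct
# identifiers (name, phone, SSN, MRN, IP address, ...), free text and any
# unknown field are dropped. subject_code must be a random code (item 18).
PASS_THROUGH = {"subject_code", "sex", "state", "diagnosis"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Constructed sample of 3-digit ZIP prefixes covering 20,000 or fewer people;
# a real set has to be built from current census population data.
SMALL_ZIP3 = {"036", "059"}


def generalize_zip(zip_code, small_zip3=SMALL_ZIP3):
    """Item 2: keep the first three digits, or 000 for small or malformed ZIPs."""
    base = str(zip_code).split("-")[0].strip().zfill(5)  # restores a lost leading zero
    if len(base) != 5 or not base.isdigit():
        return "000"
    return "000" if base[:3] in small_zip3 else base[:3]


def age_on(birth, as_of):
    """Age in whole years on the date as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record, as_of=None, small_zip3=SMALL_ZIP3):
    """Return a de-identified copy of one structured record."""
    age = record.get("age")
    if age is None and record.get("birth_date") is not None:
        age = age_on(record["birth_date"], as_of or date.today())
    over_89 = age is not None and age > 89
    out = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value, small_zip3)
        elif key in DATE_FIELDS and value is not None:
            # Item 3: year only; for ages over 89 the birth year reveals the age, so drop it.
            if not (key == "birth_date" and over_89):
                out[key.replace("_date", "_year")] = value.year
        elif key in PASS_THROUGH:
            out[key] = value
    if over_89:
        out["age"] = "90+"  # single aggregated category
    elif "age" in record:
        out["age"] = record["age"]
    return out
```

Because unknown fields are dropped rather than copied, a new column added to the source data stays out of the released set until someone reviews it and adds it to the allow-list.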

For more about HIPAA and Stanford's policies, visit the HIPAA home page: hipaa.stanford.edu.

Also helpful:

HIPAA Contacts (http://acp.stanford.edu/privacy/contact) -- who to ask about HIPAA and privacy: University Privacy Officer, School of Med Privacy (Todd Ferris), Hospitals and Vaden, and a description of the Health Care Components and their contact people.

HIPAA Policies (http://hipaa.stanford.edu/policy.html) -- Outlines both privacy policies (definitions, outlines, and rules about privacy and information use and disclosure) and security policies (networking security, disaster preparedness, facility security, and guidelines for handling PHI).