Question: How can HIPAA-covered entities such as employer-sponsored group health plans and their business associates de-identify PHI to avoid HIPAA’s use and disclosure restrictions?

Short Answer: Covered entities and business associates generally must remove 18 specific identifiers for PHI to be de-identified and therefore no longer subject to HIPAA’s use and disclosure restrictions.

General Rule: Five Main Types of Information

There are five main types of health information in the HIPAA context:

• Protected Health Information (PHI; within the meaning of 45 CFR §160.103);

• De-Identified Health Information (not PHI; within the meaning of 45 CFR §164.514);

• Summary Health Information (reduced restriction form of PHI; within the meaning of 45 CFR §154.504(a));

• Limited Data Set (reduced restriction form of PHI; within the meaning of 45 CFR §164.514(e)).

• Employer Enrollment/Disenrollment Information (not PHI; within the meaning of 45 CFR §160.103)

Important Note: Plan sponsors of fully insured group health plans with access to de-identified health information, summary health information, and/or enrollment/disenrollment information still qualify for the fully insured plan exemption from the HIPAA documentation requirements.

• For more details, see our Newfront HIPAA Training for Employers Guide.

Standard PHI

PHI is individually identifiable health information maintained or transmitted by a covered entity or business associate.

The HIPAA privacy and security rules apply to the following Covered Entities:

• Health Plans- Employer-sponsored group health plans

• Health insurance carriers (including HMOs)

• Government health programs (Medicare, Medicaid, IHS, TRICARE, etc.)

• Health Care Clearinghouses

• Health Care Providers (transmitting health information electronically)- Doctors, nurses, hospitals, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.

Typical employer-sponsored group health plans subject to these HIPAA privacy and security rules include:

• Medical

• Dental

• Vision

• Health FSA

• HRA

• EAP

• Wellness Programs

Important Note: The exclusion of enrollment/disenrollment information from the definition of PHI subject to HIPAA protection significantly limits the scenarios where employers interact with PHI.  Enrollment/disenrollment information held by the covered entity in its role as employer is an employment record that is not PHI, provided it does not include any substantial clinical information. 

For more details, see our prior HIPAA Privacy posts:

• HIPAA Breach Notifications for Employers

• When is HIPAA Training Required?

• Disclosing PHI to Family Members Under HIPAA

• When is a HIPAA BAA Required?

• HIPAA Notice of Privacy Practices

• HIPAA Privacy and Private Workspaces

De-Identified PHI: Not PHI

De-identified information is not PHI subject to HIPAA’s restrictions.  To qualify as de-identified, there must be no reasonable basis to believe that the information can be used to identify the individual.

There are two ways to de-identify PHI:

• Expert Determination (uncommon); and

• Safe Harbor (common)

Under the expert determination method, a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable must use those skills to determine that the risk is very small the information could be used to identify an individual.  This includes the information alone or in combination with other reasonably available information.  The expert must also document the methods and result of the analysis to justify the determination.  This is an uncommon de-identification approach because of the difficulty in meeting the standards.

The safe harbor approach is much more common.  Under the safe harbor approach, 18 specific identifiers must be removed for the PHI to be de-identified, and therefore qualify as non-PHI:

• Names

• Geographic divisions smaller than a state:- Address, city, county, precinct, zip code, geocode

• Initial three digits of zip code may be include with restrictions

• All dates more precise than the year:- Date of birth/death, admission/discharge date, all ages over 89

• Phone numbers

• Fax numbers

• Email addresses

• SSNs

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial number (including license plate numbers)

• Device identifiers and serial numbers

• URLs

• IP address numbers

• Biometric identifiers:- Fingerprints, voice prints

• Full face pictures and anything comparable

• Any other unique identifying number, characteristic, or code

The covered entity also cannot have actual knowledge that the information could be used alone or in connection with other information to identify an individual who is a subject of the information.

• For more details on de-identification, see the HHS summary: Guidance Regarding Methods for De-Identification of Protected Health Information.

Summary Health Information: Reduced Restriction PHI

Summary health information” is information that summarizes the claims history, expenses, or types of claims by covered individuals under the plan—provided the entity disclosing the information has removed certain identifying information.

Summary health information follows the same de-identification process of removing 18 specific identifiers as described above under the safe harbor approach. However, the one difference is that while de-identified PHI can only refer to the initial three digits of a zip code (with restrictions), summary health information can include the five-digit zip code.

Summary health information is PHI, but with reduced HIPAA requirements on its use and disclosure than standard PHI.  Most commonly, summary health information is used in the context of underwriting activities.  HIPAA permits an employer’s group health plan (the covered entity) to disclose summary health information to the plan sponsor upon request for underwriting purposes and still qualify for the fully insured plan exemption from the HIPAA documentation requirements.

Limited Data Set: Reduced Restriction PHI

A covered entity may use or disclose a limited data set for the purposes of research, public health, or health care operations where there is a data use agreement in place with the recipient of the information.

The information that can be included in a limited data set is less restrictive than the standards for de-identified PHI or summary health information described above.

To qualify as a limited data set, the following 16 direct identifiers of the individual, relatives, employers or household members must be removed from the PHI:

• Names

• Postal address information (other than town or city, State, and zip code)

• Telephone numbers

• Fax numbers

• Email addresses

• SSNs

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers (including license plate numbers)

• Device identifiers and serial numbers

• URLs

• IP addresses

• Biometric identifiers (including finger and voice prints)

• Full face photos (and any comparable images)

The data use agreement in place between the covered entity and the limited data set recipient must establish the permitted uses and disclosures, establish who is permitted to use or receive the data, include specified restrictions on the recipient, and provide for the discontinued disclosure and reporting to the Secretary of HHS upon certain violations or material breaches of the agreements that are not cured.

Employer Enrollment and Disenrollment Information: Not PHI

Employment records held by the plan sponsor in its role as employer are not PHI.  This exclusion from PHI applies to enrollment and disenrollment information held by the employer.  Such information is considered an employment record, rather than PHI held by the plan, as long as it does not include any substantial clinical information.

This major exclusion of enrollment and disenrollment information held by the employer from the definition of PHI significantly limits the scenarios where HIPAA’s use and disclosure restrictions will apply to information maintained by the employer plan sponsor.

• For more details on HIPAA privacy generally, see our Newfront HIPAA Training for Employers Guide.

Regulations

45 CFR §160.103 [PHI]:

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information:

(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

(iii) In employment records held by a covered entity in its role as employer; and

(iv) Regarding a person who has been deceased for more than 50 years.

45 CFR §164.514(b)(2) [De-Identified PHI]:

_(2)  _(i)   The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A)   Names;

(B)   All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1)   The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2)   The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C)   All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D)   Telephone numbers;

(E)   Fax numbers;

(F)   Electronic mail addresses;

(G)   Social security numbers;

(H)   Medical record numbers;

(I)   Health plan beneficiary numbers;

(J)   Account numbers;

(K)   Certificate/license numbers;

(L)   Vehicle identifiers and serial numbers, including license plate numbers;

(M)   Device identifiers and serial numbers;

(N)   Web Universal Resource Locators (URLs);

(O)   Internet Protocol (IP) address numbers;

(P)   Biometric identifiers, including finger and voice prints;

(Q)   Full face photographic images and any comparable images; and

(R)   Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(ii)   The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

45 CFR §164.504(a) [Summary Health Information]:

Summary health information means information, that may be individually identifiable health information, and:

(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and

(2) From which the information described at §164.514(b)(2)(i) has been deleted, except that the geographic information described in §164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.

45 CFR §164.504(f)(1):

(i)   Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508 , a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.

(ii)   Except as prohibited by §164.502(a)(5)(i), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for purposes of:

(A)   Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or

(B)   Modifying, amending, or terminating the group health plan.

(iii)   The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

45 CFR §164.514(e)(2) [Limited Data Set]:

_(2)  _Implementation specification: Limited data set:A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

(i)   Names;

(ii)   Postal address information, other than town or city, State, and zip code;

(iii)   Telephone numbers;

(iv)   Fax numbers;

(v)   Electronic mail addresses;

(vi)   Social security numbers;

(vii)   Medical record numbers;

(viii)   Health plan beneficiary numbers;

(ix)   Account numbers;

(x)   Certificate/license numbers;

(xi)   Vehicle identifiers and serial numbers, including license plate numbers;

(xii)   Device identifiers and serial numbers;

(xiii)   Web Universal Resource Locators (URLs);

(xiv)   Internet Protocol (IP) address numbers;

(xv)   Biometric identifiers, including finger and voice prints; and

(xvi)   Full face photographic images and any comparable images.

45 CFR 164.530(k) [Documentation Exemption for Fully Insured Plan]:

(k)Standard: Group health plans.

_(1)_A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:

(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and

(ii) The group health plan does not create or receive protected health information, except for:

(A) Summary health information as defined in 164.504(a) ; or

(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

_(2)_A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with 164.504(f) .

65 Fed. Reg. 82461, 82496 (Dec. 28, 2000) [Enrollment/Disenrollment Information]:

https://www.govinfo.gov/content/pkg/FR-2000-12-28/pdf/00-32678.pdf

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of 164.504 regarding group health plans when conducting enrollment activities.

67 Fed. Reg. 53181, 53208 (Aug. 14, 2002) [Enrollment/Disenrollment Information]:

https://www.govinfo.gov/content/pkg/FR-2002-08-14/pdf/02-20554.pdf

While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual’s enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.