The Health Insurance Portability and Accountability Act of 1996 (HIPAA) carried with it the expectation that compliance would be complete by April 14, 2003. The act includes provisions for Privacy and Security of personal health information as well as for electronic standards for communicating claims data and unique identifiers for health care providers and organizations. Most pertinent to JAMIA are the regulations regarding transmittal of personal patient information.
It is important to note that these guidelines apply principally to Protected Healthcare Information (PHI), defined as “a subset of individually identifiable health information (IIHI) that is maintained or transmitted in any form . . . and relates to the past, present, or future physical or mental condition of an individual; provision of health care to an individual, or payment for that health care; and identifies or could be used to identify the individual.”1 While protecting patient privacy is important, it is also imperative that health care researchers be able to present data to support claims. In order to comply with HIPAA, JAMIA requires that all authors “de-identify” patient information in their text, tables, and figures, by deleting (or replacing with permuted data) the following from any part of the manuscript that contains patient information:
Names
All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
All elements of dates (except year) for dates directly related to an individual, including birth date, dates of admission, discharge, tests or procedures, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements be aggregated into a single category of 90 or older.
Telephone and/or fax numbers
Electronic mail addresses
Social security numbers and/or medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plates
Device identifiers and serial numbers
Patient-related Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voiceprints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code
In addition, JAMIA authors must alter any identifying patient information, such as diagnostic indicators present in a patient problem list, when the combination of attributes might uniquely identify an individual.
Reference
- 1.Human Research Protections Program: HIPAA Information. University of California, San Diego. 4 March, 2003. <http://irb.ucsd.edu/hipaa.shtml>.