UW Directories | Calendar | Map | MyUW
UW logo
Skip to Main
Human Subjects Division (HSD)

Topics

De-Identified Information

As defined by HIPAA, health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual.  Information is considered de-identified if 18 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information.  The identifiers include the following:

  1. Names
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses (email)
  7. Social Security numbers
  8. Medical records numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locator (URL)
  15. Biometric identifiers, including finger or voice prints
  16. Full face photographic images and any comparable images
  17. Internet Protocol (IP) address numbers
  18. Any other unique identifying number, characteristic or code

Change Notes

  • Noted 09/23/2010 @ 09:01am
    Keyword newly added.
    - sherrye

Related Questions And Answers

  • What is HIPAA?

    HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. The purpose of the Act was to increase the ease with which people could transfer their health care information from one insurer or provider to the next. Congress, as part of HIPAA, required the development of privacy regulations to protect the confidentiality of individually identifiable health care information. The final (HIPAA) privacy rule was issued on August 14, 2002. As of April 14, 2003, The University of Washington is in compliance with the Privacy Rule.

  • What is PHI?

    Protected Health Information is any information pertaining to:

    • the past, present, or future physical or mental health or condition of an individual;
    • the provision of health care to an individual; or
    • the past, present, or future payment for the provision of health care to an individual.

    PHI may be information that is recorded electronically, on paper, or orally. PHI may concern living people or dead people (referred to in the law as "decedents"). PHI does NOT include de-identified information or biological tissue with no accompanying information, such as an accession number or code number that may be linked to an identifier.

  • What is needed to request a "Waiver of HIPAA Authorization?"

    The UW IRB Committees use specific criteria in reviewing requests for a waiver of HIPAA authorization for research. In completing the Human Subjects Review Application (UW 13-11), researchers should explain how:

    • The use or disclosure of protected health information involves no more than minimal risk to the privacy, safety, and welfare of the individual;
    • The research could not practicably be conducted without the waiver or alteration;
    • The research could not practicably be conducted without access to the protected health information;
    • There is an adequate plan to protect the identifiers from improper use or disclosure;
    • There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • There are adequate written assurances that the protected health information will not be re-used or disclosed to a third party except as required by law, for authorized oversight of the research, or as permitted by an authorization signed by the research subject

    In requesting this waiver, researchers should also provide the following information:

    • Detailed information about the types of protected health information that will be used, including how it will be used, who will have access to it, and when it will be destroyed;
    • What risks are posed by the use of the data, and how they have been minimized
    • The justification for access to the data and why they are necessary to conduct the research.
  • What kind of research and researchers are affected by the HIPAA regulations?

    Any kind of research conducted under the auspices of the UW and UW Medicine that creates or uses protected health information is subject to the HIPAA regulations. This includes such research activities as clinical trials, chart reviews, epidemiological studies, behavioral, and social science studies, as well as basic science research activities. It includes research that involves the provision of treatment as well as research that provides neither treatment nor diagnosis.

    All researchers, whether or not they are directly connected with UW Medicine, who wish to conduct research involving protected health information must complete HIPAA training before they will be allowed to have access to individually identifiable health information in any form.

  • Who is affected by HIPAA?

    All researchers (faculty, staff, or students) at the UW who access or create Protected Health Information (PHI) preceding or during the conduct of their research must comply with the HIPAA regulations.