De-Identified Information Policy

It is the policy of the Columbia University Healthcare Component (CUHC) to use and disclose de-identified information, rather than Protected Health Information (PHI), when appropriate and consistent with university and legal requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Reason(s) for the Policy

CUHC is committed to protecting patient privacy as mandated by applicable city, state, and federal laws and regulations and must comply with legal requirements, including HIPAA, and its policies, when de-identifying information and using or disclosing such information.

Primary Guidance To Which This Policy Responds

45 CFR §§ 164.502(d), 164.514

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

Exclusions and Special Situations

Refer to the Institutional Review Board Policy on the Privacy Rule and the Use of Health Information in Research for additional guidance on the use of de-identified information for research purposes.

De-Identification of PHI

Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not considered individually identifiable health information under HIPAA. A determination may be made that information is not individually identifiable health information only if one of the following methods of de-identification is used:

  1. Statistical Method: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and documents the methods and results of the analysis that justify the determination. Workforce members may rely on an expert determination of de-identification only if provided by an expert who is approved by the Privacy Office.
  2. Safe Harbor Method: The following identifiers of the individual and the relatives, employers, or household members of the individual, are removed, and CUHC has no actual knowledge that the information could be used alone, or in combination with other information, to identify the individual:
    • names (including initials);
    • all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geographical codes;
    • all elements of dates (except year) for dates directly related to an individual, including birthdate, admission date, discharge date, date of service, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
    • telephone numbers;
    • fax numbers;
    • electronic mail addresses;
    • social security numbers (including partial SSNs);
    • medical record numbers;
    • health plan beneficiary numbers;
    • account numbers;
    • certificate or license numbers;
    • vehicle identifiers and serial numbers, including license plate numbers;
    • device identifiers and serial numbers;
    • Web Universal Resource Locators (URLs);
    • Internet Protocol (IP) address numbers;
    • biometric identifiers, including finger and voice prints;
    • full face photographic images and any comparable images; and
    • any other unique identifying number, characteristic or code.
 
Re-Identification of De-Identified Information
  1. CUHC may assign a code or other means of record identification to allow de-identified information to be re-identified provided that:
    • The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
    • CUHC does not use or disclose the code or other means of record identification for any other purpose and does not disclose the mechanism for re-identification.
 
General Rules
  1. PHI that has been de-identified in accordance with this policy is not subject to HIPAA and may be used for legitimate university purposes.
  2. PHI that has not been de-identified in accordance with this policy is considered to be Sensitive Data and shall not be accessed, maintained, used or disclosed by CUHC Workforce members except as permitted by CUHC policies, HIPAA, and applicable state law.
  3. CUHC may use PHI to create de-identified information for legitimate university purposes.

 

Definitions

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Sensitive Data: any information protected by federal, state and local laws and regulations and industry standards, such as HIPAA, HITECH, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS. See the Columbia University Data Classification Policy for examples of Sensitive Data.

Workforce includes faculty, staff, students and other individuals whose conduct, in the performance of work for CUHC, is under the direct control of CUHC.