
Anonymizing protected health information

Protected health information (PHI) is anonymized when patient data needs to be shared, analyzed, or utilized without compromising individual privacy, such as in research, public health reporting, regulatory compliance, and data sharing with third parties. The anonymization process allows organizations to leverage valuable healthcare data to improve patient care, advance medical research, and develop new healthcare products while keeping patient identities safe. 

 

Two approaches to de-identifying PHI

When it comes to anonymizing PHI, there are two primary methods recognized under HIPAA:

 

Safe harbor method

In the Safe Harbor method, “the following identifiers of the individual or of relatives, employers, or household members of the individual, are removed.” These include:

  • Names
  • All geographic subdivisions smaller than a state (e.g., street addresses, city, county)
  • All elements of dates (except year) related to an individual (e.g., birthdate, admission date)
  • Telephone numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs
  • IP addresses
  • Biometric identifiers (e.g., fingerprints)
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code

By removing these identifiers, the data is considered de-identified under HIPAA, meaning it is no longer subject to the regulations that apply to PHI.

Related: What are the 18 PHI identifiers?

 

Expert determination method

In this approach, an expert applies statistical or scientific principles to determine that the risk of re-identification of the individual is small. This method is more flexible than the Safe Harbor method, as it allows for some identifiers to remain if the expert deems they do not pose a significant re-identification risk.

 

Techniques for anonymizing PHI

To effectively anonymize PHI, a variety of data masking techniques can be used:

  • Suppression: The most straightforward method, suppression involves removing or redacting identifiable information entirely and is most suitable for information that is not crucial for the analysis or study.
  • Generalization: This technique involves replacing specific information with broader categories. For example, instead of recording a precise age, the data might show an age range (e.g., 30-40 years old), preserving some utility while protecting individual identities.
  • Randomization: Randomization alters the data to make it less specific while keeping it useful for analysis. For example, dates might be shifted by a random number of days to obscure the exact timing of events.
  • Pseudonymization: This approach replaces private identifiers with fake identifiers or pseudonyms, allowing for the possibility of re-linking data if necessary, provided the key to the pseudonymization is kept secure.

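The following is an added example, not code from the original article or from Paubox, showing the four techniques above applied to a single constructed patient record in a way that also strips the Safe Harbor identifiers listed earlier. The record, the field names and the linkage key are all assumptions made for illustration.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample record for illustration only; not real patient data.
RECORD = {
    "name": "Jane Doe", "mrn": "MRN-00012345", "ssn": "123-45-6789",
    "dob": date(1985, 3, 14), "age": 38, "zip": "90210", "state": "CA",
    "admit_date": date(2023, 11, 2), "discharge_date": date(2023, 11, 9),
    "diagnosis": "Type 2 diabetes",
}
# Hypothetical linkage key; in practice it lives in a KMS/HSM, never beside the data.
LINK_KEY = b"example-linkage-key-replace-me"

def pseudonymize(identifier, key=LINK_KEY):
    """Pseudonymization: keyed HMAC token; only the key holder can re-link records."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def generalize_age(age):
    """Generalization: 10-year bands; Safe Harbor aggregates ages 90+ into one category."""
    if age >= 90:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def shift_dates(record, fields, seed):
    """Randomization: one offset per record keeps intervals but hides absolute dates."""
    offset = timedelta(days=random.Random(seed).randint(-365, 365))
    return {f: record[f] + offset for f in fields}

def deidentify(record, seed=0):
    """Suppression happens by construction: name, ssn, mrn and zip are never copied."""
    out = {
        # Pseudonymization of the medical record number (re-linkable with LINK_KEY)
        "patient_token": pseudonymize(record["mrn"]),
        # Generalization: keep only the state, band the age, keep only the birth year
        "state": record["state"],
        "age_band": generalize_age(record["age"]),
        "birth_year": record["dob"].year,
        "diagnosis": record["diagnosis"],
    }
    # Randomization: consistent date shift (an expert-determination style technique;
    # strict Safe Harbor would keep only the year of each date)
    out.update(shift_dates(record, ["admit_date", "discharge_date"], seed))
    out["length_of_stay_days"] = (out["discharge_date"] - out["admit_date"]).days
    return out
```

Because the same offset is applied to every date in a record, derived values such as length of stay stay exact even though the dates themselves no longer match the source system.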
See also: HIPAA Compliant Email: The Definitive Guide

 

Maintaining data quality and utility

A significant challenge in anonymizing PHI is balancing privacy with data utility. Over-anonymizing data can render it useless for analysis, while under-anonymizing it can leave individuals vulnerable to re-identification. Striking this balance requires consideration of the data’s intended use and the methods applied.

 

Legal and ethical considerations

Beyond the technical aspects, anonymizing PHI carries legal and ethical responsibilities. Compliance with applicable regulations, such as HIPAA, is mandatory. However, even in regions without strict legal requirements, ethical considerations should guide your approach. Consulting with legal and privacy experts can ensure that your anonymization efforts meet all necessary standards.

 

FAQs

What is protected health information (PHI)?

PHI refers to any information in a medical record or shared during a doctor-patient interaction that can be used to identify an individual, including names, addresses, birth dates, Social Security numbers, medical records, and more.

Go deeper: What is protected health information (PHI)?

 

What does it mean to anonymize PHI?

Anonymizing PHI means removing or altering personal identifiers in the data so individuals cannot be readily identified. Anonymization protects patient privacy while allowing the data to be used for research, analysis, and other purposes.

 

Can anonymized data be re-identified?

In theory, anonymized data can be re-identified if sufficient additional information is available or if the anonymization process is not thorough. However, proper anonymization techniques should minimize this risk.
