In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
Health information that is "de-identified" in accordance with the HIPAA Privacy Rule does not identify any individual patient(s) or research subject(s) and there is no reasonable basis to believe that the information can be used to identify any individual.
Health information that is de-identified in accordance with the HIPAA Privacy Rule does not constitute protected health information and is not subject to HIPAA's requirements for the use and disclosure of protected health information. This policy describes how protected health information may be de-identified in accordance with the HIPAA Privacy Rule.
A UW HCC unit may use protected health information to create de-identified information, whether or not the de-identified information is to be used by the UW HCC unit or disclosed to another entity or individual, without authorization from the individuals whose identifiers appear in the protected health information.
De-identification must be carried out by individuals who are authorized under applicable institutional policies and procedures to access and work with protected health information.
The ability of a UW HCC unit to use protected health information to create de-identified information, in accordance with HIPAA and this policy, does not create a right of access to protected health information for individual employees, students, or agents.
A UW HCC unit may disclose protected health information to a business associate in order to create de-identified information, whether or not the de-identified information is to be used by the UW HCC unit or disclosed to another entity or individual, without authorization from the individuals whose identifiers appear in the protected health information.
Additional requirements apply before disclosing protected health information to a business associate. (See UW-116 Managing Arrangements of Business Associates with the University of Wisconsin-Madison).
Health information is de-identified under HIPAA only by meeting the requirements set forth in sections A or B, below. Further, UW–Madison requires verification of de-identification as set forth in section C, below.
Please note: Health information derived from free text (including, but not limited to, free-text medical record entries and transcriptions of interviews or videos) often requires extensive manipulation to achieve de-identification.
Safe Harbor De-Identification. To achieve de-identification using HIPAA’s “Safe Harbor” method, the following identifiers must be removed relating to an individual (a patient or research subject) and the individual’s relatives, employers, or household members, and the UW HCC may not have actual knowledge that the information (after removal of the identifiers) could be used alone or in combination with other information to identify an individual who is a subject of the information.
Examples of “other information” that would allow identification of an individual include: status as a member of an athletic team or community organization, a unique occupation (such as a politician, judge, specialty medical provider, or niche service provider), details from a situation that likely received media attention (such as a motor vehicle accident or another traumatic event), recognition as an author or expert on a certain topic, or identification as one of a set of multiple children (especially triplets, quadruplets, etc., whose birth may be publicized).
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
Datasets of health information that include specific dates or months are not de-identified. See UW-115: Limited Data Sets of Protected Health Information and Data Use Agreements.
The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual (i.e., the code may not include or be based on any of the identifiers listed above in Section II.A, such as initials or dates).
The requirements of the HIPAA Privacy Rule and of III.A.1 and III.A.2 of this policy differ from the data-coding requirements of 45 CFR 46 (known as the “Common Rule”).
The UW HCC unit does not use or disclose the code or other means of record identification for any other purpose (other than re-identification) and does not disclose the mechanism for re-identification or store it with the coded de-identified information.
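The following is an added example, not code from the policy or from any UW HCC system, showing two of the mechanics described above in working form: the Safe Harbor treatment of dates and ages (every date element except the year is dropped, and ages over 89 collapse into a single "90 or older" category, taking the birth year with them), and a re-identification code that is drawn at random rather than derived from anything about the individual, with the key table produced as a separate object so it can be stored apart from the coded data. The record layout, field names, sample values, reference date and the choice of `secrets.token_hex` as the code generator are all assumptions for the illustration; the policy's full Safe Harbor identifier list is longer than the two direct identifiers modelled here.

```python
"""Illustration of Safe Harbor date/age generalisation and random
re-identification codes. Example code only; the data model is assumed."""
import secrets
from datetime import date

# Constructed sample records (not real patients). Field names are assumptions.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Pat Example", "birth_date": date(1956, 4, 2),
     "admission_date": date(2020, 3, 14), "discharge_date": date(2020, 3, 20),
     "date_of_death": None, "diagnosis_code": "J18.9"},
    {"mrn": "MRN-0002", "name": "Lee Example", "birth_date": date(1928, 11, 30),
     "admission_date": date(2021, 1, 5), "discharge_date": date(2021, 1, 9),
     "date_of_death": date(2021, 1, 9), "diagnosis_code": "I50.9"},
]
DIRECT_IDENTIFIERS = ("mrn", "name")  # only two of the Safe Harbor identifiers are modelled
EVENT_DATES = ("admission_date", "discharge_date", "date_of_death")
REFERENCE_DATE = date(2021, 5, 17)  # constructed date at which age is judged


def age_on(birth, as_of):
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_generalize(record, as_of):
    """Copy of record with direct identifiers removed and dates/ages generalised."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    birth = out.pop("birth_date", None)
    if birth is not None:
        if age_on(birth, as_of) > 89:
            # Over 89 the birth year itself is indicative of age, so it is
            # dropped too; only the aggregate category survives.
            out["age_category"] = "90+"
        else:
            out["birth_year"] = birth.year
    for field in EVENT_DATES:
        if out.get(field) is not None:
            out[field] = out[field].year  # keep the year element only
    return out


def assign_codes(deidentified, originals):
    """Attach a random code to each de-identified record.

    The code comes from a CSPRNG, so it is not derived from the individual.
    The key table (code -> MRN) is returned as a separate object: it must be
    kept apart from the coded data and not disclosed with it.
    """
    coded, key_table = [], {}
    for original, clean in zip(originals, deidentified):
        code = secrets.token_hex(8)
        coded.append({"record_code": code, **clean})
        key_table[code] = original["mrn"]
    return coded, key_table


def code_derivation_problems(code, original):
    """Verification helper: flag a code that embeds forbidden source values
    (initials, MRN digits, or date elements of the original record)."""
    problems = []
    initials = "".join(part[0] for part in original["name"].split()).upper()
    if initials and initials in code.upper():
        problems.append("contains initials")
    mrn_digits = "".join(ch for ch in original["mrn"] if ch.isdigit())
    if mrn_digits and mrn_digits in code:
        problems.append("contains MRN digits")
    birth = original.get("birth_date")
    if birth is not None and str(birth.year) in code:
        problems.append("contains birth year")
    for field in EVENT_DATES:
        d = original.get(field)
        if d is not None and d.strftime("%Y%m%d") in code:
            problems.append("contains " + field)
    return problems


def deidentify_samples():
    """Run the whole pipeline over the constructed records."""
    clean = [safe_harbor_generalize(r, REFERENCE_DATE) for r in SAMPLE_RECORDS]
    return assign_codes(clean, SAMPLE_RECORDS)


if __name__ == "__main__":
    rows, keys = deidentify_samples()
    for row in rows:
        print(row)
    print("key table entries held separately:", len(keys))
```

Running the module prints the coded rows without MRN, name or full dates; the 1928 birth appears only as `age_category: "90+"`, while the 1956 birth keeps its year. The `code_derivation_problems` helper is the kind of check a unit can run before release to catch codes built from initials or dates, which the policy rules out.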
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa.
07-13-2014: Effective date of the revised policy: 07-13-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
02-03-2021: Effective date of the revised policy: 02-03-2021.
03-30-2021: Effective date of the revised policy: 03-30-2021.
05-17-2021: Effective date of the revised policy: 05-17-2021.