When is Patient Information “De-Identified”?
HIPAA. February 22nd, 2009, 6:18pm

Since HIPAA only applies to “identifiable” health information, it is permissible to disclose information, without patient authorization, when it has been “de-identified”. De-identifying patient information can be useful when, for example, a physician would like to publicly discuss a case for educational purposes.
However, “de-identification” involves more than simply removing the patient’s name. Absent a “formal determination by a qualified statistician”, all of the following must be removed to “de-identify” a patient’s health information:
- names
- geographic subdivisions smaller than a state (e.g., you cannot say “a woman from Detroit”); note that the first three digits of a zip code are usually OK, unless it is a very sparsely populated area, with fewer than 20,000 people
- all elements of dates pertaining to the individual (except that you can discuss the year of birth/patient’s age as long as the patient is not older than 89)
- [this one is obvious] numbers identifying the individual, including: telephone, fax, social security, medical record numbers, health plan beneficiary numbers, certificate/license numbers, VIN and serial numbers, license plate numbers, device identifiers and serial numbers
- e-mail and internet identifiers (e-mail address, URLs, IP addresses)
- biometric identifiers, including finger and voice prints
- full-face photographic images and any comparable images
- **any other unique identifying number, characteristic, or code; and**
- **any information that the covered entity knows could be used alone or in combination with other information to identify the individual.**
I bolded these last two because they are particularly important. If a patient suffers from a rare disease or was a victim of a rare or widely publicized injury or accident, then any discussion of the patient’s diagnosis, injury or accident could potentially violate HIPAA, even if the patient’s name is not used.
A recent example of enforcement was posted on the HHS Office of Civil Rights HIPAA website: a hospital released information to the media regarding an unusual sporting accident, including the date of the accident and the skull x-ray of the injured individual.
The patient could be identified because of the unusual nature of the injury, and a HIPAA investigation ensued.