L.C. Baxter Medical Library
De-Identification
Home
Ebooks
eReserves
Request a Search
Request an Article
Residents
Just For Nurses
Librarian's Favorites
About the Library
Continuing Education
WiFi

De-identification

Certain research projects can be accomplished through the use of de-identified data. For example, a de-identified data set might include age, gender, marital status, ethnicity, and relevant medical data or an unidentified tissue sample. De-identified data is not subject to HIPAA regulations.

To qualify as being de-identified under the Privacy Rule, the following data elements about the individual and the individual’s relatives, employers, or household members must be removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;

(C) All elements of dates (except year) for dates directly related to an individual including:

- birth date
- admission date
- discharge date
- date of death; and
- all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.

If the investigator receives only de-identified data or samples, then the Privacy Rule does not apply. However, if the investigator him/herself views records that contain identifiable information and from those records extracts a de-identified data set, then the project must undergo human subjects review and must qualify for a waiver of privacy authorization. If the project does not qualify for a waiver of privacy authorization, an honest broker must be used to create the de-identified data set.