The primary goal of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is to safeguard Protected Health Information (PHI). In this article, you will learn about de-identifying PHI in order to remain HIPAA compliant when performing Teletherapy.
De-identifying information is basically the act of removing personal, identifiable information. When sharing and storing information electronically you are required to do everything you can to keep your client’s information private and secure. The HIPAA Privacy Rule has two methods for de-identifying; Expert Determination & Safe Harbor. According to the Office of Civil Rights (2015) an expert is, “a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable…” I don’t know about you, but I’m not an expert. For that reason, I use the Safe Harbor Method.
Safe Harbor Method
This method consists of removing personal identifiers when sharing information. The following list was taken directly from the U.S. Department of Health & Human Services (HHS) website and was created by the Office of Civil Rights (2015). For updated lists and more detailed information, check out the HHS link provided above.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(a) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(b) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code, except as permitted under the security rule (see HHS website)
- Certificate/license numbers
So what do you need to do?
Use a HIPAA compliant software for storing and sharing information. Some examples include patient portals, electronic health records (EHR) software and Google Drive. Only use services that provide a Business Associate Agreement (BAA). There are many options out there with varying price ranges. The simplest way to keep information safe is by using software that has been created to keep information private and safe.
What about email?
If your client emails you, they do not have to adhere to HIPAA standards. However, once you receive the email, you must store it using HIPAA compliant methods. When you email your clients, you have to take precautions to ensure that your email only contains the necessary information and that it is being sent securely to the right person. Never email PHI. I recommend that you sign up for a HIPAA compliant email service that offers a BAA. HIPAA compliant email service should take care of data encryption for you. Many EHRs offer email services and patient portals where PHI can be shared or viewed because the data is encrypted. To learn more about a BAA check out the article, “BAA: Why You Need It.”
The Office of the National Coordinator for Health Information Technology (ONC) is a great resource for learning about ways to keep PHI safe. Click this link to read the 10 tips they’ve put together to help with protecting electronic PHI.
For a HIPPA Security Checklist, check out this link.