DE-IDENTIFIED DATA SETS

Definition

A de-Identified data set is a data set that meets both of the following:

• Does not identify any individual that is a subject of the data.
• Does not provide any reasonable basis for identifying any individual that is a subject of the data. 

There are two methods for de-identifying information:

1. Removal of Certain Identifiers

In order to be considered de-identified under this method, the following identifiers must be removed:

• Name
• Geographic subdivisions smaller than a state. 
• Dates directly related to the individual except year
• All ages over 89 and/or dates indicating an age over 89
• Telephone numbers
• Fax numbers
• Email addresses
• Social security numbers
• Medical record numbers
• Health plan numbers
• Account numbers
• Certificate or license numbers
• Vehicle identification/serial numbers, including license plate numbers
• Device identification/serial numbers
• Universal Resource Locators (URLs)
• Internet protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographs and comparable images
• Any unique identifying number, code, or other similar information.

Importantly, these identifiers must be removed for the individuals as well as their relatives, household members, and employers (when applicable).  Additionally, the covered entity must have no actual knowledge that the remaining information could be used in order to identify the individual.

Note: Zip codes or equivalents must be removed; the first 3 digits of the geographic area to which the zip code applies may be retained if the zip code area contains more than 20,000 people.

2. Statistical Method

In order to be considered de-identified under this method, an individual with knowledge of and experience with generally accepted statistical and scientific methods for rendering information not individually identifiable must provide certification that the data is de-identified.  When making such a determination, the individual should find that the risk is very small that the information could be used (either alone or in combination with other reasonably available information) to identify any individual who is a subject of the data.  Additionally, the methods and results of the analysis must be documented. 

 

---

 

Creating a De-Identified Data Set

Research involving a de-identified data set is not regulated under the Common Rule However, if you or any member of your study team will be accessing PHI in order to create a de-identified data set, the project must comply with HIPAA Privacy Protections.

In order to comply with HIPAA Privacy Protections, you will need to request a Waiver of HIPAA Authorization prior to accessing any PHI.  This means the project will need to be reviewed by the Privacy Board.

To submit a project for Privacy Board review, you will need to complete a Not-Regulated Application thru eResearch.  In addition to the other required sections, you will need to be sure to complete Sections 25-1 and 25-5 of the application.  Once completed and submitted, the application will be forwarded by IRBMED Staff to the Privacy Board for consideration.

 

---

 

Using a De-Identified Data Set

Research using a pre-existing de-identified data set is not regulated under the Common Rule.  However, in order to ensure compliance with HIPAA Privacy Protections, the project should be reviewed by the Privacy Board. 

To submit a project for Privacy Board review, you will need to complete a Not-Regulated Application thru eResearch.  In addition to the other required sections, you will need to complete Sections 25-1 and 25-5 of the application.  Once completed and submitted, the application will be forwarded by IRBMED Staff to the Privacy Board for consideration.