HIPAA FAQs

De-identified Patient Information

How can I use de-identified patient information?
If the information is truly de-identified under HIPAA, it is not PHI and you do not need an Authorization to use it for classroom and other educational presentations, publications, promotions or other purposes.

How do I know if the information is de-identified?

Ask these questions:
• Does the information include the patient’s name, initials, social security number or medical record number?
• Does the information include any dates relating to the patient, such as patient date of birth, date of treatment, dates of appointments?
• Does the information include geographic identifiers, such as the patient’s address, or even the patient’s town or zip code?
• Does an image (photo or video) show the patient’s face?
• If the image does not show the patient’s face, is it possible to identify the patient from what is shown?
• Does the information or image include any of the 18 HIPAA identifiers? See the complete list in BU HIPAA Policy 1.4, http://www.bu.edu/policies/information-security-home/hipaa_toc/hipaa-basics/
• Does the information include any other element that may be used alone or together with other available information to identify the patient?

If you answer yes to any of these questions, you need an Authorization.

Examples of De-identified Patient Images (No Authorization Needed):
• Video showing the patient’s gait, filmed only from the shoulders down
• Photo or video of the patient walking that shows only the patient’s back
• Images of body parts that are not identifiable

Examples of De-identified Descriptions (No Authorization Needed):

73-year-old, active woman underwent a routine cardioversion for atrial fibrillation but developed multiple complications, including sepsis and respiratory failure, resulting in weakness.

Patient is a 30-year-old female with a history of right-sided headaches, after a motor vehicle accident, which occurred 1 month ago. Since the accident she reports having constant headaches. Her pain is described as a dull ache. The pain is located in the neck, back of the head, and it sometimes travels to the front of the head and into the eye. She reports daily headaches that can last anywhere from 30 minutes to hours.

Example of an Identifiable Description (Authorization Needed):

Ms. Wilson was born in July of 1953 and has worked for 40 years as a welder. Her COPD was first diagnosed in 2007. In the last quarter of 2017, she had a series of 3 COPD exacerbations. These exacerbations required medical intervention with antibiotic treatment and oral steroids; she was hospitalized at Boston Medical Center briefly during the last event.

Key Definitions

PHI: For this purpose, assume PHI is any information GSDM has about any of its patients. This includes registration and payment data, demographics, the patient medical record, oral information, photos, other images and audio/video records.
De-identified PHI: PHI from which you have removed patient name, dental record number, address, contact information and all dates (DOB, treatment dates, etc.). See the complete list at BU HIPAA Policy 1.4: http://www.bu.edu/policies/information-security-home/hipaa_toc/hipaa-basics/
Patient Authorization: A signed form in which the patient gives authorization for his/her PHI to be used for a purpose other than treatment, payment and health care operations.
Minimum Necessary Rule: Always use the minimum amount of patient information needed.