
HIPAA (Health Insurance Portability and Accountability Act)

Identifier

A code or data element that can be used to link research data to an individual. The HIPAA Privacy Rule's Safe Harbor standard for de-identification specifies the 18 identifiers listed below; a dataset that still contains any of them is considered identifiable, and it is de-identified under Safe Harbor only once all 18 have been removed or generalized as described:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
    a. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    b. the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Vehicle identifiers and serial numbers, including license plate numbers
  6. Fax numbers
  7. Device identifiers and serial numbers
  8. Email addresses
  9. Web Universal Resource Locators (URLs)
  10. Social security numbers
  11. Internet Protocol (IP) addresses
  12. Medical record numbers
  13. Biometric identifiers, including finger and voice prints
  14. Health plan beneficiary numbers
  15. Full face photographic images and any comparable images
  16. Account numbers
  17. Any other unique identifying number, characteristic, or code (unless otherwise permitted by the Privacy Rule for re-identification)
  18. Certificate/license numbers

HIPAA: Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule
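The three generalization rules in the list above (ZIP codes cut to three digits, with "000" for sparsely populated prefixes; dates reduced to the year; ages over 89 collapsed into a single "90 or older" category) are the mechanical part of Safe Harbor, and they are easy to get subtly wrong, for example by keeping a birth year that itself reveals an age over 89. The following Python is an added example written for this page, not code from the page, from HHS, or from UNC-Chapel Hill. The record field names, the sample record, and the set of small-population ZIP prefixes are assumptions made for illustration; the authoritative prefix set must be derived from current Census data as the guidance describes. Item 17 (other unique codes) and free-text fields cannot be handled by a rule like this and still need review.

```python
"""Safe Harbor generalization of a single patient record (added example)."""
from __future__ import annotations

from datetime import date
from typing import Any

# ASSUMED for illustration: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. In practice, derive this set from current Census data.
SMALL_ZIP3_PREFIXES = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# ASSUMED field names for the sample record (this example's, not the page's).
# These map to Safe Harbor items 1, 2, 4 to 16 and 18 and are dropped outright.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "url", "ip_address", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "biometric_template", "photo",
})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})
AGE_THRESHOLD = 89  # ages above this collapse into the "90+" category


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or "000" for a small-population prefix."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) not in (5, 9):  # ZIP or ZIP+4
        raise ValueError(f"malformed ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3_PREFIXES else prefix


def age_on(birth_date: date, as_of: date) -> int:
    """Completed years of age on the as_of date."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """Exact age up to 89; everything above becomes the single category "90+"."""
    return "90+" if age > AGE_THRESHOLD else str(age)


def safe_harbor(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a copy of record with the 18 Safe Harbor identifiers removed or generalized."""
    over_89 = False
    dob = record.get("birth_date")
    if isinstance(dob, date) and age_on(dob, as_of) > AGE_THRESHOLD:
        over_89 = True
    if isinstance(record.get("age"), int) and record["age"] > AGE_THRESHOLD:
        over_89 = True

    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # item 1, 2 (sub-state geography), 4 to 16, 18: removed
        if key == "zip":
            out[key] = generalize_zip(value)  # item 2: three digits or 000
        elif key in DATE_FIELDS:
            year = str(value.year) if isinstance(value, date) else None
            # Item 3: the year is kept, except a birth year that would reveal
            # an age over 89, which is itself an element "indicative of such age".
            out[key] = None if (key == "birth_date" and over_89) else year
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value  # non-identifying clinical data passes through
    if over_89:
        out["age"] = "90+"  # the one permitted aggregate for ages over 89
    return out


# Constructed sample record; not real PHI.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Anytown",
    "zip": "27514-1234",
    "birth_date": date(1931, 3, 15),
    "admission_date": date(2023, 11, 2),
    "phone": "919-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "ip_address": "203.0.113.7",
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    for k, v in safe_harbor(SAMPLE_RECORD, AS_OF).items():
        print(f"{k}: {v}")
```

Running it on the constructed record leaves only `zip: 275`, `birth_date: None`, `admission_date: 2023`, `diagnosis_code: E11.9` and `age: 90+`. The check worth noticing is the birth-year rule: for a patient aged 92 the year 1931 is dropped even though item 3 otherwise permits years, because the year combined with an admission year discloses an age over 89. Note that Safe Harbor additionally requires that the covered entity have no actual knowledge that the remaining data could identify the individual; no rule-based filter can supply that judgement.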

Business Associate

A person or organization, other than a member of a HIPAA covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of Protected Health Information (PHI). Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity. HIPAA: Summary of the HIPAA Privacy Rule

Business Associate Agreement (BAA)

A required legal document that defines the relationship, roles and responsibilities of a business associate and a HIPAA covered entity for safeguarding Protected Health Information (PHI) in compliance with the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule. All BAAs accompany some other type of underlying agreement. Typically, the accompanying agreement defines the terms of the relationship between parties, but sometimes, these underlying agreements can be as simple as a purchase order. Both the business associate and HIPAA covered entity are directly liable for HIPAA violations and impermissible disclosures of PHI. The terms within a BAA determine how the parties choose to contract for that liability. HIPAA: Summary of the HIPAA Privacy Rule

If your UNC-Chapel Hill department is using a third-party vendor for any purpose that involves disclosing PHI to that vendor, or that permits the vendor to access or transmit PHI on your or your department's behalf, you need a contract with that vendor that includes a BAA. Questions about how to obtain a BAA should be directed to your unit's Privacy Liaison or to Purchasing. Additional information about obtaining a BAA is available on the UNC-Chapel Hill Institutional Privacy Office (IPO) BAA webpage.