HIPAA Compliance and Medical Privacy:
PreViser ID as De-Identified Code

PreViser ID and HIPAA-compliant Privacy

By using the PreViser ID as the only identifying tag for the data transmitted to perform a Risk Calculation, PreViser follows the "safe harbor" method of de-identification, in which all 18 enumerated identifiers are removed from protected health information.

Relevant excerpts from the Privacy Rule are as follows (with emphasis added):

De-Identification of Protected Health Information:
Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

The Privacy Rule permits a covered entity to de-identify protected health information so that such information may be used and disclosed freely, without being subject to the Privacy Rule's protections. Health information is de-identified, or not individually identifiable, under the Privacy Rule, if it does not identify an individual and if the covered entity has no reasonable basis to believe that the information can be used to identify an individual.

The Privacy Rule also allows for the covered entity to assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity, if the code is not derived from, or related to, information about the subject of the information. For example, the code cannot be a derivation of the individual's social security number, nor can it be otherwise capable of being translated so as to identify the individual. The covered entity also may not use or disclose the code for any other purpose, and may not disclose the mechanism (e.g., algorithm or other tool) for re-identification.

The PreViser ID is designated as the code described in the paragraph above, and is the only identifying tag transmitted over the Internet for a Risk Calculation.

Once the data has been transmitted back to your system and is behind the firewall at your practice, the Patient information is "re-identified," that is, linked to that individual's Patient ID and Patient details. From that point on, you need to treat it as protected health information according to HIPAA Privacy Rule standards.
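The pattern described above, as an added example that is not PreViser's code: a practice-side registry issues a random code per patient, only the code and non-identifying fields are sent, and the returned result is re-linked locally. The field names, the `risk_score` result used when calling `reidentify`, and the sample record are constructed; `derived_code` shows the kind of code the excerpt rules out.

```python
import hashlib
import secrets

# Constructed field names; the page does not list the fields actually sent.
IDENTIFYING_FIELDS = {"patient_id", "name", "ssn", "date_of_birth"}
# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"patient_id": "P-1001", "name": "Jane Sample",
                 "ssn": "000-00-0000", "date_of_birth": "1961-04-12",
                 "pocket_depth_mm": 4, "smoker": False}

def derived_code(ssn):
    """Counter-example: a hash of the SSN is derived from the patient, so
    anyone who knows or guesses the SSN can recompute it."""
    return hashlib.sha256(ssn.encode()).hexdigest()

class CodeRegistry:
    """Practice-side lookup table; it stays behind the firewall."""
    def __init__(self):
        self._by_patient, self._by_code = {}, {}

    def code_for(self, patient_id):
        if patient_id not in self._by_patient:
            code = secrets.token_hex(16)  # random, unrelated to patient data
            self._by_patient[patient_id] = code
            self._by_code[code] = patient_id
        return self._by_patient[patient_id]

    def patient_for(self, code):
        return self._by_code[code]

def deidentify(record, registry):
    """Outbound payload: the code plus non-identifying fields only."""
    payload = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    payload["code"] = registry.code_for(record["patient_id"])
    return payload

def leaked_identifiers(payload, record):
    """Identifying fields whose values still appear in the payload."""
    blob = " ".join(str(v) for v in payload.values())
    return sorted(f for f in IDENTIFYING_FIELDS
                  if f in record and str(record[f]) in blob)

def reidentify(result, registry, patients):
    """Inbound: re-link the result locally; the merged record is PHI again."""
    patient = patients[registry.patient_for(result["code"])]
    return {**patient, **{k: v for k, v in result.items() if k != "code"}}
```

Running `leaked_identifiers` on every outbound payload before it leaves the practice gives a simple pre-send check that no identifying value slipped into a free-text or clinical field.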

Next, we will look at the exceptions that must be made if a Patient is age 90 or over.