§ 9. PROCEDURE FOR DEIDENTIFICATION OF PHI.
   (A)   The department and the village have a duty to protect the confidentiality and integrity of PHI as required by law, professional ethics, and accreditation requirements. Whenever possible, de-identified PHI should be used. De-identified PHI is rendered anonymous when identifying characteristics are completely removed. PHI must be de-identified prior to disclosure to non-authorized users. This policy defines the guidelines and procedures that must be followed for the de-identification of PHI.
   (B)   All workforce members must strictly observe the following standards relating to the de-identification of PHI:
      (1)   De-identification requires the elimination not only of primary or obvious identifiers, such as the patient's name, address, date of birth (DOB), and treating physician, but also of secondary identifiers through which a user could deduce the patient's identity. For information to be de-identified, the following identifiers of the individual (or of relatives, employers, or household members of the individual) must be removed:
         (a)   Names;
         (b)   Address information smaller than a state, including street address, city, county, zip code (except if by combining all zip codes with the same initial three digits, there are more than 20,000 people);
         (c)   Names of relatives and employers;
         (d)   All elements of dates (except year), including DOB, admission date, discharge date, date of death; and all ages over 89 and all elements of dates including year indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
         (e)   Telephone numbers;
         (f)   Fax numbers;
         (g)   Email addresses;
         (h)   Social Security Number (SSN);
         (i)   Medical record number;
         (j)   Health beneficiary plan number;
         (k)   Account numbers;
         (l)   Certificate/License Number;
         (m)   Vehicle identifiers, including license plate numbers;
         (n)   Device ID and serial number;
         (o)   Uniform Resource Locator (URL);
         (p)   Internet Protocol (IP) addresses;
         (q)   Biometric identifiers;
         (r)   Full face photographic images and other comparable images; and
         (s)   Any other unique identifying number, characteristic, or code.
      (2)   Whenever possible, de-identified PHI should be used for quality assurance monitoring and routine utilization reporting.
      (3)   PHI used for research, including public health research, should be de-identified at the point of data collection for research protocols approved by the IRB, unless the participant voluntarily and expressly consents to the use of his or her personally identifiable information or an IRB waiver of authorization is obtained.
      (4)   If an authorized user wishes to encrypt PHI when creating de-identified information, the authorized user must ensure that:
         (a)   The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
         (b)   Anyone involved in the research project does not use or disclose the code or other means of record identification and does not disclose the mechanism to accomplish re-identification.
      (5)   If removal of any identifiers is not practical or does not meet business needs, and the use of PHI is still required, approval must be obtained from the Privacy Officer, without exception.
   (C)   The department's Privacy Officer is responsible for enforcing this policy, and shall be entitled to the assistance of the Village Manager in doing so, if such assistance should be needed. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process under this policy and the applicable ordinances of the village, up to and including termination or dismissal.
(Ord. 0030-03, passed 4-2-03)