If you are sharing data with other HIPAA-covered entities or those with whom you have a business associate agreement, a range of data can be shared comfortably. But if you are considering information exchange with a non-covered entity—such as a research center—or for quality reporting or analytics, then you have to go through the process of de-identification. 


In ideal circumstances, any data in question leaving the practice is de-identified before it is out of your hands. There are 2 ways to do this. First, you can take a data set and remove 18 identifiers required under HIPAA. These include such identifiers as names, locale, and Social Security, telephone, and fax numbers.  The information is taken from the medical record and placed into a spreadsheet ready for sharing. You can assign a code that enables you to re-identify the information, but it cannot be related to any identifiers in the data.

The second way to de-identify data is through external verification, whereby a third-party vendor with knowledge of making medical information unidentifiable provides certification that there is a low risk that patients could be recognized.

Choose carefully

Cases in which you might want to use a professional for de-identification certification include:

  • Patients with rare conditions. If only 5 people in the a state have a condition, that, along with other information, might be enough to identify him or her.
  • Collaboration with a group of doctors amassing data to evaluate something like quality and then placing this information on the Web. Steven Waldren, MD, director of the alliance for e-health and innovation at the American Academy of Family Physicians, recommends going through a professional any time the data will be made public.
  • When dealing with conditions like sexually transmitted diseases or other sensitive issues.
  • Identifiable age cohorts. For instance, you might have a handful of patients over age 90 who could be re-identified when data like medical condition or region are included.

Depending upon the data being pulled, de-identification may not even be necessary, such as when you provide numbers related to the prevalence or incidence of disease. In these cases, there should be no identifiers to be removed.

You may have to look twice at data collection, for instance, that calls for information on a particular disease and when patients were seen, co-morbidities, and lab data. This will require some work to ensure anonymity.