



HIPAA PHI Identifiers and Definitions

Harvard Professor Re-Identifies Anonymous Volunteers In DNA Study

Privacy & Security

“Res Non Verba” – Dan Picart


List of 18 Identifiers and Definition of PHI

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).

There are also additional standards and criteria to protect individuals' privacy from re-identification. Any code used to replace the identifiers in datasets cannot be derived from any information related to the individual or the master codes, nor can the method to derive the codes be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all of the 18 identifiers were removed.
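The identifier list and the coding rule above can be applied mechanically to a record. The following Python is an added example written for this page, not code from the page or from any HIPAA guidance. It assumes the field names shown, and the set of restricted three-digit ZIP prefixes is a constructed placeholder: in practice it must be loaded from the current publicly available Census data.

```python
"""HIPAA Safe Harbor de-identification of a record, plus assignment of a study
code that is not derived from the subject. Added illustrative example."""
import re
import secrets
from datetime import date

# ASSUMPTION: the three-digit ZIP prefixes whose combined population is 20,000
# or fewer must come from current Census data. These entries are constructed
# placeholders for this example only.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Field names are assumptions for this example; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vin", "device_id", "url", "ip",
    "biometric", "photo",
}
DATE_FIELDS = ("admit_date", "discharge_date", "death_date")


def generalize_zip(zip_code):
    """Keep the first three digits; use 000 if that prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_of(iso_date):
    """Dates directly related to an individual keep only the year."""
    return int(iso_date[:4]) if iso_date else None


def age_on(iso_birth, iso_ref):
    """Completed years between two ISO dates (YYYY-MM-DD)."""
    if not iso_birth:
        return None
    b, r = date.fromisoformat(iso_birth), date.fromisoformat(iso_ref)
    return r.year - b.year - ((r.month, r.day) < (b.month, b.day))


def safe_harbor(record, as_of):
    """Return a copy of `record` with the 18 identifier classes removed or generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = generalize_zip(out.pop("zip", None))
    birth = out.pop("dob", None)
    age = age_on(birth, as_of)
    if age is not None and age > 89:
        # Ages over 89, and any date element (including year) indicative of
        # such an age, collapse into the single category "90+".
        out["age"], out["birth_year"] = "90+", None
    else:
        out["age"], out["birth_year"] = age, year_of(birth)
    for field in DATE_FIELDS:
        out[field.replace("_date", "_year")] = year_of(out.pop(field, None))
    return out


def assign_study_code(record, master_table):
    """Replace identity with a random code. The code is not derived from the
    subject (initials or an MRN digest would not be acceptable), and the
    code-to-identity mapping lives only in the separately held master table."""
    code = secrets.token_hex(8)
    master_table[code] = {"mrn": record.get("mrn"), "name": record.get("name")}
    return code


if __name__ == "__main__":
    # Constructed sample record for the example.
    sample = {"name": "Jane Roe", "mrn": "MRN-0001", "zip": "02138-1234",
              "dob": "1975-06-30", "admit_date": "2013-04-02",
              "discharge_date": "2013-04-09", "death_date": None, "dx": "J18.9"}
    master = {}
    row = safe_harbor(sample, "2013-07-01")
    row["study_id"] = assign_study_code(sample, master)
    print(row)
```

Note that Safe Harbor is a necessary step, not a sufficient one: the text above still requires that the researcher have no actual knowledge that the remaining fields could re-identify a subject, which no transformation function can check for you.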

Definition: What is PHI? Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations. For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or a new drug or device for treating a health condition, create PHI that will be entered into the medical record. For example, sponsored clinical trials that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.

What is not PHI? In contrast, some research studies use data that is person-identifiable because it includes personal identifiers such as name and address, but it is not considered to be PHI because the data are not associated with or derived from a healthcare service event (treatment, payment, operations, medical records), are not entered into the medical records, and the subject/patient will not be informed of the results. Research health information that is kept only in the researcher's records is not subject to HIPAA but is regulated by other human subjects protection regulations.

Also note, health information by itself without the 18 identifiers is not considered to be PHI. For example, a dataset of vital signs by itself does not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials.

Examples of research health information not subject to HIPAA include such studies as the use of aggregate data, diagnostic tests that do not go into the medical record because they are part of a basic research study and the results will not be disclosed to the subject, and testing done without the PHI identifiers. Some genetic basic research can fall into this category, such as the search for potential genetic markers, promoter control elements, and other exploratory genetic research. In contrast, genetic testing for a known disease that is considered to be part of diagnosis, treatment and health care would be considered to use PHI and is therefore subject to HIPAA regulations.


45 CFR 164.312 Technical safeguards.

A covered entity must, in accordance with § 164.306:

(a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.


Notes-Links

HIPAA Administrative Simplification Regulation Text March 2013

Medicare & Medicaid EHR Incentive Program Registration & Attestation System

The Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs will provide incentive payments to eligible professionals and eligible hospitals as they demonstrate adoption, implementation, upgrading, or meaningful use of certified EHR technology. These incentive programs are designed to support providers in this period of Health IT transition and instill the use of EHRs in meaningful ways to help our nation to improve the quality, safety, and efficiency of patient health care. This web system is for the Medicare and Medicaid EHR Incentive Programs. Those wanting to take part in the program will use this system to register and participate in the program. (Visit website)


The HIPAA Privacy Rule's Right of Access and Health Information Technology

The Privacy Rule allows covered entities to require that individuals make requests for access in writing, provided they inform individuals of such a requirement. See 45 C.F.R. § 164.524(b)(1). In addition, the Privacy Rule has always considered electronic documents to qualify as written documents. Thus, the Privacy Rule supports covered entities' offering individuals the option of using electronic means (e.g., e-mail, web portal) to make requests for access. (Click to Read More)


Guidelines for Media Sanitization Draft NIST Special Publication 800-88  Recommendations of the National Institute of Standards and Technology The modern storage environment is rapidly evolving. Data generated by one organization may pass through systems and storage media of multiple other organizations before arriving at rest in the final destination. The pervasive nature of data propagation is only increasing as the Internet and data storage systems move towards a distributed cloud-based architecture. As a result, more parties than ever are responsible for effectively sanitizing media and the potential is substantial for sensitive data to have been collected and retained on the media. This responsibility is not limited to those organizations that are the originators or final resting places of sensitive data, but also intermediaries who transiently store or process the information along the way. The efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data.  (Read More)    

Guidelines for Managing and Securing Mobile Devices In the Enterprise (DRAFT) Special Publication 800-124 Recommendations of the National Institute of Standards and Technology Mobile devices, such as smart phones and tablets, typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. The purpose of this publication is to help organizations centrally manage and secure mobile devices. Laptops are out of the scope of this publication, as are mobile devices with minimal computing capability, such as basic cell phones. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The scope of this publication includes securing both organization-provided and personally-owned (bring your own device) mobile devices. (Read More)

HIPAA Security Rule Toolkit The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise.  (See Tool Page and Download)


Harvard Professor Re-Identifies Anonymous Volunteers In DNA Study

Harvard Professor Latanya Sweeney

A Harvard professor has re-identified the names of more than 40% of a sample of anonymous participants in a high-profile DNA study, highlighting the dangers that ever greater amounts of personal data available in the Internet era could unravel personal secrets. From the onset, the Personal Genome Project, set up by Harvard Medical School Professor of Genetics George Church, has warned participants of the risk that someone someday could identify them, meaning anyone could look up the intimate medical histories that many have posted along with their genome data. That day arrived on Thursday.

Professor Latanya Sweeney, director of the Data Privacy Lab at Harvard, along with her research assistant and two students scraped data on 1,130 people of the now more than 2,500 who have shared their DNA data for the Personal Genome Project. Church's project posts information about the volunteers on the Internet to help researchers gain new insights about human health and disease. Their names do not appear, but the profiles list medical conditions including abortions, illegal drug use, alcoholism, depression, sexually transmitted diseases, medications and their DNA sequence.

Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three key pieces of information she needs to identify anonymous people combined with information from voter rolls or other public records. Of these, Sweeney succeeded in naming 241, or 42% of the total. The Personal Genome Project confirmed that 97% of the names matched those in its database if nicknames and first name variations were included. She describes her findings here.

Sweeney has also set up a web page for anyone to test how unique their birthdate, gender and zip are in combination. When I tried it, I was the only match in my zip code, suggesting that I, like so many others, would be easy to re-identify. "This allows us to show the vulnerabilities and to show that they can be identified by name," she said. "Vulnerabilities exist but there are solutions too." (Personal disclosure: I work closely with Professor Sweeney in the Harvard Department of Government on topics related to my book research on the business of personal data, but was not involved with this study).

On Thursday, researchers and participants in the Personal Genome Project gathered in Boston for a conference timed to mark the 60th anniversary of James Watson and Francis Crick's publication of their discovery of the DNA double helix structure in April 1953. Sweeney and her research assistant set up a table at the conference where participants could find out whether they could easily be identified. Sweeney sought not to out the study participants, but rather to demonstrate to them how providing a little less information, for example, just birth year rather than exact birth date, and three digits rather than five or nine from the zip code, could help preserve anonymity for participants.

Several participants said they expected someone would one day re-identify them and said they were not particularly concerned. Volunteer Gabriel Dean said he was far more worried about another future threat forecast by the experiment, that one day criminals might be able to replicate DNA and place some at the scene of a crime. The conference took place a few blocks from the scene of the Boston Marathon bombing earlier this month.

Another "outed" participant, James Smith, a 59-year-old who lives outside Chicago, says he has an additional layer of protection because his name is so common. He said his genetic testing showed he had a greater possibility of developing Alzheimer's disease than a typical person, but said he was "not worried about job discrimination, I'm not worried about health care," he said. Smith is independently wealthy after having sold his company to Yahoo. "I'm retired."

Volunteer Lenore Snyder, however, said that she did not want to be identified and as a result did not provide her zip code and some other identifying characteristics in her profile. She said her genetic testing suggests she has an intellectual disability, even though she is a molecular biologist with a PhD. "People don't know how to interpret this," she said. "It's dangerous. A little bit of information is dangerous."

Sweeney's latest findings build on a 1997 study she did that showed she could identify up to 87% of the U.S. population with just zip code, birthdate and gender. She was also able to identify then Massachusetts Gov. William Weld from anonymous hospital discharge records.

The same techniques could be used to identify people in various surveys and records, pharmacy purchases, or from a wide variety of seemingly anonymous activities such as Internet searches. Figuring out clues about people could also enable identity theft. "I believe that many people in the current interconnected digital world are not aware of how easy it is to identify them with a high level of granularity," says Keith Batchelder, the founder of Genomic Healthcare Strategies in Charlestown, Massachusetts, and one of the first ten volunteers in the Personal Genome Project.

Church, who maintains a thick mountain-man beard, says that advances in data and in medicine make it impossible to guarantee anonymity for most medical experiment volunteers. Church has participated as a volunteer himself in past medical studies and scoffs at claims that such data can remain anonymous. Every year his university sends him an anonymous survey. He scribbles in some additional information at the beginning of the form. "My name is George Church, you could figure that out anyway," he writes.

His Personal Genome Project makes no privacy promises at all. "The Personal Genome Project is a new form of public genomics research and, as a result, it is impossible to accurately predict all of the possible risks and discomforts that you might experience," the 24-page consent form tells users. Later it specifies some possible risks: "The data that you provide to the PGP may be used, on its own or in combination with your previously shared data, to identify you as a participant in otherwise private and/or confidential research."

Volunteers take an online exam about the risks they face before they are allowed into the program. And the test does not pose a universal "you do understand the risks" question. It has 20 questions and he requires a perfect score. Potential volunteers can take the test as many times as they want until they pass. One person took the test 90 times before passing.

Given what Church sees as the flaws in preserving privacy in the Internet age, he has embraced openness about many aspects of his own history. On his personal home page he posts the exact coordinates of his home, his birthdate and parents, medical problems (heart attack, carcinoma, narcolepsy, dyslexia, pneumonia, motion sickness) and even a copy of the 1976 letter booting him out of Duke University for getting an F in his graduate major.

Many of the early participants in the Personal Genome Project share the same 'let it all hang out' ethos. Volunteer Steven Pinker, a well-known experimental psychologist and author of the 2011 book "The Better Angels of Our Nature," posts his genome and a 1996 scan of his brain on his web page. He says even data as in depth as his genome and medical records does not provide especially deep insights into a person. "There just isn't going to be an 'honesty gene' or anything else that would be nearly as informative as a person's behavior, which, after all, reflects the effect of all three billion base pairs and their interactions together with chance, environmental effects, and personal history," he says. "As for the medical records, I just don't think anyone is particularly interested in my back pain."

Could companies use medical information to single out people to deny them services? Might a bank, for example, turn down a loan to someone because their health records suggest they may die at a young age? Even though Church expected re-identification of his volunteers, he does not think so. "These companies are not yet highly motivated to do that and probably judging from the way the winds blowing on the Genetic Information Nondiscrimination Act they would be ill advised to do that from a public relations standpoint," he says, referring to the 2008 law.

In a different study released earlier this year, researcher Yaniv Erlich at the Whitehead Institute for Biomedical Research in Cambridge, Massachusetts, was also able to re-identify almost 50 people participating in a different genomic study. He said that he does not know of anyone who has suffered harm to date from such re-identifications, but pointed out the current ethical debate "emerged from the very bad history of the field in the first half of the 20th century, where bad genetic and abundance of records of familial genealogy contributed to one of the most horrific crimes."

Misha Angrist, an assistant professor of the practice at the Duke Institute for Genome Sciences & Policy and one of the original ten to participate in the Personal Genome Project, praises the re-identification experiments by researchers such as Sweeney and Erlich. "It is a nuisance to scientists who are trying to operate under the status quo and to tell their participants with a straight face, you know, it's very unlikely that you will be identified," he says. "It is useful for pointing out that the emperor has no clothes, that absolute privacy and confidentiality are illusory."
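The attack Sweeney describes, linking the quasi-identifiers in a "de-identified" release (zip code, date of birth, gender) against a public voter roll, is small enough to show in code. The following Python is an added example with constructed data (no real people or records) and is not part of the article. It also shows why the reduction she recommends, releasing only the three-digit zip prefix and the birth year, shrinks the number of records that match exactly one name.

```python
"""Linkage re-identification on (zip, date of birth, sex) against a public
roll, and the effect of generalizing those fields. Added illustrative example."""
from collections import defaultdict

# Constructed sample data for the example; every name and record is invented.
# A "de-identified" release: names removed, quasi-identifiers and conditions kept.
RELEASE = [
    {"zip": "02138", "dob": "1961-04-12", "sex": "F", "condition": "depression"},
    {"zip": "02138", "dob": "1975-06-30", "sex": "M", "condition": "alcoholism"},
    {"zip": "02139", "dob": "1975-06-30", "sex": "M", "condition": "narcolepsy"},
    {"zip": "02139", "dob": "1980-01-05", "sex": "F", "condition": "asthma"},
    {"zip": "02139", "dob": "1961-11-02", "sex": "F", "condition": "chlamydia"},
    {"zip": "02139", "dob": "1980-09-17", "sex": "F", "condition": "migraine"},
]
# A public voter roll: names alongside the same quasi-identifiers.
VOTERS = [
    {"name": "Alice Example", "zip": "02138", "dob": "1961-04-12", "sex": "F"},
    {"name": "Bob Example",   "zip": "02138", "dob": "1975-06-30", "sex": "M"},
    {"name": "Carl Example",  "zip": "02139", "dob": "1975-06-30", "sex": "M"},
    {"name": "Dana Example",  "zip": "02139", "dob": "1980-01-05", "sex": "F"},
    {"name": "Dee Example",   "zip": "02139", "dob": "1980-09-17", "sex": "F"},
    {"name": "Eve Example",   "zip": "02139", "dob": "1961-11-02", "sex": "F"},
]


def exact_key(r):
    """Full zip, full date of birth, sex: the three fields the attack needs."""
    return (r["zip"], r["dob"], r["sex"])


def generalized_key(r):
    """Only the zip3 prefix and the birth year, as the article suggests."""
    return (r["zip"][:3], r["dob"][:4], r["sex"])


def index(rows, key):
    """Group rows into equivalence classes sharing the same key."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[key(r)].append(r)
    return buckets


def link(release, voters, key):
    """For each released row, the voter names sharing its quasi-identifiers."""
    by_key = index(voters, key)
    return [(r["condition"], [v["name"] for v in by_key.get(key(r), [])])
            for r in release]


def uniquely_identified(release, voters, key):
    """Released rows that map to exactly one name: the attacker's yield."""
    return sum(1 for _, names in link(release, voters, key) if len(names) == 1)


def min_k(rows, key):
    """Size of the smallest equivalence class: the release's k-anonymity."""
    return min(len(b) for b in index(rows, key).values())


if __name__ == "__main__":
    for label, key in (("exact", exact_key), ("zip3 + year", generalized_key)):
        print(label, "k =", min_k(RELEASE, key),
              "named:", uniquely_identified(RELEASE, VOTERS, key))
        for condition, names in link(RELEASE, VOTERS, key):
            print("  ", condition, "->", names)
```

With the full fields every released row maps to exactly one voter; with zip3 and birth year each row shares its class with a second person, so no single name can be attached. On a real population the classes are far larger, but the computation an attacker runs is the same join.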


Step-by-step guide on how to protect your network from spam - Author: edfisher

Intro
Spam, or more accurately Unsolicited Commercial Email, is still on the rise, with some estimates measuring it at 90% of all email traffic. It's a nuisance for users, a storage nightmare for admins, and often a vector for phishing attacks and malware. Using a defense in depth approach, this article provides steps an email administrator can take to protect their network from spam.

Step one-user training
Users should be educated on how their actions can lead to or reduce the amount of spam destined for their inbox. Using corporate email for personal use, subscribing to mailing lists, registering their email address for promotions and giveaways, and forwarding chain mails are all vectors that can lead to spam. Consider disabling HTML support to prevent downloads that can confirm an address is valid, as well as to reduce the risk of email based malware.

Step two-web content
Spammers frequently scan websites looking for embedded email addresses in contact information. Raise awareness with your web developers and establish a policy that all email addresses in web pages should be masked using JavaScript or other encoding that allows a person to click or read the address, but makes it more difficult for a spider to harvest it. Use contact forms when possible instead of displaying email addresses.

Step three-tighten up your SMTP gateway
Disabling the verify command (VRFY) on your SMTP gateway makes it that much harder for spammers to check for valid email addresses. If supported, implement a delay before your server responds to a request with its banner. Legitimate email servers will wait for the 220 response before trying to send email, while many programs/scripts used by spammers will not. Your server can then drop email from this misbehaving sender. If your SMTP gateway supports Quit detection, configure it to drop email that it receives from a host that doesn't close the session properly. Legitimate email servers end a session with the QUIT command, but many programs/scripts used by spammers

Step four-Check for MX and SPF
Email servers that can receive mail should all have valid MX records in DNS. Those that send email should also have SPF records. Sender Policy Framework (SPF) records are TXT records in a DNS zone that list servers authorized to send email on behalf of a domain. Configure your SMTP gateway to check for MX and SPF records when accepting an email to verify the sending domain of the From address matches what is in DNS. You may have to soft fail some messages until SPF gains in popularity, but this can help later lines of defense to identify spam.

Step five-Configure limits on your incoming SMTP gateway
Configure your email server to limit the number of addressees in an individual message, the total number of messages from a specific IP address during a set time, and to automatically reject any email from source IP addresses that violate these limits.

Step six-Implement quality filtering software
Software should be added to the email system to perform anti-spam and anti-malware checks on messages before they get to the user's inbox. Look for features like reputation checking, keyword checking, Bayesian filtering, DNS blocking lists, attachment spam blocking, robust logging, archiving, and white/black/greylisting. You want software that can minimize false positives, maximize successful blocking, and that can be configured to always pass key communications from business partners if necessary. The software should also support user self-service for checking/releasing email, and recommendations for whitelisting to reduce the administrative

Step seven-Keep your mail clients up to date
Many email clients have their own junk mail or spam filters and a special folder for storing messages identified as spam. It is critical to keep up with patches and updates to these client-based filters. Better server-based filtering solutions can work with the client software to deliver email identified as possible spam to the user's junk mail folder for easier user self-service.

Step eight-Ensure your systems are not a part of the problem
Spammers love to take advantage of legitimate email systems to send their messages. Make certain that your system is not an open relay. Use MX and SPF records for all your outgoing traffic. Select filtering software that can perform the same services on outgoing email as it does for incoming, and set sensible limits on the number of emails a user can send, and the number of recipients on a single message. If your company uses mailing lists, make sure that they only use "opt-in" mailing lists that comply with the requirements of the CAN-SPAM Act of 2003. Act immediately on unsubscribe requests, and make sure that you remove addresses from the list that generate NDRs. Periodically requesting subscribers to confirm their opt-in also helps to ensure your emails are not viewed as spam.

Links
MailRadar Open relay
Email address munger/encoder http://www.addressmung
Tips to protect your network from
can be found at
GFI anti-spam solution software

This guest post was provided by Ed Fisher
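As an added example for steps three through eight (not code from the guest post or from GFI), the following Python evaluates an SPF record for the sender's domain and derives the gateway decision the article describes: reject hard failures, soft-fail or tag the rest for later filtering stages. The DNS records are a constructed table embedded inline; a real gateway would resolve them. This toy evaluator handles only the ip4, a, mx, include and all mechanisms (no redirect modifier, no macros, no ip6), which is enough to show the logic.

```python
"""SPF evaluation at an SMTP gateway. Added illustrative example; DNS data
below is constructed for the example and belongs to no real domain."""
import ipaddress

DNS = {
    "TXT": {
        "example.com": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail-provider.example -all"],
        "partner.example": ["v=spf1 a ~all"],
        "nospf.example": ["some unrelated txt record"],
        "_spf.mail-provider.example": ["v=spf1 ip4:198.51.100.10 -all"],
    },
    "A": {"partner.example": ["203.0.113.5"], "mx1.example.com": ["198.51.100.25"]},
    "MX": {"example.com": ["mx1.example.com"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """The domain's v=spf1 TXT record, or None when it publishes none."""
    for txt in DNS["TXT"].get(domain, []):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def ip_in(ip, cidr):
    """True when ip falls inside cidr (a bare address means a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, client_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    if depth > 10:  # guard against include loops; a real evaluator returns permerror
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name == "ip4" and ip_in(client_ip, arg):
            return QUALIFIER[qual]
        if name == "a" and client_ip in DNS["A"].get(arg or domain, []):
            return QUALIFIER[qual]
        if name == "mx":
            for mx in DNS["MX"].get(arg or domain, []):
                if client_ip in DNS["A"].get(mx, []):
                    return QUALIFIER[qual]
        if name == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"  # no mechanism matched and no "all" term


def gateway_decision(mail_from, client_ip):
    """Gateway policy: reject hard failures; accept but tag soft failures and
    domains without SPF so later filters can weigh them; accept the rest."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(domain, client_ip)
    if result == "fail":
        return "reject", result
    if result in ("softfail", "none"):
        return "accept-tag", result
    return "accept", result


if __name__ == "__main__":
    for sender, ip in (("alice@example.com", "192.0.2.7"),
                       ("alice@example.com", "203.0.113.9"),
                       ("bob@partner.example", "203.0.113.6"),
                       ("carol@nospf.example", "198.51.100.99")):
        print(sender, ip, "->", gateway_decision(sender, ip))
```

The "accept-tag" branch is the soft fail the article anticipates: until senders publish SPF widely, rejecting on "none" would bounce legitimate mail, but the result is still worth passing to the filtering software in step six as one more input.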

Wrap up Used together, these eight simple steps will help protect your network from spam, your users from malware, and greatly reduce the amount of junk email that reaches your users’ inboxes, takes up valuable storage space, and adds to the load on your servers. Would you like to know more?


Recpr premier issue jul 2013