UC Berkeley IDs its interpretation of identifiers.
When you’re facing the wrath of auditors – or worse – it’ll be too late to know what constitutes a HIPAA data breach and what doesn’t.
Good news: There are 18 “identifiers” that the feds feel constitute a HIPAA breach, according to the University of California, Berkeley Research Administration and Compliance Office (RAC).
Get ahead of the curve with this quick trip down data breach lane, replete with the identifiers the feds look at most closely when considering HIPAA violations.
According to RAC, these are the areas medical offices should be most concerned about when protecting their patients’ HIPAA rights:
(NOTE: This is not a comprehensive list of “identifiers;” these are merely the areas that most affect patients’ privacy concerns, as opposed to staff and business associates.)
Also, if your practice codes patient information to protect privacy and then uses it in datasets, there are separate standards, RAC reports.
See also: Keep Feds Abreast Of All HIPAA Breaches
“Any code used to replace the identifiers in datasets cannot be derived from any information related to the individual and the master codes,” according to RAC.
Example: You cannot use a patient’s initials to code her data because the initials are derived from the patient’s name.
Best bet: Make sure you don’t have any holes in your HIPAA compliance. Check out the full list of HIPAA identifiers at http://cphs.berkeley.edu/hipaa/hipaa18.html.