Policy Summary:
Individually identifiable health information pertaining to clients of Heritage Companies must be kept confidential, and only used or disclosed in accordance with HBC policies. However, if the client cannot be identified, the information may be used or disclosed for additional purposes. If information is properly de-identified, it is no longer subject to federal HIPAA Privacy regulations. However, as an additional security measure, HBC should make every effort to limit the use of de-identified information to the purpose for which it was de-identified.
Purpose:
This policy restates the federal rules regarding the de-identification of individually identifiable health information, and its use and disclosure at HBC.
Policy:
- Information that is de-identified is not subject to policies and procedures that limit the use and disclosure of protected health information as required by federal HIPAA Privacy regulations. Individually identifiable health information may be de-identified in either of two ways: the statistical method and the “safe harbor” method.
- Statistical Method:
a. A statistician will review the de-identification procedure. A statistician is a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.
b. Applying such principles and methods, the reviewer will determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
c. The reviewer must document the methods and results of the analysis that justify this determination.
- “Safe harbor” Method: The following identifiers of the individual or of relatives, employers, or household members of the individual are all removed:
a. Names
b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three digits of a zip code if according to the current publicly available data from the Bureau of the Census:
i. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
ii. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
[NOTE: According to 2000 Census data, the following three-digit Zip Code Tabulation Areas (ZCTAs) have a population of 20,000 or fewer persons. To produce a de-identified data set using the safe harbor method, all records with three-digit zip codes corresponding to these three-digit ZCTAs must have the zip code changed to 000. The 17 restricted zip codes are: 036, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893]
c. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
d. Telephone numbers
e. Fax numbers
f. Electronic mail addresses
g. Social security numbers
h. Medical record numbers
i. Health plan beneficiary numbers
j. Account numbers
k. Certificate/License numbers
l. Vehicle identifiers and serial numbers, including license plate numbers
m. Device identifiers and serial numbers
n. World Wide Web Universal Resource Locators (URLs)
o. Internet Protocol (IP) address numbers
p. Biometric identifiers, including finger and voice prints
q. Full face photographic images and comparable images
r. Any other unique identifying number, characteristic, or code (this does not prohibit including in each de-identified record a code to permit the record to be re-identified by use of a key).
- Regardless of which method is used, information is not de-identified if HBC has actual knowledge that the information could be used alone, or in combination with other information, to identify an individual who is a subject of the information. (An example of how an individual might be identified even after removal of all identifying information is an unusual wound reported in a local newspaper. Someone with a de-identified record containing a description of the wound would know the patient’s identity from the newspaper account.)
- Any key that may be used to re-identify the information will be afforded the same protection as would apply to individually identifiable health information. Once de-identified information is reunited with its re-identification key, it will be treated as protected health information. A re-identification key may not be derived from identifiers (for instance, a client identifier that is a concatenation of date of birth and social security number is not allowed).
- De-identified health information may not be created until approved by the Privacy Official. De-identified health information may be used and disclosed only in accordance with the uses and disclosures described in the written request as approved by the Privacy Official.
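The following sketch shows how the zip code, date, age and re-identification key rules above could be applied to a structured record. It is an added example, not HBC's own code; the field names, the `deidentify` helper and the sample record are hypothetical, and the restricted three-digit list is copied from the note in this policy.

```python
import secrets
from datetime import date

# Three-digit ZCTAs exactly as listed in the policy's note (2000 Census data).
RESTRICTED_ZIP3 = {"036", "102", "203", "556", "692", "790", "821", "823",
                   "830", "831", "878", "879", "884", "890", "893"}
# Hypothetical column names for fields that are dropped outright.
DROP = {"name", "street", "city", "county", "phone", "fax", "email",
        "ssn", "mrn", "ip_address", "zip", "birth_date"}
DATE_FIELDS = ("admission_date", "discharge_date")  # hypothetical columns

def generalize_zip(zip_code):
    """Keep the first three digits unless the policy says to use 000."""
    zip3 = str(zip_code).strip()[:3]
    if len(zip3) != 3 or not zip3.isdigit() or zip3 in RESTRICTED_ZIP3:
        return "000"  # malformed input is treated as restricted (assumption)
    return zip3

def age_on(birth, as_of):
    """Age in completed years on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def deidentify(record, as_of, key_map):
    """Return a safe-harbor copy of record; key_map receives code -> MRN."""
    out = {k: v for k, v in record.items() if k not in DROP and k not in DATE_FIELDS}
    out["zip3"] = generalize_zip(record["zip"])
    if age_on(record["birth_date"], as_of) > 89:
        out["age_group"] = "90 or older"  # birth year would reveal the age
    else:
        out["birth_year"] = record["birth_date"].year
    for field in DATE_FIELDS:
        if field in record:
            out[field.replace("_date", "_year")] = record[field].year
    # Random code, not derived from date of birth, SSN or any other identifier.
    code = secrets.token_hex(16)
    key_map[code] = record["mrn"]  # key_map itself must be protected like PHI
    out["record_code"] = code
    return out

# Constructed sample record, not real data.
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-TEST-1",
          "zip": "03601", "birth_date": date(1930, 5, 1),
          "admission_date": date(2024, 3, 15), "diagnosis_code": "J45"}

if __name__ == "__main__":
    keys = {}
    print(deidentify(SAMPLE, date(2024, 6, 1), keys))
```

Fields not named in `DROP` or `DATE_FIELDS` pass through unchanged, so a real data set needs every column reviewed against the identifier list, and free-text fields checked separately.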
Scope/Applicability:
All protected health information, excluding: instances where the client has provided written authorization for the specific disclosure, or when information is disclosed as required by law, accreditation process, for uses by business associates, or by subpoena.
Regulatory Reference:
45 CFR §§ 164.514(a) De-identification of protected health information, (b) Requirements for de-identification of protected health information and (c) re-identification, 164.502(d) Uses and Disclosures of de-identified health information.
Definitions:
Individually identifiable health information is health information including demographic information, that is collected from an individual by a covered entity or employer; which relates to the past, present, or future physical, or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for healthcare to an individual; and that identifies the individual or where it is reasonable to believe the information can be used to identify the individual.
Client means any individual about whom the covered entity has created or received individually identifiable health information.
De-identified protected health information is information that does not identify a specific individual, and for which there is no reasonable basis to believe that the information can be used to identify an individual.
Disclosure with respect to individually identifiable health information, is information, including demographic information, collected from an individual, that
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected health information is individually identifiable health information that is transmitted or maintained by a covered entity in any form or medium.
Health plan. Brief definition: “Health plan” means an individual or group plan that provides, or pays the cost of, medical care.
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies with current HIPAA Privacy regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed.
Policy Authority/Responsible Department:
HBC owners and officers are responsible for enforcement of this policy and for answering any questions regarding the policy.
If you have questions, comments, or concerns pertaining to this document, you may contact us in writing by using the following information:
COMPANY NAME: Heritage Companies
ADDRESS: 7926 East 171st Street
CITY, STATE ZIP: Belton, MO 64012
PHONE: (816) 322 6350
EMAIL: policy@heritagekc.com
CONTACT DEPARTMENT: Human Resources

