Q&A: General comments and the HIPAA Privacy Rule
Q: I work in a pharmacy. One of the pharmacists the other day said that it was a violation of the HIPAA Privacy Rule to make a comment while working that “we’ve seen a lot of flu cases.” Is this really a violation?
A: No, this is not a HIPAA violation. This is a general comment that does not identify any individual. The HIPAA Privacy Rule allows covered entities to freely share de-identified data, that is, data from which all of the following 18 specific identifiers of individuals and of their relatives, employers, or household members have been removed:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, or ZIP code (the first three digits of the ZIP code may be used if the geographic unit contains more than 20,000 people)
- All elements of dates (except year) for birthdate, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs
- IP address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographs
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.