A hospital is preparing a file of treatment information for the state of California.
This file is to be sent to external medical researchers. The hospital has removed SSN, name, phone and other information that specifically identifies an individual. However, there may still be data in the file that potentially could identify the individual. Can the hospital claim ‘safe harbor” and release the file to the researchers?
- A: Yes the hospital’s actions satisfy the “safe harbor” method of de-identification.
- B: No - a person with appropriate knowledge and experience must determine that the information that remains can identify an individual.
- C: No - authorization to release the information is still required by HIPAA.
- D: No - to satisfy “safe harbor the hospital must also have no knowledge of a way to use the remaining data to identify an individual.
- E: Yes - medical researchers are covered entities and “research” is considered a part of “treatment” by HIPAA.