You asked: “We are an employee benefits broker and we have a client that is requesting a regular report be provided to them on the various types of customer service we are providing to their employees. They want this report to include the information/situation we have received or are working on for the employee, with the exception of the employee’s name and/or dependent’s names. If we provide them with the personal information/notes we have collected from the employee are we breaking any type of HIPAA regulation, even though the basic identification information is not being provided?”
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is complex, at best. Without more specific details about your situation, I can’t give you a definitive answer. However, you may find the following information helpful. . . .
According to the U.S. Department of Health and Human Services (HHS), there are no restrictions on the use or disclosure of de-identified health information. De-identified information neither identifies nor provides a reasonable basis to identify an individual.
Is it reasonable to assume the employer will not be able to identify the employee, even with basic identifiers removed? If so, what must be removed to consider the information de-identified? HHS says, “There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used alone or in combination with any other information to identify the individual.”
Those specified identifiers, considered Protected Health Information (PHI), are more than just name and address. HHS posts a lengthy list including: name, address (including street, city, county, zip code, and equivalent geocodes), names of relatives, birth date, telephone/fax numbers, e‐mail addresses, social security number, medical records number, health plan beneficiary number, account number, certificate/license number, any vehicle or other device serial number, URL, Internet Protocol (IP) address number, finger or voice prints, photographic images, or any other unique identifying number, character, or code.
For more information on HIPAA regulations, visit the HHS website by clicking here.
Don’t forget to send your questions to firstname.lastname@example.org. If you’d like email notification of all blog updates, just click the follow button at the bottom of the window.
The information provided on this web site is for informational purposes only and not for the purpose of providing legal advice. Use of and access to this Web site do not create an attorney-client relationship between East Coast Risk Management or Cara Mia Londino and the user or browser.