LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 500.04 De-Identification of Protected Health Information and Use of Limited Data Sets
 
  PROCEDURES
  1. Requirements for De-identification of Protected Health Information
     
    1. PHI may be de-identified expert determination: a person with the knowledge and experience with accepted statistical and scientific principles and methods for rendering information not individually identifiable and or Safe Harbor: by removing eighteen (18) specific identifiers of the individual or of the relatives, employers or household members of the individual. The eighteen (18) specific identifiers are:
       
      • Names
      • All geographic subdivisions smaller than a state, including: 
         
        • Street address
        • City
        • County
        • Precinct
        • Zip code and equivalent geocode except if the initial 3 digits of zip code:
           
          1. Represents a geographic unit in which combining all zip codes with the same initials contains more than 20,000 people, and
          2. The initial 3 digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to “000”.
             
      • All elements of dates (except year) directly related to an individual, including:
         
        • Birthdate
        • Admission date
        • Discharge date
        • Date of death, and
        • All ages over 89 (including data elements indicative of such age [including year], except when all ages of 90 or older can be aggregated into a single category.
           
      • Telephone numbers
      • Fax numbers
      • E-mail addresses
      • Social Security numbers
      • Medical record numbers
      • Health plan beneficiary numbers
      • Account numbers
      • Certificate/license numbers
      • Vehicle identifiers and serial numbers (including license plate numbers)
      • Devise identifiers and serial numbers
      • Web Universal Resource Locators (URLs)
      • Internal Protocol (IP) Address numbers
      • Biometric identifiers, including finger/voiceprints
      • Full face photographic images and any comparable images
      • Any other unique identifying number, characteristic or code, except for a code of other means of re-identification as described in Section B. below, and
         
    2. DMH has no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.
       
  2. Re-identification Requirements
     
    1. DMH may assign a code or other means of record identification to allow de-identified information to be re-identified provided the following conditions are met:
       
      1. The code or other means of record identification is not derived from or related to information about the individual or capable of being translated.
         
      2. DMH does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism used for re-identification, and
         
      3. DMH determines how and where these codes for re-identification are located and kept secure.
         
    2. Disclosure of the code or other means of record identification is considered a disclosure of PHI. 
       
  3. Requirements for a Limited Data Set
     
    1. A limited data set is information that excludes the following direct identifiers of the individual, or of relatives, employers, or household members of the individual.
       
      • Names
      • Postal address information, other than town, state, and zip code
      • Telephone numbers
      • Fax numbers
      • E-mail addresses
      • Social Security numbers
      • Medical record numbers
      • Health plan beneficiary numbers (such as Medi-Cal numbers)
      • Account numbers
      • Certificate/license numbers
      • Vehicle identifiers and serial numbers, including license plate numbers
      • Web Universal Resource Locators (URLs)
      • Internet Protocol (IP) address numbers
      • Biometric identifiers, including finger and voiceprints
      • Full face photographic images and any comparable images
         
    2. A limited set may retain the following identifiers of the individual, or of the relatives, employers or household members of the individual:
       
      1. Town or city, state and zip code; and
      2. Any element of dates directly related to an individual, including birth date, admission date, discharge date, and date of death.
         
    3. A limited data set may be used or disclosed only for the purposes of research, public health, or health care operations.
       
    4. DMH need not track or account for disclosures of limited data sets in an accounting of disclosures requested by an individual. 
       
  4. Contents of a Data Use Agreement
     
    1. DMH may disclose a limited data set only if the entity receiving the limited data set enters into a written Data Use Agreement with DMH, in accordance with subsection D.2. immediately below, that such entity will use or disclose the Protected Health Information only as specified in the written agreement. 
       
    2. A data use agreement between DMH and the recipient of the limited data set must:
       
      1. Specify who is permitted to use or receive the limited data set.
         
      2. Specify that the limited data set recipient will:
         
        1. Not use or further disclose the information other than as specified in the data use agreement or as otherwise required by law;
        2. Use appropriate safeguards to prevent use or disclosure of the information other than as specified in the data use agreement;
        3. Report to DMH, if DMH is the source of the limited data set, if the recipient becomes aware of any use or disclosure of the information not specified in its data use agreement with DMH;
        4. Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
        5. Not identify the information or contact the individuals whose data is being disclosed.
           
  5. If DMH knows of a pattern of activity or practice of the limited data set recipient that constitutes a material breach or violation of the data use agreement, DMH will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, DMH will:
     
    1. Discontinue disclosure of PHI to the recipient; and
       
    2. Report the problem to the Secretary of the United States Department of Health and Human Services.
       
  6. If DMH receives a limited data set from another covered entity, DMH must abide by the terms of a data use agreement.
     
  7. Document Retention 
     
    1. All documents required to be created or completed under this policy and procedure will be retained for a period of at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later.