HIPAA Rules
Under the HIPAA Omnibus Rule, privacy protections that prevent the release of protected health information apply to a larger group than in the past. Both health care providers and other entities like electronic health record systems or registry vendors must also comply with HIPAA regulations.
What’s Affected
Protected patient information includes anything in the medical or designated record set that can be used to identify an individual. It also includes information created, used or disclosed in the course of providing a health care service, such as diagnosis or treatment.
What this Means for Presenters
You are responsible to ensure your presentation, paper or poster complies with HIPAA regulations.
- You can report on data that may include age, race/ethnicity/gender and geographic locations that meet the limitations above, but the fewer identifiers the better.
- Select only those identifiers most scientifically relevant to your research.
- Only show a patient’s face or enough of the face to identify the patient if you have obtained the appropriate release to do so. You must obtain a signed, written release from the patient or guardian allowing the photo or other image to be used for the purpose of presentation and dissemination.
- Releases for any and all photos that identify the patient must state, “I knowingly waive my privacy rights under HIPAA for the purpose of this agreement.”
Identifiers to Avoid
Avoid using the following in your presentation, paper or poster. They may reveal individual patient identities.
- Names.
- All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Phone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Website addresses (e.g., http://www.....).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic or code. (Note: This does not mean the unique code assigned by the investigator to code the data.)
NOTE: You and your co-presenters are responsible for HIPAA privacy compliance, not the American Academy of Ophthalmology.