Research Use of De-Identified Data

The HIPAA Privacy Rule allows research to be conducted with health information that has been stripped of elements that could identify the subject. However, under HIPAA, the list of “identifiers” is extensive. The following data elements must be stripped for HIPAA de-identification:

  • Names
  • Geographic subdivisions smaller than a state (i.e., no city, no zip code), except for the initial three digits of the zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit contains more than 20,000 people
  • Any date (except year; i.e., no month or day of month)
  • For subjects older than 89 years of age, specific age may not be mentioned
  • Telephone number
  • Fax number
  • E-mail address
  • Social security number
  • Medical record number
  • Health plan beneficiary number
  • Any other account numbers
  • Certificate or license numbers
  • Vehicle identification number
  • Medical device identification or serial number
  • Personal website URL
  • Internet protocol (IP) address
  • Fingerprint, voiceprint, or other biometric identifiers
  • Full-face photographic images
  • Any other unique identifying number, characteristic, or code

To gain access to de-identified information, the investigator should complete the De-Identified Data form and submit it to the IRB Office. The request will be reviewed and the investigator will receive a statement from the IRB office that can be given to the “covered entities” that are holding the needed protected health information.

To acquire health information from BMC for research purposes, present your approved request form to: Ellen Jamieson, Grants Administration, Gambro 2, 617-414-5646. She will direct you to the source of information you need.


July 29, 2012
Primary teaching affiliate
of BU School of Medicine