The following is an extract from the document dated April 11, 2003. It can be found on the website for the CDC, www.cdc.gov . Based upon this definitional extract, the services provided by www.PsychBedFinder.com do not fall within the guidelines defining Personal Health Information (PHI). However, all reasonable efforts have been taken to ensure that information and activity contained by or transacted with www.PsychBedFinder.com is safeguarded.
Types of Health Information Protected Health Information The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to
If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.
De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not coveredby the Privacy Rule. De-identifying can be conducted through box3' statistical de-identification --- a properly qualified statistician using accepted analytic techniques concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information or the safe-harbor method --- a covered entity or its business associate de-identifies information by removing 18 identifiers (see Box 2 below) and the covered entity does not have actual knowledge that the remaining information can be used alone or in combination with other data to identify the subject In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.
Health information in a limited data set is not directly identifiable, but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers (See Box 3 below) A data-use agreement must establish who is permitted to use or receive the limited data set, and provide that the recipient will not use or disclose the information other than as permitted by the agreement or as otherwise required by law; use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement; report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware; ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and not attempt to re-identify the information or contact the individual.
