ContextQMD
Back to Claude Scientific Skills

HIPAA Compliance Checklist for Clinical Reports

scientific-skills/clinical-reports/assets/hipaa_compliance_checklist.md

2.38.011.5 KB
Original Source

HIPAA Compliance Checklist for Clinical Reports

18 HIPAA Identifiers - De-identification Checklist

Verify that ALL of the following identifiers have been removed or altered:

  • 1. Names - Patient name, family members, healthcare providers (unless necessary and consented)

  • 2. Geographic subdivisions smaller than state

    • No street addresses
    • No cities (unless >20,000 population and part of ZIP can be kept if >20,000)
    • No counties
    • First 3 digits of ZIP code acceptable only if geographic unit >20,000 people
    • All other portions of ZIP codes removed

  • 3. Dates (except year)

    • No exact dates of birth (year only acceptable; year of birth for those >89 must be aggregated)
    • No admission dates
    • No discharge dates
    • No dates of service
    • No dates of death
    • Use relative time periods (e.g., "3 months prior") or years only

  • 4. Telephone numbers

    • No phone numbers of any kind
    • Including patient, family, provider contact numbers

  • 5. Fax numbers

    • No fax numbers

  • 6. Email addresses

    • No email addresses for patient or related individuals

  • 7. Social Security numbers

    • No SSN or partial SSN

  • 8. Medical record numbers

    • No MRN, hospital ID, or clinic numbers
    • Use coded study ID or case number if needed

  • 9. Health plan beneficiary numbers

    • No insurance ID numbers
    • No policy numbers

  • 10. Account numbers

    • No billing account numbers
    • No financial account information

  • 11. Certificate/license numbers

    • No driver's license numbers
    • No professional license numbers (unless for author credentials)

  • 12. Vehicle identifiers and serial numbers

    • No license plate numbers
    • No VIN numbers

  • 13. Device identifiers and serial numbers

    • No pacemaker serial numbers
    • No implant device serial numbers
    • Generic device description acceptable (e.g., "implantable cardioverter-defibrillator")

  • 14. Web URLs

    • No personal websites
    • No URLs identifying individuals

  • 15. IP addresses

    • No IP addresses

  • 16. Biometric identifiers

    • No fingerprints
    • No voiceprints
    • No retinal scans
    • No other biometric data

  • 17. Full-face photographs and comparable images

    • No full-face photographs without consent
    • Crop or blur faces if showing
    • Remove identifying features (jewelry, tattoos, birthmarks if not clinically relevant)
    • Black bars over eyes NOT sufficient
    • Ensure no reflection or background identification

  • 18. Any other unique identifying characteristic or code

    • No unique characteristics that could identify individual
    • No rare disease combinations that could identify
    • Consider if combination of remaining data points could identify individual

Additional De-identification Considerations

Ages and Dates

  • Patients aged ≤89: Exact age or age range acceptable
  • Patients aged >89: Must be aggregated to "90 or older" or ">89 years"
  • Dates: Use only years OR use relative time periods
    • Example: "3 months prior to presentation" instead of "on January 15, 2023"
    • Example: "admitted in 2023" instead of "admitted on March 10, 2023"

Geographic Information

  • State or country is acceptable
  • Removed specific cities (unless population >20,000 and no other identifying information)
  • Removed hospital/clinic names
  • Use general descriptors: "a community hospital in the Midwest" or "a tertiary care center"

Rare Conditions and Combinations

  • Consider if very rare disease alone could identify patient
  • Consider if combination of:
    • Age + diagnosis + geographic area + timeframe could identify patient
  • May need to be vague about certain unique details
  • Balance between providing clinical information and protecting privacy

Images and Figures

  • All patient identifiers removed from image headers/metadata
  • DICOM data stripped
  • Dates removed from images
  • Medical record numbers removed
  • Faces cropped, blurred, or obscured
  • Identifying marks removed or obscured:
    • Tattoos
    • Jewelry
    • Birthmarks or unique scars (if not clinically relevant)
  • Scale bars and annotations do not contain identifying information
  • Background environment de-identified (room numbers, nameplates, etc.)

Voice and Video

  • No audio recordings with patient voice (unless consent obtained)
  • No video showing identifiable features (unless consent obtained)
  • If video necessary, face must be obscured

Informed Consent Checklist (for Case Reports/Publications)

  • Informed consent obtained BEFORE publication submission
  • Consent obtained from patient directly (if capable)
  • If patient deceased or incapacitated, consent from legal representative or next of kin
  • For pediatric cases, parental/guardian consent obtained

The informed consent form must include:

  • Purpose of publication (education, medical knowledge)
  • What will be published (case details, images, outcomes)
  • Journal or publication venue (if known)
  • Open access vs. subscription (public availability)
  • De-identification efforts explained
  • Potential for re-identification acknowledged
  • No effect on clinical care
  • Right to withdraw consent (timing limitations)
  • Contact information for questions
  • Patient signature and date
  • Witness signature (if required)
  • Signed consent form on file
  • Copy provided to patient
  • Consent available for editor review
  • Statement in manuscript confirming consent obtained

Example statement for manuscript: "Written informed consent was obtained from the patient for publication of this case report and any accompanying images. A copy of the written consent is available for review by the Editor-in-Chief of this journal on request."

Safe Harbor vs. Expert Determination

Safe Harbor Method

  • All 18 identifiers removed
  • No actual knowledge that remaining information could identify individual
  • Most straightforward method
  • Recommended for most clinical reports

Expert Determination Method

  • Qualified statistician/expert determined very small re-identification risk
  • Methodology documented
  • Analysis methods specified
  • Conclusion documented
  • May allow retention of some data elements
  • Requires statistical expertise

Method used: [ ] Safe Harbor [ ] Expert Determination

Minimum Necessary Standard

Use and Disclosure

  • Only minimum PHI necessary for purpose is used
  • Purpose of disclosure clearly defined
  • Limited to relevant information only
  • Consider de-identified data or limited data set as alternatives

Exceptions to Minimum Necessary

Minimum necessary does NOT apply to:

  • Treatment purposes (providers may need full information)
  • Patient-authorized disclosures
  • Disclosures required by law
  • Disclosures to HHS for compliance investigation

Authorization for Use/Disclosure of PHI

When Authorization Required

Authorization needed for:

  • Research (unless IRB waiver granted)
  • Marketing purposes
  • Sale of PHI
  • Psychotherapy notes
  • Uses beyond treatment, payment, operations (TPO)

Authorization Elements

If authorization required, it must include:

  • Specific description of PHI to be used/disclosed
  • Person(s) authorized to make disclosure
  • Person(s) to receive information
  • Purpose of disclosure
  • Expiration date or event
  • Right to revoke and how
  • Right to refuse to sign
  • Potential for re-disclosure by recipient
  • Patient signature and date

Limited Data Set

Limited Data Set Option

A limited data set removes 16 of 18 identifiers but may retain:

  • Dates (admission, discharge, service, birth, death)
  • Geographic information (city, state, ZIP code)

Requirements for Limited Data Set

  • Data Use Agreement (DUA) required
  • DUA specifies permitted uses
  • Only for research, public health, or healthcare operations
  • Recipient agrees not to re-identify
  • Recipient agrees to safeguard data

Security Safeguards Checklist

Administrative Safeguards

  • Security management process in place
  • Workforce security measures
  • Access management (role-based)
  • Security training for workforce
  • Incident response procedures

Physical Safeguards

  • Facility access controls
  • Workstation use policies
  • Workstation security measures
  • Device and media controls
  • Secure disposal procedures

Technical Safeguards

  • Access controls (unique user IDs, passwords)
  • Audit controls and logging
  • Integrity controls
  • Transmission security (encryption)
  • Automatic logoff after inactivity

Breach Notification Checklist

If Unauthorized Disclosure Occurs

  • Determine if breach occurred (unauthorized access/use/disclosure)
  • Assess risk of harm to individual
  • If breach affects <500 individuals:
    • Notify individual within 60 days
    • Report to HHS annually
  • If breach affects ≥500 individuals:
    • Notify individuals within 60 days
    • Notify HHS within 60 days
    • Notify media if affects ≥500 in a state/jurisdiction
  • Document breach and response
  • Implement corrective action

Breach Notification Content

Notification must include:

  • Description of breach
  • Types of information involved
  • Steps individuals should take
  • What organization is doing
  • Contact for questions

Research-Specific Compliance

IRB/Privacy Board Considerations

  • IRB approval obtained (if research)
  • HIPAA authorization obtained OR waiver granted
  • Waiver justification documented:
    • Minimal risk to privacy
    • Research cannot practically be conducted without waiver
    • Research cannot practically be conducted without PHI
    • Plan to protect identifiers
    • Plan to destroy identifiers when appropriate

Clinical Trial Reporting

  • Subject identified by ID number only
  • No names in regulatory submissions
  • Initials only if required by regulatory authority
  • Dates limited to year or relative time
  • Protocol includes privacy protections

Special Populations

Pediatric Cases

  • Parent/guardian consent obtained
  • Child assent obtained (if age-appropriate)
  • Extra care with identifiable photos
  • School information removed

Deceased Patients

  • HIPAA protections apply for 50 years post-death
  • Next of kin consent for publication
  • Autopsy information de-identified

Mental Health and Substance Abuse

  • Extra protections under 42 CFR Part 2
  • Explicit consent for disclosure
  • Cannot re-disclose without consent

Final Compliance Verification

Reviewed by: ____________________
Date: ____________________
Signature: ____________________

Compliance Status: [ ] Compliant [ ] Needs revision [ ] Not compliant

Issues identified:

  1. [Issue]
  2. [Issue]

Corrective actions:

  1. [Action]
  2. [Action]

Re-review required: [ ] Yes [ ] No
Re-review date: ____________________

Documentation to Maintain

Keep on file:

  • Signed patient consent (if applicable)
  • IRB approval (if research)
  • HIPAA waiver (if applicable)
  • De-identification verification
  • Data use agreement (if limited data set)
  • Authorization forms (if applicable)
  • Training records for personnel handling PHI
  • Audit logs

Retention period: Minimum 6 years per HIPAA requirement