Skip to main content
West Virginia University Information Technology Services
Get Help

PHI De-Identification Standard

Standard Number: 1.11.3.9.2
Category: Information Privacy
Owner: Information Technology Services
Effective: August 1, 2022
Revision History: None
Review Date: July 31, 2025

  1. Purpose, Scope, and Responsibilities

    1. Pursuant to the Protected Health Information Privacy Policy, protected health information (“PHI”) data sets that do not identify an Individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an Individual, will be considered De-Identified and are not subject to compliance with HIPAA when being used or disclosed by University Health Care Components (“UHCC”).
    2. The purpose of this Standard is to ensure that there shall be no reasonable basis to believe that any De-Identified PHI disclosed by a UHCC can be used to identify the subject of the PHI (“Individual”). This Standard is based on the requirements within the HIPAA Privacy Rule.
    3. It is the responsibility of UHCC Workforce members who manage or maintain PHI and may be asked to disclose PHI, to ensure PHI is effectively De-Identified pursuant to this Standard prior to disclosing.
    4. Health Sciences Center Privacy Officer, in conjunction with the Chief Information Security Officer, is responsible for implementing and enforcing this Standard.
    5. Senior Management of UHCCs are responsible for ensuring all staff follow the requirements within this Standard.
    6. All Workforce members with authorized access to PHI must follow the requirements outlined in this Standard. Failure to do so may result in appropriate corrective action.

  2. De-Identified Information

    1. The University will consider PHI De-Identified only when the following identifiers of the Individual, their relatives, employers, or household members are removed:
      1. Names;
      2. Geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes, excepting:
        1. The initial three digits of a zip code if, according to the current available public data from the Bureau of the Census;
        2. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and,
        3. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to “000.”
      3. All elements of dates, except year, for dates directly related to the Individual, including date of birth, admission date, discharge date, date of death, all ages over 89 and all elements of dates, including year, indicative of such age (such ages may be aggregated into a single category of age, e.g. 90 or older);
      4. Telephone Numbers;
      5. Fax Numbers;
      6. Electronic mail addresses;
      7. Social Security numbers;
      8. Medical record numbers;
      9. Health plan beneficiary numbers;
      10. Account numbers;
      11. Certificate/license numbers;
      12. Vehicle identifiers and serial numbers including license plate numbers;
      13. Device identifiers and serial numbers;
      14. Web Universal Resource Locators (“URL”);
      15. Internet Protocol (“IP”) address numbers;
      16. Biometric Identifiers, including finger and voice prints;
      17. Full face photographic images and any comparable images; and,
      18. Any other unique identifying number, characteristic, or code; except as permitted by the Re-Identification section of this document.
    2. The University will also determine health information is de-identified if:
      1. The UHCC does not have actual knowledge that the information could be used alone or in combination with other information to identify an Individual; or,
      2. The Health Sciences Center Privacy and Security Team determines there is minimal risk that the information could be used, alone or in combination with other available information, by an anticipated recipient, to identify an Individual who is a subject of the information and documents the methods and results of the analysis that justify such determination.

  3. Re-Identification

    1. Cross-reference codes or other means of identification may be assigned to data records to allow De-Identified information to be Re-Identified by a UHCC, provided the following:
      1. The cross-reference code or other means of record identification is not derived from or related to information about the Individual (e.g., initials) and cannot be translated to identify the Individual and is stored separately from the de-identified information; and,
      2. The UHCC does not use or disclose the cross-reference code or means of record.

Related Documents

Connect With Us

Service Desk Hours and Contact

Service Desk Hours

Monday – Friday: 7:30 a.m. – 8 p.m.
Saturday and Sunday: Noon – 8 p.m.

Closed on official University holidays.

Contact Us

Information Technology Services
One Waterfront Place
Morgantown, WV 26506

(304) 293-4444 | 1 (877) 327-9260
ITSHelp@mail.wvu.edu

Get Help

Maintenance Schedule

To function effectively and securely, applications and the systems that support them must undergo regularly planned maintenance and updates.

See Schedule