Article 2 – Confidentiality and Privacy
2.2.8 De‑Identification of Patient Information and Use of Limited Data Sets
Policy

California Correctional Health Care Services (CCHCS) workforce members may use and disclose health information as appropriate without authorization if CCHCS workforce members or another entity has taken steps to de-identify the health information consistent with the requirements and restrictions of this policy unless restricted or prohibited by federal or state law. CCHCS workforce members may use or disclose a Limited Data Set (LDS) if a Data Use Agreement (DUA) is obtained.

Purpose

To provide guidance regarding standards under which patient information may be used and disclosed after information that can identify a person has been removed or restricted to an LDS.

Responsibility

The Chief Privacy Officer shall have oversight of this policy to comply with privacy laws, policies, and standards for respecting the rights of individuals concerning the collection, use, and disclosure of Protected Health Information (PHI) maintained by CCHCS.

De-Identification of Patient Information

Requirements

Patient health information is sufficiently de-identified so it cannot be used to identify the patient only if:

- The de-identification is done by CCHCS workforce members with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, who:
  - Applying such principles and methods, determine that there is minimal risk the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
  - Document the methods and results of the analysis that justify such determination.
- CCHCS workforce members have ensured the following identifiers of the patient or of relatives, employers, and household members of the patient are removed:
  - Names.
  - All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes. However, the initial three digits of a zip code may remain on the information if, according to current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits for all such geographic units containing 20,000 or fewer people are changed to 000.
  - All elements of dates (except year) directly relating to the patient, including birth date, dates of admission and discharge from a health care facility, and date of death. For persons aged 90 and older, all elements of dates (including year) that would indicate such age must be removed, except that such ages and elements may be aggregated into a single category of “aged 90 or older.”
  - Telephone numbers.
  - Fax numbers.
  - Electronic mail addresses.
  - Social security numbers.
  - Health record numbers.
  - Health plan beneficiary numbers.
  - Account numbers.
  - Certificate or license numbers.
  - Vehicle identifiers and serial numbers, including license plate numbers.
  - Device identifiers and serial numbers.
  - Web URLs.
  - IP address numbers.
  - Biometric identifiers including fingerprints and voiceprints.
  - Full face photographic images and any comparable images.
  - Any other unique identifying number, characteristic, or codes, except as permitted under section (d)(2)(A) and (B).
- CCHCS workforce members have no actual knowledge the information could be used alone or in combination with other information to identify the patient who is the subject of the information.

Re-identification

CCHCS workforce members may assign a code or other means of record identification to allow information de-identified under this policy to be re-identified provided that:

- The code or other means of record identification is not derived from or related to information about the patient and cannot otherwise be translated to identify the patient.
- CCHCS workforce members do not use or disclose the code or other means of record identification for any other purpose and do not disclose the mechanism for re-identification.

Use of Limited Data Sets

Contents of a Data Use Agreement

CCHCS workforce members may disclose an LDS only if the receiving entity enters into a written DUA with CCHCS. The DUA is to ensure that the entity shall use or disclose the PHI only as specified in the written agreement and only for the purposes of research, public health, or health care operations. A DUA between CCHCS and the recipient of the LDS must:

- Specify the permitted uses and disclosures of such information by the LDS recipient. CCHCS workforce members shall not use the DUA to authorize the LDS recipient to use or further disclose the information in a manner that would violate the requirements of this policy.
- Specify who is permitted to use or receive the LDS.
- Specify that the LDS recipient shall:
  - Not use or further disclose the information other than as specified in the DUA or as otherwise required by law.
  - Use appropriate safeguards to prevent use or disclosure of the information other than as specified in the DUA.
  - Report to CCHCS when the recipient becomes aware of any use or disclosure of the information not specified in its DUA with CCHCS.
  - Ensure any CCHCS workforce members to whom it provides the LDS agree to the same restrictions and conditions that apply to the LDS recipient with respect to such information.
  - Not identify the information or contact the patient whose data is being disclosed.

Compliance

CCHCS workforce members are in compliance with the LDS standard if they are aware of a pattern of activity or practice of the LDS recipient that constitutes a material breach or violation of the DUA and take reasonable steps to cure the breach or end the violation. If CCHCS workforce members are unable to cure the breach or end the violation, they shall:

- The Privacy Office shall report the problem to the Secretary of the U.S. Department of Health and Human Services.

References

- Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, Section 164.514 et seq.
- Health Care Department Operations Manual, Chapter 5, Article 1, Section 5.1.2, California Public Records Act Requests
- Statewide Health Information Policy Manual, Section 2.2.12, Research
- Statewide Health Information Policy Manual, Section 2.5.1, De-Identification
- Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html
- Statistical Policy Working Paper 22, Report on Statistical Disclosure Limitation Methodology, https://www.hhs.gov/sites/default/files/spwp22.pdf
- NIST 800-122, Guide to the Protection of Confidentiality of Personally Identifiable Information, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf

Revision History

Effective: 02/2012
Revised: 12/10/2025