As digital platforms and technologies continue to evolve, the health sector has begun to embrace these changes to improve its service delivery. One of the areas experiencing rapid growth is e-commerce in healthcare, including online pharmacies, telemedicine, and the sale of medical devices online. In this context, it is crucial to understand the importance of data privacy and de-identification of information to meet the requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA).
Understanding HIPAA and PHI
HIPAA sets the standard for protecting sensitive patient data in the United States. Any organization dealing with protected health information (PHI) is required by law to have physical, network, and process security measures in place and follow them to ensure HIPAA compliance.
PHI includes a wide range of information, from medical records and laboratory results to billing information. In an e-commerce context, PHI might be transmitted in many ways, such as through online orders, customer service interactions, or payment processes.
The Need for De-Identification
De-identification is a critical process in maintaining HIPAA compliance, especially in e-commerce. It involves removing or obfuscating certain identifiers that can link data to specific individuals, thereby minimizing the risk of unauthorized access or disclosure.
For an e-commerce business dealing with healthcare products or services, it is essential to de-identify any PHI that does not need to be explicitly linked to individuals to conduct business.
What HIPAA Information Needs to Be De-Identified in eCommerce?
HIPAA outlines 18 identifiers that must be removed from PHI to meet the de-identification standard. In the context of healthcare e-commerce, this could include:
- Names: All personal names, including full names or last names.
- Geographical identifiers: All geographical information smaller than a state, including street address, city, county, precinct, and ZIP code.
- Dates: Any dates directly related to an individual, including birth date, admission date, discharge date, or date of death.
- Phone numbers: Any phone numbers associated with the individual.
- Fax numbers: Any fax numbers associated with the individual.
- Email addresses: Any email addresses linked to the individual.
- Social Security numbers: The individual’s Social Security number.
- Medical record numbers: Any unique numbers or codes associated with the individual’s medical records.
- Health insurance beneficiary numbers: Any unique numbers or codes linked to the individual’s health insurance.
- Account numbers: Any unique numbers or codes linked to the individual’s accounts.
- Certificate or license numbers: Any unique numbers or codes associated with the individual’s certificates or licenses.
- Vehicle identifiers and serial numbers: Any unique identifiers linked to a vehicle the individual owns or uses.
- Device identifiers and serial numbers: Any unique identifiers related to medical devices used by the individual.
- URLs: Any web Uniform Resource Locators (URLs) associated with the individual.
- IP addresses: Any Internet Protocol (IP) addresses associated with the individual.
- Biometric identifiers: Any biometric data, such as finger and voice prints, related to the individual.
- Full-face photos and comparable images: Any photos or images that could identify the individual.
- Any other unique identifying number, characteristic, or code: Any other information that could identify the individual.
It’s important to remember that de-identification doesn’t necessarily mean deleting the information. Instead, it can involve methods like data masking, pseudonymization, or aggregation to remove the link between the data and the individual.
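The following is an added example (not code from the original article) of what a de-identification pass over a single online-pharmacy order record looks like in practice: direct identifiers from the list above are dropped, record-linking identifiers are replaced with keyed pseudonyms, dates are reduced to the year (the one element of a date the Safe Harbor rule lets you keep), and free-text fields such as customer notes are scanned for identifiers that slipped in. The record, the field names, the regular expressions and the pseudonymization key are all constructed for illustration; a real deployment would hold the key in a key-management service and tune the patterns to its own data.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample order record, as an online pharmacy might store it.
SAMPLE_ORDER = {
    "customer_id": "CUST-00017",
    "name": "Jane Q. Public",
    "email": "jane.public@example.com",
    "phone": "555-0123",
    "street": "12 Elm Street",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": "1980-04-17",
    "order_date": "2024-02-03",
    "mrn": "MRN-44821",
    "ip_address": "203.0.113.9",
    "product": "Blood glucose test strips, 50 ct",
    "notes": "Please call 555-0123 or email jane.public@example.com before delivery.",
}

# Hypothetical secret for pseudonymization (placeholder value, example only).
PSEUDONYM_KEY = b"example-only-secret-key"

# Direct identifiers from the Safe Harbor list that are dropped outright here.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "street", "city", "zip", "ip_address"}

# Identifiers kept only as keyed pseudonyms so orders from one customer can
# still be grouped for analytics without revealing who the customer is.
PSEUDONYMIZED = {"customer_id", "mrn"}

# Dates directly related to the individual are generalized to the year.
DATE_FIELDS = {"birth_date", "order_date"}

# Free-text fields are the usual place for identifiers to slip through.
FREE_TEXT_FIELDS = {"notes"}

# Constructed patterns for a residual-identifier check; real data needs more.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{4}\b|\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed hash: the same input always maps to the same token, but the
    token cannot be reversed or reproduced without the key. The 'psn_'
    prefix keeps tokens from ever matching the numeric patterns below."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]


def year_only(iso_date):
    """Reduce an ISO date to its year, the only date element Safe Harbor keeps."""
    return str(date.fromisoformat(iso_date).year)


def find_residual_identifiers(text):
    """Return the labels of any identifier patterns still present in text."""
    return [label for label, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


def redact_free_text(text):
    """Replace identifier patterns in free text with a labelled marker."""
    for label, pat in RESIDUAL_PATTERNS.items():
        text = pat.sub(f"[{label} removed]", text)
    return text


def deidentify(record):
    """Apply drop / pseudonymize / generalize / redact per field category."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in PSEUDONYMIZED:
            out[field] = pseudonymize(value)
        elif field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field in FREE_TEXT_FIELDS:
            out[field] = redact_free_text(value)
        else:
            out[field] = value
    return out


def verify(record):
    """Post-check: list (field, label) pairs for identifiers left in any value."""
    return [(f, label) for f, v in record.items() if isinstance(v, str)
            for label in find_residual_identifiers(v)]


if __name__ == "__main__":
    clean = deidentify(SAMPLE_ORDER)
    for k, v in clean.items():
        print(f"{k}: {v}")
    print("residual identifiers:", verify(clean))
```

The post-check matters as much as the transformation: masking the structured fields is easy to get right, but a customer note that repeats a phone number or e-mail address re-identifies the record unless free text is scanned too. Running `verify` over the output before it reaches an analytics store or a vendor gives a repeatable gate rather than a one-time review.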
Important! The above relates only to PHI (Protected Health Information) or ePHI (electronic PHI) as it relates to the customer. You may also need to encrypt additional fields as a matter of practice, including:
- Prescription data.
- Product data.
- Customer communications.
- Receipts, packing slips, or other items included in an order.
Safeguarding E-commerce Transactions
When processing online transactions, healthcare e-commerce businesses must also consider payment card data, which is regulated by the Payment Card Industry Data Security Standard (PCI DSS), not HIPAA. This standard requires businesses to protect cardholder data, which includes the cardholder’s name, card number, expiration date, and security code.
Conclusion
De-identification of information is an essential step in ensuring the privacy and security of personal health information. For healthcare organizations venturing into e-commerce, understanding and implementing the principles of data de-identification is not only a legal requirement but also a fundamental part of earning and maintaining the trust of their customers.
Healthcare e-commerce businesses need to fully understand their data flows and have robust procedures in place for de-identifying information where necessary. Given the severity of penalties for non-compliance and the potential for reputational damage, these organizations should consider working with knowledgeable legal and cybersecurity professionals to ensure they meet all the necessary requirements.