Code of Federal Regulations (Last Updated: November 8, 2024) |
Title 42 - Public Health |
Chapter I - Public Health Service, Department of Health and Human Services |
SubChapter A - General Provisions |
Part 3 - Patient Safety Organizations and Patient Safety Work Product |
Subpart C - Confidentiality and Privilege Protections of Patient Safety Work Product |
§ 3.212 - Nonidentification of patient safety work product.
-
§ 3.212 Nonidentification of patient safety work product.
(a) Patient safety work product is nonidentifiable with respect to a particular identified provider or a particular identified reporter if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)
(i) The following identifiers of such provider or reporter and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers or reporters are removed:
(A) The direct identifiers listed at § 3.206(b)(4)(iv)(A)(1) through (13) of this subpart;
(B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;
(C) All elements of dates (except year) for dates directly related to a patient safety incident or event; and
(D) Any other unique identifying number, characteristic, or code except as permitted for re-identification; and
(ii) The provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter.
(3) Re-identification. A provider, PSO, or responsible person may assign a code or other means of record identification to allow information made nonidentifiable under this section to be re-identified by such provider, PSO, or responsible person, provided that:
(i) The code or other means of record identification is not derived from or related to information about the provider or reporter and is not otherwise capable of being translated so as to identify the provider or reporter; and
(ii) The provider, PSO, or responsible person does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
(b) Patient safety work product is non-identifiable with respect to a particular patient only if the individually identifiable health information regarding that patient is de-identified in accordance with the HIPAA Privacy Rule standard and implementation specifications for the de-identification at 45 CFR 164.514(a) through (c).