Developers and HIPAA

Which Dates are considered PHI?

Assuming all other identifiers are removed from the data, which dates are considered PHI? The de-identification standard for safe harbor indicates the following must be removed:

 

"(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older"

 

Do dates such as date of an appointment, date of a prescription, date of a lab test, or even date when someone opened the app need to be removed as well? It is not clear how these elements could be used to identify someone unless the date implied the age or DOB of a person and I would like to better understand which dates need to be removed.

Tags (If you have a multi-word tag, add a hyphen (-) between the words.)

Voting

1 vote
1 up votes
0 down votes
Question No. 91