De-identify Protected Health Information (PHI)

De-identification removes identifiers, such as personal names and social security numbers, from health data. This limits risk exposure to individuals, thereby supporting secondary use of data. PHI should be de-identified whenever possible before it is shared outside of UCSF. In addition, you will need an appropriate data sharing contract that is executed with your non-UCSF partner. (Note: a contract is required for sharing both identified and de-identified health data outside of UCSF.)

Services 

The following services are available to help you de-identify data.

  • Academic Research Systems is available to consult with you about your data; however, you will need to use an external company for the certification, if required. Important Note: You will need to pay for the certification. UCSF IT recommends ArcherHall LLC for De-Identification Certification, but there are others.
  • UCSF Data Resources provides de-identification resources, guidance, and tools.
  • The Dept. of Health and Human Services' de-identification guideline provides guidance about methods and approaches to de-identify PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
  • UCSF REDCap is a web-based, HIPAA-compliant system for building and managing research projects, such as surveys and databases, available to UCSF researchers and collaborators. REDCap provides de-identification options such as removing known identifier fields, date shifting, and hashing of the record names.

Directions

  1. Follow the Dept. of Health and Human Services' de-identification guideline to determine and follow a de-identification method.
  2. Use UCSF REDCap to de-identify data in accordance with the HHS guideline.

Support

For questions or advice on data de-identification, schedule a data management consultation.

If you have questions related to HIPAA, visit HIPAA Requirements.