by kosmic_k 3688 days ago
As long as HIPAA rules are followed I don't see an issue. Furthermore, I would argue that the doctors in this case have a moral imperative to inform the public just how harmful these faulty test results have been. It is becoming clear that Theranos has harmed patients, and public knowledge of this is crucial to discover more cases and inform those who may have had medical decisions made on faulty testing.

Unless specifically cleared by a deidentification expert as provided in 45 CFR 164.514(b)(1), this doesn't meet the requirements of HIPAA for deidentification of information derived from PHI, since it does not remove "All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death" [0], in that it includes the specific month of the test.

[0] 45 CFR 164.514(b)(2)(i)(C)

No, your interpretation is wrong. Date does not mean month. Date consists of day/month/year. Here are 2.5 million raw inpatient visits released by New York State meeting the criteria for a HIPAA limited data set; as you can see, not only do they contain month and year but also day of the week. [1,2]

[1] http://www.hopkinsmedicine.org/institutional_review_board/hi... [2] https://health.data.ny.gov/Health/Hospital-Inpatient-Dischar...

Date consists of day/month/year, yes.

Elements of date other than year, which must be removed to meet the blanket, by-element test, means both month and date must be removed.

The alternate standard, which is typically used by large scale releases, is review by a professional expert (the specific expertise and determination is in the reg I cited) to validate that they aren't reidentifiable.

Your first link is not what you describe; it's a description of the definition of a limited data set under HIPAA, which can be disclosed for research, public health, and health care operations purposes. It notes that it can include full dates, and also explicitly notes that it is not considered deidentified, but is still PHI under HIPAA.

Your second link is unrelated to the first, and does contain day of week and year, but I don't see month. In any case, it's the kind of release from the kind of organization that is likely to have a professional on staff and not rely on the blanket, by-element deidentification standard. That's not true of most practices and practitioners.

Actually, individual physicians who have treated patients have far, far lower requirements; otherwise they would not be able to discuss cases with their colleagues, and it would have a chilling effect on the practice of medicine. What the links show is that it's considered acceptable even at the level of millions of patients.

I might be missing the obvious, but I don't see any months in the de-identified dataset you linked?

Your second link also says a limited data set is considered PHI and can only be shared with a third party under certain conditions and with a data use agreement.