The Oklahoma Bar Journal March 2026

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information.”24 Essentially, if the covered entity is not aware that the de-identified information can be used, alone or in conjunction with other data, to identify an individual, then it will likely not have “actual knowledge” of a de-identification risk.

Both de-identification methods yield data that retains some risk of identification. Yet, regardless of the method, the privacy rule does not restrict the use or disclosure of de-identified health information because the de-identified data is no longer considered PHI under HIPAA.25 Data sets de-identified under HIPAA regulations may therefore be used for purposes unrelated to treatment, payment or health care operations.

OTHER CONSIDERATIONS

This article provides a brief overview of HIPAA compliance risk associated with AI-related processing. It does not substantively address contractual and other regulatory risks related to AI processing of health information.

Contractual obligations between or among covered entities, business associates and subcontractors may either prohibit de-identification altogether or condition de-identification on consent of an upstream entity, such as the covered entity. Such restrictions may be contained in the parties’ business associate agreement or in the substantive services agreement. For example, many private payors place restrictions on a data recipient’s ability to de-identify data.
Many health information exchanges, which are used to exchange PHI between covered

THE SAFE HARBOR METHOD

The “safe harbor” method requires the removal of 18 specific identifiers in combination with a covered entity having no “actual knowledge” that any remaining information could be used to re-identify an individual (see endnote 22). The identifiers are:

1) Names;
2) Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code, equivalent geocodes) except for the initial three digits of a zip code, subject to geographic units above or below 20,000 people;
3) All elements of dates except year directly related to an individual (birth, admission, discharge, death) and all ages over 89, including all elements of dates indicative of age, except such ages and elements may be aggregated into a category of 90 or older;
4) Phone numbers;
5) Fax numbers;
6) Email addresses;
7) Social security numbers;
8) Medical record numbers;
9) Health plan beneficiary numbers;
10) Account numbers;
11) Certificate/license numbers;
12) Vehicle identifiers and serial numbers, including license plates;
13) Device identifiers and serial numbers;
14) URLs;
15) IP addresses;
16) Biometric identifiers, including voice and fingerprints;
17) Full-face photographic images and comparable images; and
18) Any other unique identifying numbers, characteristics or codes.
