HIPAA Compliance for Diabetes Registry Data: PHI, De-identification, and Permitted Uses
Protected Health Information in Diabetes Registries
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is any individually identifiable health information created or received by a covered entity or business associate that relates to health status, care, or payment. In diabetes registries, clinical values become PHI when they can identify a person directly or indirectly.
Typical PHI in a diabetes registry includes direct identifiers and clinical data linked to those identifiers:
- Direct identifiers: names, full addresses, contact details, Social Security numbers, medical record numbers, insurance IDs, and device serial numbers.
- Quasi-identifiers: dates of birth, small-area geographies, rare diagnoses, and unique event patterns that could single out an individual.
- Diabetes-specific data when linked to identifiers: A1C and glucose values, CGM traces, insulin pump and pen logs, medication lists, visit notes, problem lists (e.g., type 1 vs. type 2), complications, and outcomes.
Covered entities and their business associates may use PHI for treatment, payment, and healthcare operations. For research, you generally need individual authorization unless you use de-identified data or a Limited Data Set under a Data Use Agreement—both pathways provide a patient authorization exemption.
De-Identification Methods under HIPAA
HIPAA recognizes two ways to transform PHI into data that are no longer regulated as PHI: the De-identification Safe Harbor and the Expert Determination Method. Either approach, when properly executed, yields de-identified data that fall outside the HIPAA Privacy Rule.
- De-identification Safe Harbor: Remove all 18 designated identifiers and have no actual knowledge that remaining data could identify a person.
- Expert Determination Method: A qualified expert applies accepted statistical or scientific techniques and documents that the risk of re-identification is very small for the intended data, context, and recipients.
Choose Safe Harbor for speed and clarity; choose Expert Determination when you need to retain granular elements (for example, service dates beyond the year, fine-grained geography, or detailed time series such as CGM data) while still achieving a very small re-identification risk.
Safe Harbor De-Identification Criteria
To use the De-identification Safe Harbor, remove these 18 identifiers of the individual or relatives, employers, or household members, and ensure you have no actual knowledge of identifiability:
- Names.
- Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code, except the initial three digits if the combined area has more than 20,000 people; otherwise use 000.
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, death; ages over 89 must be grouped as 90 or older.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (e.g., fingerprints, voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code (except a re-identification code that is not derived from PHI and is kept separately).
Applying Safe Harbor to diabetes registries
- Retain only the year for event dates; suppress months and days. Aggregate ages 90+ into a single category.
- Generalize geography (e.g., three-digit ZIPs compliant with the 20,000-person rule) and remove street-level detail.
- Strip device serial numbers from pump/CGM logs and remove direct contact fields from registry extracts.
- Use a non-derivable record key for linkage, stored separately to prevent re-identification.
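As an added example (not code from the original article), the following Python applies the Safe Harbor rules above to a single diabetes registry record; the ZIP-prefix population table, field names and sample patient are constructed assumptions for illustration.

```python
import secrets
from datetime import date
from statistics import mean

# Constructed sample: population covered by each three-digit ZIP prefix.
# A real pipeline would load Census figures; these values are illustrative only.
ZIP3_POPULATION = {"021": 1_500_000, "036": 15_000}


def generalize_zip(zip_code: str) -> str:
    """Keep the initial three digits only if that area has more than 20,000 people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_category(dob: date, as_of: date):
    """Exact age in years below 90; ages 90 and older collapse to '90+'."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else years


def safe_harbor(record: dict, as_of: date, key_map: dict) -> dict:
    """Apply the Safe Harbor rules to one registry record. key_map is the separately
    stored table mapping the random record key to the MRN (key not derived from PHI)."""
    key = secrets.token_hex(8)  # random, not derived from any PHI field
    key_map[key] = record["mrn"]
    age = age_category(record["dob"], as_of)
    # Only allow-listed, generalized fields are copied; direct identifiers never are.
    return {
        "record_key": key,
        # Year of birth is permitted, except where it would reveal an age over 89.
        "birth_year": None if age == "90+" else record["dob"].year,
        "age": age,
        "zip3": generalize_zip(record["zip"]),
        "visit_years": sorted({d.year for d in record["visit_dates"]}),
        "diabetes_type": record["diabetes_type"],
        "a1c": record["a1c"],
        # Timestamped CGM traces are reduced to a summary; the article routes
        # full traces to Expert Determination instead.
        "cgm_mean_mgdl": round(mean(g for _, g in record["cgm_readings"]), 1),
    }


# Constructed sample record (not a real patient).
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001", "street": "1 Main St", "zip": "03601",
    "phone": "555-0100", "email": "jane@example.com", "pump_serial": "PMP-9",
    "cgm_serial": "CGM-4", "dob": date(1933, 6, 15), "diabetes_type": "type 1",
    "a1c": 7.4, "visit_dates": [date(2023, 3, 2), date(2024, 1, 9)],
    "cgm_readings": [(date(2024, 1, 9), 140), (date(2024, 1, 9), 160)],
}
```

Note that the ZIP prefix 036 is suppressed to 000 because its constructed area falls below the 20,000-person threshold, and the 90+ patient loses both exact age and birth year.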
Expert Determination Approach
The Expert Determination Method relies on a qualified expert to assess data, recipients, and context, and to certify that the likelihood of identifying an individual is very small. This path is ideal when Safe Harbor would overly degrade utility, such as when analyses require month-level dates, precise age, or longitudinal CGM traces.
What the expert typically does
- Profiles re-identification risks (linkage, inference, and singling out) using external data assumptions relevant to diabetes populations.
- Applies transformations—generalization, suppression, k-anonymity, l-diversity, t-closeness, date shifting, noise addition, micro-aggregation, and small-cell rules.
- Validates utility (e.g., A1C trends, hypoglycemia rates) versus privacy risk to ensure analyses remain meaningful.
- Documents methods, residual risk, data recipient controls, and re-check cadence when data or context change.
Permitted Uses of De-Identified Data
Once de-identified under Safe Harbor or Expert Determination, the dataset is not PHI, and HIPAA’s use and disclosure restrictions no longer apply. Individual patient authorization is therefore not required, though contractual promises and other laws may still govern use.
- Research and quality improvement, including benchmarking of A1C control and hypoglycemia rates across sites.
- Public health reporting, population health analytics, and health equity studies at community levels.
- Product and algorithm development, such as training risk prediction or decision-support models.
- Public releases and dashboards, with continued safeguards against small-cell disclosures and re-identification attempts.
Always prohibit re-identification, control downstream sharing, and monitor for misuse as part of governance, even when HIPAA no longer applies.
Limited Data Sets and Restrictions
A Limited Data Set (LDS) is still PHI but excludes specified direct identifiers while allowing certain details—such as dates and broader geography—to remain. Disclosures of an LDS for research, public health, or healthcare operations can proceed without individual authorization if a Data Use Agreement is in place.
What an LDS may include
- Dates related to care and observation (e.g., service, admission, discharge, birth, death).
- Age in exact years, including age 90 and older.
- Geographic information at the city, state, and ZIP code level, and other geocodes that do not reveal a street address.
- Clinical variables essential to diabetes analytics (A1C, CGM summaries, insulin dosing) when direct identifiers are removed.
What must be removed from an LDS
- Names and full postal addresses (other than city, state, ZIP).
- Telephone and fax numbers; email addresses.
- Social Security, medical record, health plan beneficiary, and account numbers.
- Certificate/license numbers; vehicle, device, and serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers and full-face photographs or comparable images.
Because an LDS remains PHI, apply the minimum necessary standard, enforce role-based access, and track disclosures in accordance with your compliance program.
Data Use Agreement Requirements
A Data Use Agreement (DUA) is mandatory for Limited Data Set disclosures and should precisely describe how recipients may handle the data. The DUA is a core control that complements technical de-identification and organizational safeguards.
HIPAA-required DUA terms
- Permitted uses and disclosures of the Limited Data Set (research, public health, healthcare operations) consistent with the HIPAA Privacy Rule.
- Who is permitted to use or receive the data, including authorized agents.
- Recipient obligations to: not use or disclose data beyond the DUA or as required by law; implement safeguards to prevent unauthorized use or disclosure; report any known non-compliant use or disclosure; bind agents to the same restrictions; and not re-identify or contact individuals.
Good-practice additions for diabetes registries
- Security controls (encryption, access logs, environment restrictions) and small-cell suppression thresholds for published results.
- Provisions for data retention, destruction, audits, incident response, and model transparency when data train algorithms.
- Clear rules for linkage keys and a prohibition on combining the data with external datasets the DUA does not permit.
Summary
HIPAA compliance for diabetes registry data centers on correctly classifying PHI, choosing an appropriate de-identification path, and governing downstream use. Safe Harbor offers clarity; the Expert Determination Method preserves utility with documented risk control. De-identified data enjoy a patient authorization exemption, while Limited Data Sets require a DUA with strict safeguards.
FAQs
What constitutes PHI in a diabetes registry?
PHI is any diabetes-related information that can identify a person, such as names, contact details, exact addresses, medical record numbers, device serials, and clinical values (A1C, CGM data, medications) when linked to those identifiers. If the data can reasonably single out an individual, it is PHI under the HIPAA Privacy Rule.
How does the Safe Harbor method ensure de-identification?
Safe Harbor requires removal of 18 specific identifiers—including names, granular geography, all date elements except year, contact numbers, account numbers, device IDs, photos, and more—and confirmation that you have no actual knowledge that remaining data could identify someone. After these steps, the dataset is considered de-identified.
When is an expert determination required for data de-identification?
Use an expert determination when you need to keep elements that Safe Harbor disallows (e.g., month-level dates, precise ages, or detailed CGM traces) or when unique patterns might still enable identification. A qualified expert must document that the re-identification risk is very small given the data, recipients, and safeguards.
What are the permitted uses of de-identified diabetes registry data?
De-identified data are not PHI, so you may use and disclose them without individual authorization for research, public health analytics, quality improvement, benchmarking, and developing or validating models and tools. Contracts and ethical commitments should still prohibit re-identification and control downstream sharing.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.