HIPAA Compliance for Postpartum Depression Registry Data: What Counts as PHI and How to Share Safely

Kevin Henry

HIPAA

April 25, 2026


Definition of Protected Health Information

Protected Health Information (PHI) is any individually identifiable health information that relates to a person’s health status, care, or payment and is created or received by a covered entity or its business associate. If a data point can reasonably identify a mother, infant, or family when combined with other fields, it is PHI.

For a postpartum depression registry, PHI commonly includes screening results (for example, EPDS or PHQ-9 scores), diagnoses, medication and therapy details, encounter and delivery dates, patient and caregiver contact information, insurance details, and any identifiers that could tie these data to a specific individual. Notes that reference unique life events (a rare complication on a specific date at a small facility) can also be identifying when linked with location or time.

Purely aggregate statistics (for example, system-wide monthly counts) that cannot be tied to an individual are not PHI. However, whenever a record contains direct identifiers or a combination of quasi-identifiers that could single someone out, it must be handled as PHI.

De-Identification Methods for Registry Data

De-Identification Safe Harbor

The De-Identification Safe Harbor requires removing all 18 direct identifiers and having no actual knowledge that remaining information could identify a person. For registry extracts, remove:

  • Names.
  • Geographic subdivisions smaller than a state (street, city, county, precinct, full ZIP); you may keep the initial three ZIP digits only if the combined area has more than 20,000 people, otherwise replace with 000.
  • All elements of dates (except year) directly related to an individual (birth, admission, discharge, death, visit); aggregate ages over 89 into a single “90 or older” category.
  • Telephone and fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (finger or voice prints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

Under Safe Harbor, you may assign a re-identification code for internal linkage so long as it is not derived from PHI and the re-identification mechanism is not disclosed. Validate that narrative fields and free text do not inadvertently reveal identities.

Expert Determination Method

The Expert Determination Method uses a qualified expert to document that the risk of re-identification is very small given the data, context, and anticipated recipients. For a postpartum depression registry, the expert typically evaluates quasi-identifiers (for example, delivery year, three-digit ZIP, parity, provider type), applies techniques like generalization, suppression, perturbation, and small-cell masking, and justifies residual risk thresholds. Maintain the expert’s report, transformation rules, and release conditions as part of your governance record.

Registry-Specific Pitfalls

  • Small populations and narrow time windows around delivery can re-identify individuals; widen time bands or coarsen locations.
  • Free-text notes often include names, facilities, or rare scenarios; redact and consider structured fields.
  • Be cautious with persistent device or app identifiers captured during digital screening; treat them as identifiers.
  • Suppress or aggregate small cells when publishing tables to avoid singling out patients.

Utilizing Limited Data Sets

A Limited Data Set (LDS) is PHI stripped of direct identifiers but allowed to retain certain elements useful for analysis. An LDS may include dates (for example, delivery, screening, follow-up), city, state, ZIP code, and other non-direct identifiers. It must exclude names, full addresses, phone/fax numbers, email, SSN, medical record numbers, health plan numbers, account numbers, certificate/license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, and full-face photographs.

You may disclose an LDS for research, public health, or health care operations. Typical postpartum depression registry uses include tracking screening timeliness by ZIP code, analyzing time from delivery to referral, or evaluating outcomes across facilities while preserving mental health information privacy.

Even with an LDS, share only the minimum necessary to achieve the purpose, and never attempt to re-identify or contact individuals.
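The following added example (not code from the original article or from Accountable) shows the difference between the Safe Harbor extract described above and a Limited Data Set, applied to the same registry record. The field names, the three-digit ZIP population table and the sample records are constructed for the example; a real pipeline would load ZIP populations from Census data and pull field names from the registry schema. The linkage code is random and is never derived from PHI, and the map back to the source record is returned separately so it can be stored under access control rather than shipped with the extract.

```python
import secrets
from datetime import date

# Direct identifiers that both a Safe Harbor extract and a Limited Data Set must drop
# (assumed field names for this example).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
})
# Geography finer than state: an LDS may keep it, Safe Harbor may not.
SUB_STATE_GEOGRAPHY = frozenset({"city", "county", "zip"})
# Event dates tied to the individual: an LDS keeps them, Safe Harbor keeps only the year.
EVENT_DATES = frozenset({"delivery_date", "screening_date", "admission_date", "discharge_date"})
# Narrative fields are dropped from both outputs rather than audited for names here.
FREE_TEXT = frozenset({"notes"})

# Constructed three-digit ZIP population table for this example only.
ZIP3_POPULATION = {"021": 500_000, "036": 12_000}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the first three ZIP digits only if that area holds more than 20,000 people."""
    prefix = str(zip_code)[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def age_bucket(birth, reference):
    """Return (age, birth_year); ages of 90 and above collapse to one category and
    the birth year is withheld because it would reveal the age."""
    had_birthday = (reference.month, reference.day) >= (birth.month, birth.day)
    age = reference.year - birth.year - (0 if had_birthday else 1)
    return ("90 or older", None) if age >= 90 else (age, birth.year)


def safe_harbor(record, linkage):
    """Safe Harbor extract. `linkage` maps the random code back to the source MRN and
    must live in a separate, access-controlled store."""
    out = {}
    age, birth_year = age_bucket(record["birth_date"], record["delivery_date"])
    out["age_at_delivery"] = age
    if birth_year is not None:
        out["birth_year"] = birth_year
    for key, value in record.items():
        if key == "birth_date" or key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY or key in FREE_TEXT:
            continue
        if key in EVENT_DATES:
            out[key.replace("_date", "_year")] = value.year  # year only
        else:
            out[key] = value
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    code = secrets.token_hex(8)  # random, not derived from any PHI field
    linkage[code] = record.get("mrn")
    out["linkage_code"] = code
    return out


def limited_data_set(record):
    """LDS: strip direct identifiers and narrative text, keep dates, city, state and ZIP."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS and k not in FREE_TEXT}


# Constructed sample records; not real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-0001", "phone": "555-0100", "email": "jane@example.com",
     "street": "1 Main St", "city": "Boston", "state": "MA", "zip": "02115",
     "birth_date": date(1991, 3, 14), "delivery_date": date(2025, 8, 2),
     "screening_date": date(2025, 8, 30), "epds_score": 14, "notes": "Saw Jane Doe after delivery."},
    {"name": "Ann Roe", "mrn": "MRN-0002", "city": "Keene", "state": "NH", "zip": "03601",
     "birth_date": date(1995, 11, 1), "delivery_date": date(2025, 5, 20),
     "screening_date": date(2025, 6, 1), "epds_score": 9, "notes": "Late complication."},
]

if __name__ == "__main__":
    linkage = {}
    for rec in SAMPLE_RECORDS:
        print("Safe Harbor:", safe_harbor(rec, linkage))
        print("LDS:        ", limited_data_set(rec))
```

Note that the second record's ZIP collapses to `000` because its three-digit area is below the 20,000-person line in the constructed table, and that the LDS still carries full dates and ZIP, which is exactly why it can only leave the organization under a Data Use Agreement.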

Requirements for Data Use Agreements

When disclosing a Limited Data Set to an external recipient, you must execute a Data Use Agreement (DUA). A compliant DUA should:

  • Describe permitted uses and disclosures (for example, research objective, evaluation metrics).
  • Identify who is authorized to use or receive the LDS.
  • Prohibit re-identification and contact with individuals.
  • Require appropriate safeguards, including access controls, secure storage, and breach reporting.
  • Bind agents and subcontractors to the same restrictions.
  • Require the recipient to report any inappropriate use or disclosure and to mitigate harm.
  • Specify return or destruction of the data at project end, if feasible.

A DUA differs from a Business Associate Agreement (BAA). A BAA is needed when a vendor handles PHI on your behalf (for example, hosting your registry). A DUA governs how an external party may use an LDS for defined purposes. Some relationships require both.

Guidelines for Sharing PHI in Treatment

HIPAA permits sharing PHI for treatment without patient authorization. For postpartum depression, you may exchange relevant information with mental health professionals, obstetric and primary care teams, emergency departments, and pediatricians when necessary to coordinate maternal–infant care. The minimum necessary rule does not apply to disclosures for treatment, but you should still limit information to what is clinically pertinent.

Psychotherapy notes receive special protection and generally require the patient’s authorization for disclosure. You may share information with family or caregivers when the patient agrees or, if the patient is incapacitated, when in the patient’s best interest using professional judgment. You may disclose information to prevent a serious and imminent threat to health or safety.

Substance use disorder records may be subject to additional federal confidentiality rules. If such information is part of the registry, apply the stricter standard before sharing.

HIPAA-Compliant Messaging Platforms

When discussing registry participants or coordinating referrals, use a HIPAA-compliant messaging platform. Select platforms that support encryption in transit and at rest, unique user authentication, role-based access, audit logs, remote wipe, and automatic logoff. Execute a BAA with the vendor before transmitting any PHI.

Operational safeguards matter as much as technology. Disable lock-screen message previews, verify recipient identity before sending, avoid PHI in message subjects, and route sensitive attachments through secure portals. Document retention settings so clinical messages that form part of the medical record are captured according to policy.

Do not use standard SMS, personal email, or consumer chat apps for PHI unless they are part of an approved, secured, and contracted solution.

Sharing Mental Health Information Safely

Apply a privacy-by-design approach to mental health information privacy. Segment psychotherapy notes, restrict registry access to a need-to-know basis, and train staff to avoid unnecessary details in free text. Use standardized codes and scales instead of narratives whenever possible.

Before sharing, confirm the purpose (treatment, operations, research), the lawful pathway (authorization, exception, Limited Data Set), and the recipient’s role (covered entity, business associate, external researcher). Record your decision and follow the minimum necessary principle for non-treatment uses.

For external reporting or publications, prefer de-identified data under the De-Identification Safe Harbor or an Expert Determination Method. Aggregate outcomes across broader geographies and timeframes, and suppress small cells that could reveal identities.
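Small-cell suppression, recommended in the registry pitfalls above and again for external publications here, is easy to get wrong: hiding a single small count in a row whose total is also published leaves it recoverable by subtraction. The added example below (not code from the article or from Accountable) applies primary suppression and then complementary suppression until no row or column of a counts table hides exactly one cell. The threshold of 11 is an assumed release rule for the example, and the counts-by-ZIP3-and-quarter table is constructed.

```python
SMALL_CELL_THRESHOLD = 11  # assumed release rule for this example: counts of 1..10 are hidden


def primary_suppression(table, threshold=SMALL_CELL_THRESHOLD):
    """Return a copy of {row: {col: count}} with every small non-zero count replaced by None."""
    return {row: {col: (None if 0 < n < threshold else n) for col, n in cols.items()}
            for row, cols in table.items()}


def lines_with_single_hidden_cell(table):
    """Rows and columns that hide exactly one cell. With published margins such a
    cell is recoverable by subtracting the visible cells from the total."""
    offenders = []
    for row, cols in table.items():
        if sum(v is None for v in cols.values()) == 1:
            offenders.append(("row", row))
    columns = {col for cols in table.values() for col in cols}
    for col in sorted(columns):
        if sum(cols[col] is None for cols in table.values() if col in cols) == 1:
            offenders.append(("col", col))
    return offenders


def complementary_suppression(table):
    """Hide the smallest remaining non-zero cell in each offending row or column,
    repeating until no row or column hides exactly one cell. Input is not modified."""
    out = {row: dict(cols) for row, cols in table.items()}
    while True:
        offenders = lines_with_single_hidden_cell(out)
        if not offenders:
            return out
        kind, label = offenders[0]
        if kind == "row":
            cells = [(v, label, c) for c, v in out[label].items() if v]  # skips None and 0
        else:
            cells = [(out[r][label], r, label) for r in out if out[r].get(label)]
        if not cells:
            # Only zeros remain beside the hidden cell, so no complement can protect it:
            # the table needs coarser geography or wider time bands instead.
            raise ValueError(f"cannot protect {kind} {label}; aggregate the table further")
        _, r, c = min(cells)
        out[r][c] = None


def suppress_small_cells(table, threshold=SMALL_CELL_THRESHOLD):
    """Full release check: primary suppression followed by complementary suppression."""
    return complementary_suppression(primary_suppression(table, threshold))


def can_publish(table, threshold=SMALL_CELL_THRESHOLD):
    """True if suppression alone can protect the table, False if it must be aggregated further."""
    try:
        suppress_small_cells(table, threshold)
        return True
    except ValueError:
        return False


# Constructed counts of positive screens by three-digit ZIP and quarter; not real data.
COUNTS = {
    "021": {"Q1": 40, "Q2": 52, "Q3": 47},
    "036": {"Q1": 3, "Q2": 15, "Q3": 22},
    "038": {"Q1": 18, "Q2": 21, "Q3": 30},
}

if __name__ == "__main__":
    for row, cols in suppress_small_cells(COUNTS).items():
        print(row, {c: ("*" if v is None else v) for c, v in cols.items()})
```

On the constructed table the single count of 3 forces four cells out of the release (a 2x2 block across ZIP3 036 and 038), which is the usual outcome for small areas and narrow time windows and the reason the pitfalls section recommends coarsening before publishing rather than suppressing after.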

FAQs

What information in postpartum depression registry data is considered PHI?

Any data that can reasonably identify a mother or infant and relates to health or care is PHI. That includes screening scores tied to an individual, diagnoses, medications, encounter and delivery dates, contact details, insurance information, and any direct identifiers. Free-text notes that reference unique events or people become PHI when they enable identification.

How can postpartum depression registry data be de-identified under HIPAA?

Use the De-Identification Safe Harbor by removing the 18 direct identifiers and ensuring no actual knowledge of re-identification risk, or use the Expert Determination Method, where a qualified expert documents that the re-identification risk is very small after applying techniques like generalization, suppression, and small-cell masking. Maintain documentation of the method used and perform quality checks on narrative fields.

When is a Data Use Agreement required for sharing registry data?

A Data Use Agreement is required when you disclose a Limited Data Set—PHI without direct identifiers but retaining dates or broad geography—to an external recipient for research, public health, or health care operations. The DUA must specify permitted uses, identify authorized users, prohibit re-identification and contact, require safeguards, and address return or destruction of data.

How does HIPAA regulate sharing mental health information for treatment?

HIPAA allows sharing PHI for treatment without patient authorization, including coordination among mental health, obstetric, primary care, and pediatric teams. Psychotherapy notes receive extra protection and usually require specific authorization. You may disclose information to family with the patient’s agreement or, if incapacitated, based on professional judgment, and you may disclose to prevent a serious and imminent threat to safety.
