Can the device identifier (DI) portion of a Unique Device Identifier (UDI) be part of a limited or de-identified data set as defined under HIPAA?
Yes. A UDI is a unique numeric or alphanumeric code assigned to a device through FDA’s Unique Device Identification System, which is intended to adequately identify medical devices through their distribution and use. A UDI consists of two parts: (1) a device identifier (DI), which is the mandatory, fixed portion of a UDI that corresponds to the model or version of a device; and (2) a production identifier (PI), which is the variable portion of a UDI that identifies one or more of the following when included on the label of a device: lot/batch number, serial number, expiration date, manufacturing date, and donor identification number.
While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets, as defined under 45 CFR § 164.514(e)(2), and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions at 45 CFR § 164.514(b)(2), the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer. Rather, “device identifier” for purposes of the HIPAA standards for limited and de-identified data sets refers to serial and other numbers assigned to a specific device and thus, that may be uniquely identifying for a particular individual. In contrast, as described above, the DI portion of the UDI is the model or version number of a device, which is not unique to a specific device and thus, is not uniquely identifying to a particular individual. Therefore, the DI portion of a device’s assigned UDI may be used or disclosed as part of a limited data set, subject to the required data use agreement, or de-identified data set, under the HIPAA Privacy Rule.
However, the PI portion of a UDI, which includes a serial number or other numbers that correspond to a specific device, would be a “device identifier” referred to in the HIPAA Privacy Rule provisions and, therefore, may not be included in a limited data set or data set that is de-identified in accordance with the “de-identification safe harbor” provisions at 45 CFR § 164.514(b)(2). Further, other types of device identifiers, including those that correspond to custom devices as defined within 21 CFR § 812.3(b) (devices that are limited to no more than 5 units per year of a particular device type and that are exempt from FDA regulations to bear a UDI), may not be included in a limited data set or data set that is de-identified in accordance with the de-identification safe harbor provisions of the HIPAA Privacy Rule. The PI portion of a UDI or such other device identifiers may only be included as part of a de-identified data set to the extent an expert has determined, in accordance with 45 CFR 164.514(b)(1), that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify individuals.