Wednesday, May 2, 2012

Why Should You Care about Deidentified Information?

According to the HIPAA Security and Privacy standard, your practice is responsible for maintaining the confidentiality of Protected Health Information.  Unfortunately, a number of vendors and other parties want access to your information and are placing the confidentiality of your business information and even your patient information at risk.

Many contracts and Business Associates Agreements include standard language that protects you patient’s Protected Health Information from disclosure.  Indeed, there are a wide range of statutory penalties.  However, deidentified information can be used for other purposes that may not be helpful to your practice or your patients.
Most EHR contracts and a wide range of other service contracts include language that gives the Business Associate wide latitude to use your practice’s deidentified information.  For example, many EHR vendor contracts allow use of deidentified information for purposes and at times of the vendor’s choosing. 

Your practice should have a number of problems with such conditions:

Will the vendor properly deidentify protected health information?
In reality, it is very difficult to properly deidentify protected health information.  In addition to the obvious identifiers such as name, address, SSN, and date of birth, an email address and biometric information also needs to be eliminated.  However, other information that could lead to identifying the patient must also be removed from the record. 

Removal of such information could require a painstaking review of the record.  For example, some patient records may include descriptive information about the patient or events surrounding the encounter that could lead to identification of the patient.  At a recent seminar I presented on HIPAA Privacy, one of the participants used the internet to search for the identity of a person using the fact that the injury was related to a motorcycle accident on a particular day in a town.  In less than 20 seconds, the name of the patient and other identifying information was on the screen of the person in the accident.  It is fairly standard practice to include such information in the exam note to provide context to the visit and document the injury for insurance purposes.

Considering the variety of search tools and potential use of information that you needed to properly document the visit, you have to seriously consider the practicality of the vendors deidentification effort.

Could deidentified information disclose information about your practice? – Even if the Protected Health Information has been completely deidentified, you need to consider whether the resulting information could disclose confidential information about your practice.  With information on the EHR product you use and the ability of the EHR vendor to use deidentified information for any purpose, confidential business information could be derived from deidentified information.  For example,

A Business Associate could sell analyses of service coding and drug use using your deidentified information.  Depending on the size of your practice and location, such information could focus on your practice and reveal a wide array of information about your revenue, service mix, patient base, and internal practices. 

An EHR vendor could provide deidentified information that would reveal device or product use.  For example, an analysis of DME would enable a vendor to determine competitive product use at your practice.

In order to avoid use of deidentified information to reveal confidential information about your patients or practice, you should make sure that

No party has any rights that would allow them to make unilateral use of your patient information for any purpose.

Use of information is limited to structured information that has been properly deidentified.  Free form notes and unstructured information is difficult to properly deidentify and should not be available for use.

Use of any deidentified information in specific or summary form will be comingled with enough data from other sources to prevent anyone from identifying your practice as the source of the deidentified information.  For example, if you are the only EHR user in the zip code, the vendor should not sell zip code specific deidentified information.

In the case of your Protected Health Information, you need to control the use of information by any party that could divulge information about your practice or lead to the identity of a patient. 

For more posts on HIPAA Security and Privacy, click here.

For strategies that you need to avoid HIPAA Privacy and Security lapses, contact Sterling Solutions at (800)967-3028 or click here.

No comments:

Post a Comment