Protected Health Information (PHI) is Personal
Protected health information (PHI) is some of the most personal information that exists about you and me. It includes things like our date of birth, height, weight, address, contact numbers, family member names, medication history and more. Generally, an individual receiving health care knows that their PHI will be used for their treatment, for payment and for certain health care operations. Do they also know that their PHI can be sanitized (de-identified) and used for research?
PHI Can Be De-Identified, and Therefore Less Personal
At long last, the HHS Office for Civil Rights (OCR) has issued guidance regarding how health insurers, clearinghouses and medical providers should strip patient records of identifying information, in order to permit data to be exempt from privacy restrictions and used in clinical and research studies.
The HHS guidance presents two methods by which health care companies can satisfy a so-called de-identification standard contained within the privacy rule of the Health Insurance Portability and Accountability Act, affectionately known as HIPAA. These two methods are expert determination and safe harbor. OCR’s guidance is designed to help covered entities understand de-identification, the general process by which de-identified information is created, and the options available for performing de-identification.
The HIPAA Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following certain de-identification methods. The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.
Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.
If a covered entity decides to de-identify information via the expert route, the guidance states that the following criteria must be met:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination;
Interestingly, OCR takes pains to state that there is no particular credential necessary for this expert. If the matter becomes one of OCR enforcement, OCR would look at a particular expert’s qualifications on a case-by-case basis. The expert does not necessarily need to be a statistician.
If a covered entity decides to de-identify by entering the “safe harbor,” there is a rather exhaustive list of what information must be removed. This includes names, street addresses, complete ZIP codes, telephone numbers and social security numbers. OCR points out that only 3 data points (date of birth, gender and ZIP code) uniquely identify over ½ of US citizens.
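The uniqueness point can be checked on a data set before it is released. The following Python is an added example, not part of the OCR guidance or of this post: it counts how many records are unique on date of birth, gender and ZIP code, then repeats the count after coarsening dates to the year and ZIP codes to their first three digits, as the safe harbor method does. The sample records and the SMALL_ZIP3 set are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real patients): (date of birth, gender, ZIP code)
RECORDS = [
    ("1980-03-14", "F", "02139"),
    ("1980-07-02", "F", "02139"),
    ("1980-11-23", "F", "02141"),
    ("1975-01-30", "M", "02139"),
    ("1975-09-09", "M", "02142"),
    ("1962-05-05", "F", "03601"),
]

# Hypothetical set of 3-digit ZIP prefixes covering 20,000 or fewer people;
# a real set has to be derived from Census data.
SMALL_ZIP3 = {"036"}


def generalize(record, small_zip3=SMALL_ZIP3):
    """Coarsen one record the way safe harbor treats dates and ZIP codes."""
    dob, gender, zip_code = record
    year = dob[:4]        # keep only the year of the date
    zip3 = zip_code[:3]   # keep only the first three ZIP digits
    if zip3 in small_zip3:
        zip3 = "000"      # sparsely populated prefix is replaced by 000
    return (year, gender, zip3)


def unique_fraction(records):
    """Fraction of records whose combination of values appears exactly once."""
    counts = Counter(records)
    return sum(1 for r in records if counts[r] == 1) / len(records)


def smallest_group(records):
    """Size of the smallest group of records sharing one combination."""
    return min(Counter(records).values())


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("unique before:", unique_fraction(RECORDS))
    print("unique after: ", unique_fraction(coarse))
    print("smallest group after:", smallest_group(coarse))
```

In this sample every raw record is unique, and one record is still unique after coarsening, which is why the safe harbor method also requires that the covered entity have no actual knowledge that the remaining information could identify an individual.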
PHI is Irresistible to Researchers and Others Because it is a Rich Resource
My personal take on this dates back several years when I recognized that HITECH was invariably tied to the Affordable Care Act in the following ways:
- HITECH has incentivized health care providers through both a carrot and stick approach to adopt electronic health records.
- HITECH established funding for networking health care providers to share this data.
- HITECH, through the mechanism of meaningful use, has developed a methodology for collecting health data on all patients. This includes things like smoking status and body mass index.
- The Affordable Care Act ties patient outcome and cost of care to reimbursement.
- To control health care costs and maximize better health care outcomes, it makes sense to draw from all available data to see what treatments work best for high-cost chronic conditions that strain the health care system such as heart disease, asthma and diabetes. The data has to come from somewhere.
- Privacy advocates and others are concerned that our health information will be grist for the research mill whether we want it to be or not.
- Many individuals are concerned about privacy breaches involving their most sensitive personal information.
- On the other hand, researchers, policy-makers and others are salivating over the rich data that now exists to answer many compelling questions and bring us further down the road to curing cancer and other devastating illness.
Varying interests must be balanced moving forward, but one wonders if a patient will be able to fully comprehend that their health information may be scrubbed and used for research. Perhaps we all have a moral obligation to contribute to the body of scientific research aimed at helping us all live healthier lives. But at what point could such research be used to deny care on the basis that it has been proven that in most cases a particular treatment succeeds very seldom yet is very expensive?
We enter into a brave new world. May patients, providers and the public remain engaged on the topic of PHI. Please leave a comment if you’d like to join the discussion!