Why Should You Care about Deidentified Information?
Ron Sterling
Sterling Solutions
Author: Keys to EMR/EHR Success
According to the HIPAA Security and Privacy standard, your practice is responsible for maintaining the confidentiality of Protected Health Information. Unfortunately, a number of vendors and other parties want access to your information and are placing the confidentiality of your business information and even your patient information at risk.
Many contracts and Business Associates Agreements include standard language that protects you patient’s Protected Health Information from disclosure. Indeed, there are a wide range of statutory penalties. However, deidentified information can be used for other purposes that may not be helpful to your practice or your patients.
Most EHR contracts and a wide range of other service contracts include language that gives the Business Associate wide latitude to use your practice’s deidentified information. For example, many EHR vendor contracts allow use of deidentified information for purposes and at times of the vendor’s choosing.
Your practice should have a number of problems with such conditions.
Will the vendor properly deidentify protected health information?
In reality, it is very difficult to properly deidentify protected health information. In addition to the obvious identifiers such as name, address, SSN, and date of birth, an email address and biometric information also needs to be eliminated. However, other information that could lead to identifying the patient must also be removed from the record.
Removal of such information could require a painstaking review of the record. For example, some patient records may include descriptive information about the patient or events surrounding the encounter that could lead to identification of the patient. At a recent seminar on I presented on HIPAA Privacy, one of the participants used the internet to search for the identity of a person using the fact that the injury was related to a motorcycle accident on a particular day in a town. In less than 20 seconds, the name of the patient and other identifying information was on the screen of the person in the accident. It is fairly standard practice to include such information in the exam note to provide context to the visit and document the injury for insurance purposes.
Considering the variety of search tools and potential use of information that you needed to properly document the visit, you have to seriously consider the practicality of the vendors deidentification effort.