Notice of Privacy Practices
We have reviewed the HIPAA law and related final regulations to ensure full and timely compliance of systems and procedures with applicable HIPAA requirements.
We have reviewed the Standards for Privacy of Individually Identifiable Health Information promulgated by the Department of Health and Human Services (HHS) pursuant to HIPAA and HITECH. Please note that the services THEM facilitates are excluded from compliance with these regulations as such services are consistent with the use of de-identified patient data.
De-Identified Patient Data
De-identified patient data is health information from a medical record that has been stripped of all “direct identifiers”—that is, all information that can be used to identify the patient from whose medical record the health information was derived. According to the Health Insurance Portability and Accountability Act (HIPAA), there are 18 direct identifiers that are typically present in patient medical records.
- Geographic subdivisions smaller than a state (e.g. street address, city and ZIP code)
- All dates that are related to an individual (e.g., date of birth, admission)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal locators (URLs)
- IP address numbers
- Biometric identifiers such as fingerprints and voice prints
- Full-face photographic images
- Other unique identifying numbers, characteristics or codes
According to HIPAA, there are 3 acceptable ways to de-identify patient data. The first is the “safe harbor” option, in which all 18 identifiers are removed. Currently, THEM operates within this safe harbor option. The second is the “statistical” option, in which a retained statistician determines which of the 18 identifiers can be maintained without creating greater than a “very small” risk that the data could be re-identified. The third is the “limited data set” technique, in which the organization removes 16 identifiers and protects what remains with special security precautions.
Why is De-identified Patient Data So Important?
De-identified patient data can be used to improve care, estimate the costs of care, and support public health initiatives. Scientists have been engaged in this process for years while achieving worthy results. Notable examples include:
• Harvard University researchers used de-identified patient data from electronic health records at Partner’s Healthcare System in Boston to discover previously unknown adverse events associated with diabetes drugs, and to identify cohorts of individuals that were at risk for morbid events ranging from heart attacks to domestic abuse.
• Epidemiologists in Utah used de-identified patient data from VistA, the electronic health record used by the Veteran’s Administration, to help define optimal care strategies for post-traumatic stress disorder, methicillin-resistant Staph aureus and congestive heart failure.
• Nephrologists in Hawaii used de-identified patient data from HealthConnect, the electronic health record by Kaiser Permanente, to improve care-coordination between primary care physicians and specialists for those afflicted with kidney disease.
• Prior to being acquired by IMS Health, analysts at SDI Health used de-identified data to track prescribing patterns for scarce anti-viral drugs during recent flu outbreaks.
THEM and De-Identified Patient Data
Because THEM is seeking to help other entities improve the quality of health care and make positive life-changing impacts similar to those noted above, de-identified patient data is an extremely valuable source of information. After taking proper safeguards and in a manner consistent with vendor and commercial interests mentioned above, we intend to be a conduit to allow de-identified patient data to be used for a variety of purposes.
Is De-Identified Data the same thing as Protected Health Information?
No. De-identified data is a completely different category than Protected Health Information (PHI).1 PHI is personally identifiable health information. This information is extremely sensitive, private, and confidential, and it is covered by the HIPAA Privacy Rule. THEM is not allowed to share this information and will never do so because we enforce any vendor, supplier, or covered entity with patient data to extricate the 18 factors noted above. This not only ensures compliance with HIPAA by THEM but also helps any covered entity under HIPAA remain protected as well.
We are continuously enhancing our security framework. This allows us a unified security framework that provides the direction to ensure the availability, integrity and accuracy of company assets and vendor/customer data. The framework also provides the foundation that enables secure access to company assets by employees, customers and business partners anytime from anywhere. Components include, but are not limited to:
- Security policies, procedures and guidelines
- Security awareness and training
- Risk assessment and management
- Data classification
- Security monitoring and reporting
- Incident response/management
- Security consulting
- Security auditing
- Implementation/utilization of the security tools of the trade
We have undertaken an extensive review and inventory of products and data transfers to verify those outside the scope of the HIPAA Rules. We have developed policies and procedures so that THEM is capable of conducting safe transactions of information that protects both the patients and the covered entity as defined under HIPAA.
1 As identified by the U.S. Department of Health and Human Services National Institutes of Health. Further information available at https://privacyruleandresearch.nih.gov/pr_08.asp