By Lisa A. Eramo
Patients want to protect their health data. Can you blame them? Health data breaches occur all the time due to laptop theft, unauthorized access, or loss of devices that store personal health information. As organizations have expanded their use of health information technology, these breaches have continued to increase. Health information management professionals play an important role in the protection of patient data in an era where they are increasingly asked to package electronic data for use in public health reporting.
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the Secretary of Health and Human Services to post on its Website a list of all breaches of unsecured protected health information that affect 500 or more individuals. This list, which has grown steadily over the past few years, now includes nearly 1,000 breaches affecting more than 700,000 patients, according to Melamedia, LLC. Some experts have appropriately dubbed this list HHS’ “wall of shame.”
Many patients are reluctant to share their health data, particularly when it’s for purposes other than clinical treatment, payment, or operations. According to the Health Insurance Portability and Accountability Act (HIPAA), which is designed to protect patient privacy and security, covered entities and business associates must typically obtain a patient’s consent before releasing protected health information.
Protected health information is defined as “individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium” (45 CFR 160.103). According to the U.S. Department of Health and Human Services, protected health information is data, including demographic information, which relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, social security number) when they can be associated with the health information listed above.
However, there are exceptions to HIPAA’s requirement for patient authorization to release protected health information. HIPAA does allow public health authorities to access protected health information without the patient’s consent when this access occurs for a variety of public health purposes. In fact, healthcare facilities are actually mandated to report certain information at the state and federal levels. Doing so allows public health officials to take action or develop policies and procedures that protect the population at large.
As organizations implement electronic health records (EHRs) that continue to churn out volumes and volumes of health data, public health authorities will want to tap into that data even more. Health information management (HIM) professionals with expertise in health information technology must ensure that public health reporting strikes a necessary balance between benefiting the greater good while also maintaining privacy and security per HIPAA.
HIM professionals can contribute to this highly complex conversation in several ways:
1. Educate patients about how and why their personal health data is used. Be clear and transparent with patients about all of the potential entities to whom data is released and how states and the federal government actually use this information. Even if explicit authorization is not required, patient trust and confidence are critical to the success of data sharing.
“The average individual doesn’t realize that, often, their health data is sent to public health authorities if they have certain conditions or diseases, or even just as a matter of routine reporting for surveillance purposes,” Deven McGraw, director at the Health Privacy Project at the Center for Democracy and Technology told O’Reilly Media, Inc. “Some of this is about keeping a trustworthy environment for individuals so they can seek the care they need. That’s a key goal for privacy. The other aspect of it is making sure we have the data available for important public purposes, but in a way that respects the fact that this data is sensitive.”
2. Focus on data integrity. Even despite an organization’s best efforts to maintain a clean Master Patient Index and record data accurately, mistakes do happen. However, HIM professionals must make every effort to minimize these errors that can result in costly denials, inaccurate data reports, or worse yet, poor clinical outcomes.
3. Understand the challenges inherent in data de-identification. The de-identification of protected health information occurs when identifiers are removed from the health information. This process mitigates privacy risks to individuals and also supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors. HIM professionals must know when de-identification is necessary and the methods for doing so. These methods in which HIM must be well versed include Expert Determination and Safe Harbor.
Daniel C. Barth-Jones, MPH, PhD, assistant professor of clinical epidemiology at Columbia University, says that properly de-identified data is an “invaluable good.” During an HHS workshop on the HIPAA privacy rule’s de-identification standard, he stated the following:
“De-identified health data greatly benefits our society and provides strong privacy protections for the individuals. As the promise of EHRs and health IT yields richer de-identified clinical data, the progress of our nation’s healthcare reform will be built on a foundation of such de-identified health data.”
HIM professionals possess the skills and knowledge necessary to drive public health reporting forward while also serving as a patient advocate to protect privacy and security.