DIMACS Working Group on Privacy / Confidentiality of Health Data
Rutgers University Center
Piscataway, New Jersey
December 10-12, 2003

Health Care Databases under HIPAA: Statistical Approaches to De-identification of Protected Health Information

Judith E. Beach, Ph.D., Esq.
Associate General Counsel, Regulatory Affairs
Chief Privacy Officer
Chair, Council on Data Protection and Council on Research Ethics

Outline
1. Evolution of De-identification Standards – HIPAA Privacy Regulation
2. De-identification Standards for Health Information in Research
   a. Safe Harbor
   b. Statistician Method
      - HIPAA Provisions
      - Quintiles Experience and Methodology
   c. Limited Data Set
3. Preemption of State laws on De-identification Standards for Health Information
4. Health Information Privacy - Cases and Controversies

Evolution of De-Identification Standards in HIPAA Privacy Regulation

Federal Policy: De-Identification of Health Information
- Government’s intent - to provide a balance of stringent standards flexible enough not to be a disincentive to use or disclose de-identified health information, wherever possible.
- De-Identified health data is one of the best mechanisms for avoiding wrongful disclosure of Protected Health Information (PHI).
See Draft (05/27/03) DHHS Policy and Procedure Manual “De-Identification Policy d11” (effective date 6/1/03) - applies to DHHS agencies: HIPAA covered health care components and Internal Business Associates

Federal Policy: Use of De-identified Health Data Rather than PHI for Research
“We [HHS] expressed the hope that covered entities, their business [associates] and others would make greater use of de-identified health information . . . when it is sufficient for the [research] purpose and that such practice would reduce the burden and the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes.”
[HHS, in final privacy rule, 65 Fed. Reg. at 82543 (Dec. 28, 2000), citing proposed privacy rule of Nov. 3, 1999]

HIPAA’s Jurisdiction
- Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information, that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual
- Protected health information (PHI): Means individually identifiable health information (IIHI = Health Information + Identifier) that is transmitted or maintained electronically, or transmitted or maintained in any other form or medium
- An investigator who submits health claims would be a HIPAA covered entity (CE)
  - CE + Health Information + Identifier = PHI
  - CE + Identifier - Health Information = NOT PHI
  - Health Information + Identifier - CE = NOT PHI

De-identification Standards for Health Information in Research

De-identified Health Information
- Definition: health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. [45 CFR § 164.514(a)]
- The Privacy Rule permits de-identification of PHI so that such information may be used and disclosed freely, without being subject to the Privacy Rule’s requirements.
- Once de-identified, the data is out of the Privacy Rule.

HIPAA De-identification Standards
Two methods for the de-identification of health information:
- “Safe Harbor” -- remove 18 specified identifiers - intended to provide a simple, definitive method for de-identifying health information with protection from litigation
- “Statistician Method” -- retain some of the safe harbor’s 18 specified identifiers; the standard is met if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods, e.g., a Biostatistician, determines and documents that the risk of re-identification is very small.
[45 CFR § 160.514]

Limited Data Set
- Final rule: added another method requiring removal of facial identifiers -- “Limited Data Set”
  - Under confidentiality agreements - for research, public health, and health care operations
  - Regarded as PHI - NOT de-identified
    - therefore, still subject to Privacy Rule requirements such as minimum necessary rule.

Safe Harbor Method

Safe Harbor
- Covered entities must remove all of a list of 18 enumerated identifiers and have no actual knowledge that the information remaining could be used alone or in combination to identify a subject of the information.
- The identifiers to be removed include
  - direct identifiers such as name, address, SSN
  - indirect identifiers such as birth date, admission and discharge dates, and five-digit zip code
[45 CFR § 160.514(b)(2)]

Safe Harbor
The safe harbor does allow for the disclosure of
- All geographic subdivisions no smaller than a State, as well as the initial three digits of a zip code
  - IF the geographic unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people
- AGE, if less than 90, gender, ethnicity and other demographic information not listed.

Safe Harbor’s 18 Identifiers
- Names
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
  - Except for the initial three digits of a zip code if according to the currently available data from the Bureau of the Census:
    - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000;
- All elements of dates (except year) for dates directly relating to an individual, including:
  - birth date, admission date, discharge date, date of death;
  - and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.

Sources of Authority
In Privacy Rule Preamble, HHS recognizes two sources of authority as to what constitutes such principles and methods for de-identification adequate for posting a de-identified database on the Internet [65 Fed. Reg. at 82,709-82,710 (Dec. 28, 2000)]
- “Paper 22”: Statistical Policy Working Paper 22—Report on Statistical Disclosure Limitation Methodology
- “The Checklist”: The Checklist on Disclosure Potential of Proposed Data Releases - “intended primarily for use in the development of public-use data products.”

Safe Harbor
- BUT many researchers and other groups have complained that the Safe Harbor renders the de-identified data as virtually useless for research so that the result will be MORE research using PHI.
  - No dates of service, no patient initials, no date of birth
  - Can have “deltas” such as number of patient visits over time
- However, the safe harbor was NOT designed for research, but to provide an approved method of de-identification for any purpose by any covered entity, regardless of sophistication.
  - For instance, such de-identified data would be deemed to be safely posted on the Internet.

Statistician Method

Statistician Method
For this method, the covered entity
- must remove all direct identifiers
- reduce the number of variables on which a match might be made
- should limit the distribution of records through a “data use agreement” or “restricted access agreement”
[65 Fed. Reg. at 82,709-710 (Dec. 28, 2000)]

Opinion of Statistician
Statistician must
- determine that there is a “very small risk” of re-identification
- after applying “generally accepted statistical and scientific principles and methods for rendering information not individually identifiable”
- document the methods and results of the analysis that justify such determination.
[45 CFR 160.514(b)(1)]

Statistician Method
This method has been generally ignored by covered entities, who
- prefer a safe harbor approach, with “safe” being the operative word.
- consider the Statistician alternative as too complicated.

Statistician Method: Quintiles Experience
- An expert statistician calculated the statistical likelihood of re-identification IF all 18 safe harbor identifiers were removed, that is, the “de-identification probability.”
- Then, the statistician calculated the likelihood of re-identification if certain dates of service of medical or pharmacy claims were retained
- And rather than age or year of birth, which is allowed in the safe harbor, the month and year of birth was included.

Statistician’s Opinion
This calculated number, the “de-identification probability,” served as a benchmark of a “very small risk of re-identification” against which the statistician method would be compared.

Analysis: Comparison of Both Methods
To ensure the statistical likelihood of re-identification was comparable to that of the calculated safe harbor benchmark, the following data fields were made stricter than as permitted by the safe harbor:
- For all patients older than 85 years of age (rather than 90), the year of their birth modified to make them all 85 years old.
- All five-digit patient zip codes truncated to first 3 digits and further merged so that no resulting 3 digit code has a total population of less than 200,000.

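The two sets of generalization rules compared here can be run side by side. The following is an added example, not code from the presentation or from Quintiles: it applies the Safe Harbor thresholds (ZIP3 changed to 000 at 20,000 or fewer people, ages 90 and over pooled, dates reduced to year) and this slide's stricter thresholds (age 85, 200,000) with month of birth and dates of service retained, then counts records whose released fields match no other record. The ZIP3 populations, the records, the reference date, the greedy merge and its `Mnn` labels are all assumptions; the slides do not describe how the merge or the statistician's probability calculation was done.

```python
from collections import Counter
from datetime import date

REF_DATE = date(2003, 12, 10)  # assumed "as of" date for computing ages

# Constructed ZIP3 populations for illustration (not Census figures).
ZIP3_POP = {"059": 18_500, "275": 650_000, "276": 240_000,
            "821": 95_000, "822": 120_000, "823": 30_000}

# Constructed records: (five-digit zip, birth date, sex, date of service).
RECORDS = [
    ("27514", date(1950, 3, 14), "F", date(2003, 5, 2)),
    ("27599", date(1950, 8, 30), "F", date(2003, 5, 2)),
    ("27601", date(1912, 1, 5), "M", date(2003, 7, 19)),
    ("27603", date(1909, 6, 21), "M", date(2003, 11, 3)),
    ("05901", date(1975, 11, 2), "F", date(2003, 2, 11)),
    ("82301", date(1975, 4, 9), "F", date(2003, 2, 11)),
]


def age_on(birth, ref=REF_DATE):
    """Age in completed years on the reference date."""
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))


def safe_harbor_zip_map(pop):
    """Keep a ZIP3 only if its area holds more than 20,000 people, else 000."""
    return {z: (z if n > 20_000 else "000") for z, n in pop.items()}


def merged_zip_map(pop, min_pop=200_000):
    """Merge under-threshold ZIP3s, in sorted order, into groups of >= min_pop.

    The greedy grouping and the "Mnn" labels are assumptions made for this
    example; the slide states only the 200,000 floor.
    """
    mapping, groups, bucket, total = {}, [], [], 0
    for z in sorted(pop):
        if pop[z] >= min_pop:
            mapping[z] = z
            continue
        bucket.append(z)
        total += pop[z]
        if total >= min_pop:
            groups.append(bucket)
            bucket, total = [], 0
    if bucket and groups:
        groups[-1].extend(bucket)          # fold the remainder into the last group
        bucket = []
    for i, group in enumerate(groups, 1):
        mapping.update({z: f"M{i:02d}" for z in group})
    mapping.update({z: "000" for z in bucket})  # nothing to merge with: suppress
    return mapping


def safe_harbor(rec, zmap):
    """Safe Harbor view: ZIP3, age with 90+ pooled, sex, year of service only."""
    zip5, birth, sex, service = rec
    age = age_on(birth)
    return (zmap.get(zip5[:3], "000"), "90+" if age >= 90 else age, sex, service.year)


def stricter(rec, zmap):
    """Slide's variant: merged ZIP3, month and year of birth with the year
    shifted so nobody is older than 85, sex, and the full date of service."""
    zip5, birth, sex, service = rec
    year = birth.year + max(0, age_on(birth) - 85)
    return (zmap.get(zip5[:3], "000"), f"{year}-{birth.month:02d}", sex,
            service.isoformat())


def group_sizes(records, transform, zmap):
    """Size of each set of records that share identical released fields."""
    return Counter(transform(r, zmap) for r in records)


def unique_records(records, transform, zmap):
    """Number of records whose released fields match no other record."""
    return sum(1 for n in group_sizes(records, transform, zmap).values() if n == 1)


if __name__ == "__main__":
    views = (("safe harbor", safe_harbor, safe_harbor_zip_map(ZIP3_POP)),
             ("stricter zip/age", stricter, merged_zip_map(ZIP3_POP)))
    for name, transform, zmap in views:
        print(name, unique_records(RECORDS, transform, zmap), "unique of", len(RECORDS))
        for row, n in group_sizes(RECORDS, transform, zmap).items():
            print("   ", n, row)
```

Uniqueness within six constructed records says nothing about population-level risk; the point is that the count is taken over the fields actually released, so every retained date or birth month has to be offset by coarser values elsewhere.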
Factors Considered by Statistician
In the analysis, the statistician pointed out the obvious:
- The de-identified data received is conveyed under a confidentiality agreement, which specifically prohibits re-identification or further disclosure of the data except in statistically aggregated form.
- The database is maintained on a physically and technically secure, password-protected server.

Statistician’s Opinion
“Applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, . . . I conclude that the risk is very small that the information . . . could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. . . . In practice the actual reidentification probabilities are much, much lower . . . arguably de minimis.”

Statistician Method
- It is clear that most persons who have reviewed the Privacy Rule have failed to appreciate the significance of the statistician opinion to de-identification, and, instead, have focused almost exclusively on the "safe harbor."
- In particular, many have failed to understand the importance of the "restricted access" as it relates to the statistician opinion approach to de-identification.

Ensuring HIPAA Compliance
[Diagram labels: Patient identifiable electronic healthcare claims (standard health claims data fields); Data Encryption Process; De-identified data; Data Warehouse]
- All data handled is de-identified using a unique patient identifier that is irreversibly encrypted.
- Encrypted Patient Information: Zip*, DOB**, Sex
  * zip = 3 digit
  ** DOB = modified
- Upon completion of the de-identification process a unique patient identifier is created, which is irreversibly encrypted.

Core Data Elements
Pharmacy Data: Jan ‘98 - to date
Medical Data: July ‘98 - to date

RX Pharmacy Data (NCPDP)
- Anonymous Patient ID
- Patient Age & Gender
- Date Written
- Date Filled
- NDC Code
- Quantity Dispensed
- Days Supply
- Refill Flag
- Prescribing Physician
- Pharmacy
- Payor Type^

MX Provider Data (HCFA 1500)
- Anonymous Patient ID
- Patient Age & Gender
- Diagnosis Codes (ICD9)
- Procedure Codes (CPT)
- Service Dates
- Physician/Provider ID
- Location of Care
- Payor Type

HX Facility Data (UB-92)
- Anonymous Patient ID
- Patient Age & Gender
- Diagnosis Codes (ICD9)
- Procedure Codes (CPT)
- DRG
- Admit Date
- Discharge Date
- Physician/Provider ID
- Location of Care
- Payor Type

^Note: Payor Type not available on all records

Physician Demographics
- Specialty
- Region
- Number of years in practice
- Prescribing volume
- Type of practice
- Number of HMO / PPO / IPA affiliations
- % patient volume by insurance type
- Physician race
- Physician age

Patient Characteristics
- Location of contact
- Height and weight
- Age
- Gender
- Race
- Blood pressure
- Cholesterol levels (total, HDL, LDL, triglycerides)
- Insurance type
- Physician reimbursement method (fee-for-service vs. capitation)
- Smoker or non-smoker

Disease Entities
- Visits (with and without drugs)
- Visits per physician per year
- Total patients seeking treatment
- Newly diagnosed patients
- Visit type (first vs. subsequent)
- Referrals and referring specialty
- Severity of condition
- Tests ordered or completed during visit
- Existing medical conditions not treated
- Number of times seen and days since last visit
- Number of patient drug requests for condition

Treatment Regimens
- Dosage form, strength and signa
- Formulary impact
- Quantity prescribed and number of refills (mean and frequency)
- Weighted diagnosis value
- Dispensing instructions
- Occurrences per physician per year
- Therapy type:
  - New
  - First-line versus adjunct therapy
  - Drug replacement and reason
  - Continued

Treatment Regimens
- Desired action
- Concomitant drugs (to treat same diagnosis)
- Concurrent drugs (regardless of diagnosis)
- Drug issuance
- Sample days of therapy (mean and frequency)
- Prescribed days of therapy (mean and frequency)
- Daily average consumption (DACON)
- Non-drug therapy

Limited Data Set (LDS)

HHS’ Solution: Limited Data Set
- For research, public health, or health care operations purposes
- Authorization not required
- A limited data use agreement must be in place between the covered entity and the recipient of limited data set (LDS) [45 CFR §164.514(e)]
“Data Use Agreements would only be needed for those public health, research, or health care operation uses and disclosures that are not otherwise permitted by federal or state laws.” [See Draft (05/27/03) DHHS Policy and Procedure Manual “De-Identification Policy d11”]

LDS = Still PHI
Regarded as PHI, that is, not de-identified data and, therefore subject to requirements for protection of PHI such as
- Prohibits re-identification or any attempt to contact individuals by recipient
  - BUT re-identification code permitted for covered entity
- Subject to minimum necessary standards
  - BUT no accounting of disclosures or IRB approval

Limited Data Set Specifications
- May be useful for records-based research such as epidemiological and other population research
- But may NOT be useful for patient recruitment
  - Because re-identification of individuals, or any attempt to contact individuals, by a third party is prohibited, even if by the Researcher (without IRB or internal privacy board approval), unless the contact is made by the Covered Entity or the Covered Entity’s Workforce.

LDS: Remove 16 Identifiers
- Name
- Postal address information (other than city, state, zip code)
- Telephone number
- Fax number
- E-mail address
- Social Security Number
- Medical record / prescription numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate / license numbers
- Vehicle identity / serial numbers
- Device numbers
- Web URL
- IP address
- Biometric identifiers (e.g., fingerprints, retinal scans)
- Full face similar photographic images
[45 CFR §164.514(e)(2)]

LDS: Retain Indirect Identifiers
- Five-digit zip code
- Dates of service (e.g., admission / discharge)
- Dates of birth and death
- Geographic subdivision (e.g., state, county, city, precinct), but not street address

Statistical Method for Dummies
“Limited Data Set” . . . the Statistician Method made easy.

Preemption of State Laws on De-identification Standards for Health Information

Preemption of De-identification Standards - A View
- HIPAA Statute and privacy regulation
- Preemption of state law only if
  - The provision of state law relates to the privacy of individually identifiable health information
  - HIPAA Statute § 1178 AND 45 CFR §§ 160.202 - .204

Preemption of State Law: HIPAA Statute
- Health information considered identifiable and, therefore, subject to all requirements of rule ONLY if “reasonable basis to believe that the information can be used to identify the individual.”
- Exception to preemption - when states can assert contrary and more stringent definition of “individually identifiable health information”
  - But exception analysis does not apply to de-identified data

Preemption: Deidentification Standards
- Thus, states would be preempted from enforcing a standard for deidentification that exceeds the “reasonable basis” definition of individually identifiable health information as established in HIPAA statute.
- Note: in response to Quintiles’ written request, HHS responded by revising preemption section of the Rule to refer to “individually identifiable” health information rather than merely health information.

Privacy Cases & Controversies: De-identified Health Databases

U.S. Controversy
- Quintiles Transnational Corp. v. WebMD
  - No demonstrable violation of HIPAA or other privacy law by transmission and aggregation of deidentified health data
  - Inhibits additional state regulation of national electronic data system
- Order of Judge Terrence Boyle.
  - Re de-identified data: “the Dormant Commerce Clause prevents the individual states from regulating the interstate transmission of data.”
[No. 5:01-CV-180-BO(3), U.S. EDNC Western Division]

UK Controversy
- Regina v. Department of Health, Ex Parte Source Informatics Ltd. [Judge Latham, 4 All ER 185, May 29, 1999; Case No. CO\4490\97, Queen’s Bench Division]
- Judge Latham dismissed applicants' application for a Declaration that a policy document issued in March 1996 by the Department of Health “The Protection [and] Use of Health Information.”

UK: Source Informatics: Overturned on Appeal
- Court of Appeals: Simon Brown, Aldous and Schiemann LJJ: 21 December 1999
- Where a patient's identity was protected, it would not be a breach of confidence for general practitioners and pharmacists to disclose to a third party, without the patient's consent, the information contained in the patient's prescription form for marketing research purposes.

UK Health and Social Care Bill: Clause 65
- Department of Health included language in the Health and Social Care Bill that would have essentially reinstated the lower court’s opinion (Judge Latham’s)
- After heavy lobbying in the House of Lords against Clause 65, the language was defeated.

Conclusion
The key is . . .
Safeguarding protected health information by encouraging use of federal standards for de-identification of health data for clinical research.