De-identification, defined and explained. Dan Stocker, MBA, MS, QSA Professional Services, Coalfire

Size: px
Start display at page:

Download "De-identification, defined and explained. Dan Stocker, MBA, MS, QSA Professional Services, Coalfire"

Transcription

1 De-identification, defined and explained Dan Stocker, MBA, MS, QSA Professional Services, Coalfire

2 Introduction This perspective paper helps organizations understand why de-identification of protected health information (PHI) is important. Covered entities and their business associates currently face the challenge of realizing value from healthcare data while protecting patient privacy. De-identification can provide a way to satisfy both needs without the need for a Data Use Agreement (DUA). Two Scenarios A healthcare provider is approached by a university interested in data about the cancer treatments offered by the provider. The university is willing to pay for access to data that will allow them to study the effectiveness of offered treatments. The manner in which the provider shares the data is very important. If the provider is insufficiently attentive to the HIPAA Privacy Rule, they may simply remove the names of their patients from the data and consider that sufficient for patient privacy protection. If the data is subject to re-identification by correlating the remaining personal identifying information with other available sources (e.g. census data, voter registration lists, etc.), the identities of patients and their health information could be reconstructed. This would constitute a breach of privacy and potentially subject the provider to a civil penalty. Re-identification risk is not hypothetical: studies have shown that between 63% and 87% of the U.S. population is uniquely identifiable by the combination of their birth date, gender and zip code. On the other hand, if the provider followed one of the two approved methods to de-identify the shared data, the risk of re-identification would be managed. By ensuring that there is no reasonable basis to believe that individuals can be identified in the data, the provider will have met its regulatory responsibilities under HIPAA. HIPAA Privacy Rule The HIPAA Privacy Rule outlines the requirements for PHI that apply to both covered entities and business associates.

3 Protected Health Information (PHI) The Privacy Rule protects most individually identifiable health information, regardless of form, that is in the possession of a covered entity or business associate. The following constitute PHI: Individual demographic data Information about individual healthcare provisions Payment information related to individual healthcare Common individual identifiers, such as: name, address, birth date and Social Security Number (SSN) Examples of PHI would include medical records that associate an individual with their healthcare, such as laboratory records and bills for treatment. This is the key to the definition: healthcare information or individual identifiers alone do not constitute PHI. There must be an association between the two types of information. An important consequence of this is that data which reports averages for demographics (i.e. cannot be used to identify any individual) is not considered PHI and may be shared. If a covered entity wishes to share PHI, it must have a Data Use Agreement with the recipient, or it must de-identify all PHI in the data. Why Share At All? The central tool applied to shared health data is called data mining. A combination of machine learning, statistical analysis and advanced database techniques is applied to large data sets in an attempt to identify patterns and features of the data that are not obvious. These patterns and features are new information derived from the data. Health-related data have value in a number of ways: Researchers can mine large data sets to find significant and useful patterns that suggest new treatments or improvements to existing procedures. The larger the data sets, the better the results. Insurance and other risk management organizations can use data about outcomes to improve resource allocations, and generate better return on investment (ROI).

4 Health data represent significant value for health providers. Finding a way to share the data that enables realization of the economic value while respecting patient privacy is a high priority for the industry. The Privacy Rule outlines two methods for de-identifying PHI. Expert Determination A covered entity may choose to have an expert determine that the data to be shared is not individually identifiable. That expert must be qualified by having appropriate education and experience. Knowledge of statistical, mathematical or scientific methods is a good baseline. The expert should apply statistical and scientific principles and methods and document their work and findings. The considerations are potentially many. The expert must consider the risk of re-identification by combining the data set with other available data sets (including prior versions). One example: some records contain a birth date, while others have an age. If a timestamp of the second record is known, the ages are valuable keys to the birth dates and can connect the otherwise disparate records. The expert must determine an acceptable level of identification risk. Given the pace of advances in data mining and associated technology, any determination should be considered a risk assessment, with an inherent expiration. The primary advantage of hiring an expert is the outsourcing of a highly technical operation. Safe Harbor A covered entity may choose to de-identify data themselves prior to sharing. The HIPAA Privacy Rule offers guidance on how they may accomplish this so the covered entity or business associate can claim the benefits of Safe Harbor. Safe Harbor is very desirable as it carries no fines or penalties in the event of a breach.

5 Types of Data to Remove There is a long list of data types to be removed. They fall roughly into four categories: Personal data: names, pictures, biometrics, vehicle identifiers, contact info, id/account numbers. Dates more specific than the year may not be included if they apply to an individual. Geographic subdivision data smaller than a U.S. state may not be included. Some zip codes may be used with only their first three digits, unless that zip code has less than 20,000 residents. Identifying numbers: serial numbers, URLs, record/certificate/license numbers. No Actual Knowledge After the removal of the data that increases risk of re-identification, the covered entity or business associate must lack actual knowledge of the ability to reidentify the data. This does not mean theoretical ability, but rather refers to the nature of the remaining data. One example that Health and Human Services (HHS) uses to illustrate this is a patient whose occupation is so rare as to uniquely identify them. In practice, this standard will require covered entities and business associates to examine data thoroughly after removing the PHI. Two Important Points Not Zero Risk: No Reasonable Basis As explained above, the state of the art of re-identification is advancing in parallel to deidentification. The HIPAA Privacy Rule does not require zero risk of re-identification, as that would be impractical. The standard is no reasonable basis. If there is a known technique to identify an individual from the data, then there is a reasonable basis to believe it can be done. Interpretation of reasonable will have technical and legal dimensions. Structured vs. Unstructured Data It would be easy to overlook that PHI can appear in unstructured data, such as physician notes, but that would be a mistake. The provisions of the HIPAA Privacy Rule apply to all data, whether structured or unstructured. This can pose technical hurdles for covered entities that do not have granular control over unstructured data. This should also be addressed in Business Associate Agreements.

6 Conclusion Within the context of a Business Associate Agreement, de-identification is not required (for example, sending medical records to a billing vendor). However, in the absence of a Data Use Agreement, covered entities and their business associates who do not de-identify PHI shared with outside parties accept a risk of breach of privacy and civil penalties. De-identification isn t just a good idea it s the rule. Fortunately, there are two paths to satisfy the HIPAA Privacy Rule. Covered entities with the requisite talent in-house may choose to de-identify shared data themselves, keeping mindful of the no actual knowledge standard. Alternately, expertise is available for hire. Either way, it s a good investment.

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance  De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " " D even McGraw " Director, Health Privacy Project January 15, 201311 HIPAA Scope Does not cover all health data Applies

More information

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Session Objectives Examine the value of realistic information in research and software testing Explore the challenges of de-identifying health

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units

More information

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 How to De-identify Data Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 1 Outline The problem Brief history The solutions Examples with SAS and R code 2 Background The adoption

More information

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training Public Health and HIPAA This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health. It is imperative

More information

HIPAA PRIVACY RULE & AUTHORIZATION

HIPAA PRIVACY RULE & AUTHORIZATION HIPAA PRIVACY RULE & AUTHORIZATION Definitions Breach. The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy

More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

What is Covered by HIPAA at VCU?

What is Covered by HIPAA at VCU? What is Covered by HIPAA at VCU? The Privacy Rule was designed to protect private health information from incidental disclosures. The regulations specifically apply to health care providers, health plans,

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA Big Data Analytics Under HIPAA Kevin Coy and Neil W. Hoffman, Ph.D. Privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule can have a significant

More information

The De-identification of Personally Identifiable Information

The De-identification of Personally Identifiable Information The De-identification of Personally Identifiable Information Khaled El Emam (PhD) www.privacyanalytics.ca 855.686.4781 info@privacyanalytics.ca 251 Laurier Avenue W, Suite 200 Ottawa, ON Canada K1P 5J6

More information

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc.

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA as it Pertains to IRBs and Research Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA Acronym for the Health Insurance Portability and Accountability Act of 1996

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

New Guidance on De-Identification of Protected Health Information Released by Office of Civil Rights

New Guidance on De-Identification of Protected Health Information Released by Office of Civil Rights Health Care ADVISORY December 7, 2012 New Guidance on De-Identification of Protected Health Information Released by Office of Civil Rights On November 26, 2012, the United States Department of Health and

More information

De-identification Koans. ICTR Data Managers Darren Lacey January 15, 2013

De-identification Koans. ICTR Data Managers Darren Lacey January 15, 2013 De-identification Koans ICTR Data Managers Darren Lacey January 15, 2013 Disclaimer There are several efforts addressing this issue in whole or part Over the next year or so, I believe that the conversation

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

De-Identification of Clinical Data

De-Identification of Clinical Data De-Identification of Clinical Data Sepideh Khosravifar, CISSP Info Security Analyst IV TEPR Conference 2008 Ft. Lauderdale, Florida May 17-21, 2008 1 1 Slide 1 cmw1 Craig M. Winter, 4/25/2008 Background

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE

THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE As demand for data sharing grows, healthcare organizations must move beyond data agreements and masking to achieve

More information

HIPAA Basics for Clinical Research

HIPAA Basics for Clinical Research HIPAA Basics for Clinical Research Audio options: Built-in audio on your computer OR Separate audio dial-in: 415-930-5229 Toll-free: 1-877-309-2074 Access Code: 960-353-248 Audio PIN: Shown after joining

More information

HIPAA 101: Privacy and Security Basics

HIPAA 101: Privacy and Security Basics HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually

More information

De-Identification of Clinical Data

De-Identification of Clinical Data De-Identification of Clinical Data Sepideh Khosravifar, CISSP Info Security Analyst IV Tyrone Grandison, PhD Manager, Privacy Research, IBM TEPR Conference 2008 Ft. Lauderdale, Florida May 17-21, 2008

More information

IRB Month Investigator Meeting April 2014

IRB Month Investigator Meeting April 2014 April 2014 AUDITS TRENDS EMR COMPLIANCE PRACTICES EMR FEDERAL REGULATIONS MONITORING REGULATORY SECURITY THREATS ACADEMI CINA BREACHES REVIEW COMPUTING MOBILE CLOUD HIPAA CENTER OPERATION S RESEARCH C

More information

Children's Hospital, Boston (Draft Edition)

Children's Hospital, Boston (Draft Edition) Children's Hospital, Boston (Draft Edition) The Researcher's Guide to HIPAA Evervthing You Alwavs Wanted to Know About HIPAA But Were Afraid to Ask 1. What is HIPAA? 2. What is the Privacy Rule? 3. What

More information

De-Identification 101

De-Identification 101 De-Identification 101 We live in a world today where our personal information is continuously being captured in a multitude of electronic databases. Details about our health, financial status and buying

More information

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development To understand the requirements of the federal Health Information Portability

More information

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Institutional Review Board (IRB) IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Overview The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations,

More information

Degrees of De-identification of Clinical Research Data

Degrees of De-identification of Clinical Research Data Vol. 7, No. 11, November 2011 Can You Handle the Truth? Degrees of De-identification of Clinical Research Data By Jeanne M. Mattern Two sets of U.S. government regulations govern the protection of personal

More information

A De-identification Strategy Used for Sharing One Data Provider s Oncology Trials Data through the Project Data Sphere Repository

A De-identification Strategy Used for Sharing One Data Provider s Oncology Trials Data through the Project Data Sphere Repository A De-identification Strategy Used for Sharing One Data Provider s Oncology Trials Data through the Project Data Sphere Repository Prepared by: Bradley Malin, Ph.D. 2525 West End Avenue, Suite 1030 Nashville,

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

Understanding De-identification, Limited Data Sets, Encryption and Data Masking under HIPAA/HITECH: Implementing Solutions and Tackling Challenges

Understanding De-identification, Limited Data Sets, Encryption and Data Masking under HIPAA/HITECH: Implementing Solutions and Tackling Challenges Understanding De-identification, Limited Data Sets, Encryption and Data Masking under HIPAA/HITECH: Implementing Solutions and Tackling Challenges Daniel C. Barth-Jones, M.P.H., Ph.D. Assistant Professor

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 6 I. Policy A limited data set is protected health information that excludes direct identifiers. The UW HCC units may use or disclose a limited data set only for the purposes of public health

More information

Security standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11

Security standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11 Security standards PCI-DSS, HIPAA, FISMA, ISO 27001 End Point Corporation, Jon Jensen, 2014-07-11 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this

More information

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related

More information

Anonymizing Unstructured Data to Enable Healthcare Analytics Chris Wright, Vice President Marketing, Privacy Analytics

Anonymizing Unstructured Data to Enable Healthcare Analytics Chris Wright, Vice President Marketing, Privacy Analytics Anonymizing Unstructured Data to Enable Healthcare Analytics Chris Wright, Vice President Marketing, Privacy Analytics Privacy Analytics - Overview For organizations that want to safeguard and enable their

More information

HIPAA Privacy Common Questions: Definitions

HIPAA Privacy Common Questions: Definitions Brought to you by Momentous Insurance Brokerage, Inc. HIPAA Privacy Common Questions: Definitions What is a Covered Entity under the HIPAA Privacy Rules? The following organizations are governed by this

More information

HIPAA Compliance for Students

HIPAA Compliance for Students HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits

More information

HIPAA and Clinical Research

HIPAA and Clinical Research To Heal. To Teach. To Discover. HIPAA and Clinical Research 2011 Training Jennifer Edlind, UH Privacy Officer Ryan Terry, UH Information Security Officer 1 Agenda Research credentialing overview HIPAA

More information

Guidance on De-identification of Protected Health Information November 26, 2012.

Guidance on De-identification of Protected Health Information November 26, 2012. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule November 26, 2012 OCR gratefully

More information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security

More information

Perform Covered Entity functions but is not a member of the CE s workforce. Business associates are not covered entities. Business associates are

Perform Covered Entity functions but is not a member of the CE s workforce. Business associates are not covered entities. Business associates are HIPAA Solutions in Outsourcing: Working with Medical Transcription Services as Business Associates Kathy A. Rockel, CMT Consultant Healthcare Documentation Solutions Reston, Virginia KARockel@msn msn.com

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

Memorandum. Factual Background

Memorandum. Factual Background Memorandum TO: FROM: SUBJECT: Chris Ianelli and Jill Mullan, ispecimen, Inc. Kristen Rosati and Ana Christian, Polsinelli, PC ispecimen Regulatory Compliance DATE: January 26, 2014 You have asked us to

More information

Accessing Electronic Health Record Data for Human Subjects Research: Challenges and Solutions August 2, 2012

Accessing Electronic Health Record Data for Human Subjects Research: Challenges and Solutions August 2, 2012 Accessing Electronic Health Record Data for Human Subjects Research: Challenges and Solutions August 2, 2012 Regulatory Challenges and Solutions Mark A. McAndrew, J.D. (Taft) Sara Simrall Rorer, J.D. (Taft)

More information

Malpractice Issues for the Radiologic Technologist

Malpractice Issues for the Radiologic Technologist Malpractice Issues for the Radiologic Technologist Carol Ann Marunich, Esquire Dinsmore & Shohl LLP 215 Don Knotts Boulevard, Suite 310 Morgantown, West Virginia 26501 304-296-1100 X44 2006 Dinsmore &

More information

Principles and Best Practices for Sharing Data from Environmental Health Research: Challenges Associated with Data-Sharing: HIPAA De-identification

Principles and Best Practices for Sharing Data from Environmental Health Research: Challenges Associated with Data-Sharing: HIPAA De-identification Principles and Best Practices for Sharing Data from Environmental Health Research: Challenges Associated with Data-Sharing: HIPAA De-identification Daniel C. Barth-Jones, M.P.H., Ph.D Assistant Professor

More information

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which became law in February of this

More information

IRB Application for Medical Records Review Request

IRB Application for Medical Records Review Request Office of Regulatory Research Compliance Institutional Review Board FORM B1 : Medial Records Review Application FORM B1 IRB Application for Medical Records Review Request Principal Investigator: Email:

More information

TriageLogic Information Security Policy

TriageLogic Information Security Policy TriageLogic Information Security Policy What is HIPAA, and what information is protected by it? HIPAA, short for the United States Health Insurance Portability and Accountability Act, is a set of standards

More information

HIPAA Compliance Issues and Mobile App Design

HIPAA Compliance Issues and Mobile App Design HIPAA Compliance Issues and Mobile App Design Washington, D.C. April 22, 2015 Presenter: Shannon Hartsfield Salimone, Holland & Knight LLP, Tallahassee and Jacksonville, Florida Agenda Whether HIPAA applies

More information

Violation Become a Privacy Breach? Agenda

Violation Become a Privacy Breach? Agenda How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices

More information

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act

HIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act HIPAA Health Insurance Portability & Accountability Act This presentation and materials provided are for informational purposes only. Please seek legal advisor assistance when dealing with privacy and

More information

Big Data: Research Ethics, Regulation and the Way Forward. Tia Powell, MD AAIC Washington, DC, 2015

Big Data: Research Ethics, Regulation and the Way Forward. Tia Powell, MD AAIC Washington, DC, 2015 Big Data: Research Ethics, Regulation and the Way Forward Tia Powell, MD AAIC Washington, DC, 2015 1854 Broad Street Cholera Outbreak Federal Office of Personnel Management Data Breach, 2015 Well-known

More information

De-Identification Framework

De-Identification Framework A Consistent, Managed Methodology for the De-Identification of Personal Data and the Sharing of Compliance and Risk Information March 205 Contents Preface...3 Introduction...4 Defining Categories of Health

More information

Secondary Uses of Health Data IMPAC s Oncology Data Alliance Program

Secondary Uses of Health Data IMPAC s Oncology Data Alliance Program Secondary Uses of Health Data IMPAC s Oncology Data Alliance Program NCVHS August 1, 2007 Joel Goldwein, MD Senior Vice President, Medical Affairs IMPAC Medical Systems Inc. IMPAC Medical Systems, Inc.

More information

What is Covered under the Privacy Rule? Protected Health Information (PHI)

What is Covered under the Privacy Rule? Protected Health Information (PHI) HIPAA & RESEARCH What is Covered under the Privacy Rule? Protected Health Information (PHI) Health information + Identifier = PHI Transmitted or maintained in any form (paper, electronic, forms, web-based,

More information

The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law. It establishes a floor of Federal privacy

The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law. It establishes a floor of Federal privacy The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law. It establishes a floor of Federal privacy protections and individual rights with respect to individually

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Virginia Commonwealth University Information Security Standard

Virginia Commonwealth University Information Security Standard Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

Roadmap. What is Big Data? Big Data for Educational Institutions 5/30/2014. A Framework for Addressing Privacy Compliance and Legal Considerations

Roadmap. What is Big Data? Big Data for Educational Institutions 5/30/2014. A Framework for Addressing Privacy Compliance and Legal Considerations Big Data for Educational Institutions A Framework for Addressing Privacy Compliance and Legal Considerations Roadmap Introduction What is Big Data? How are educational institutions using Big Data? What

More information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information Part 1: How HIPAA affects electronic transfer of protected health information It is difficult

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

APPENDIX 1: Frequently Asked Questions

APPENDIX 1: Frequently Asked Questions APPENDIX 1: Frequently Asked Questions Practice Name Q: What is the HIPAA Privacy Rule? A: The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI).

More information

Data Security Basics: Helping You Protect You

Data Security Basics: Helping You Protect You Data Security Basics: Helping You Protect You Why the Focus on Data Security? Because ignoring it can get you: Fined Fired Criminally Prosecuted It can also impact your ability to get future funding, and

More information

IAPP Practical Privacy Series. Data Breach Hypothetical

IAPP Practical Privacy Series. Data Breach Hypothetical IAPP Practical Privacy Series Data Breach Hypothetical Presented by: Jennifer L. Rathburn, Partner, Quarles & Brady LLP Frances Wiet, CPO and Assistant General Counsel, Takeda Pharmaceuticals U.S.A., Inc.

More information

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager HIPAA, Research, and the IRB Michelle Brown, BBA Biomedical IRB Manager Agenda Brief History of HIPAA How Did We Get Here? When Does HIPAA Apply to Research? How Do Researchers Access & Share PHI Under

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

HIPAA and You The Basics

HIPAA and You The Basics HIPAA and You The Basics The Purpose of HIPAA Privacy Rules 1. Provide strong federal protections for privacy rights Ensure individual trust in the privacy and security of his or her health information

More information

ENSURING ANONYMITY WHEN SHARING DATA. Dr. Khaled El Emam Electronic Health Information Laboratory & uottawa

ENSURING ANONYMITY WHEN SHARING DATA. Dr. Khaled El Emam Electronic Health Information Laboratory & uottawa ENSURING ANONYMITY WHEN SHARING DATA Dr. Khaled El Emam Electronic Health Information Laboratory & uottawa ANONYMIZATION Motivations for Anonymization Obtaining patient consent/authorization not practical

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set. IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Limited Data Sets and Data Use Agreements 10200 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel

More information

Health Data Breaches: Complying with New HIPAA Notification Rule and Mitigating Damages

Health Data Breaches: Complying with New HIPAA Notification Rule and Mitigating Damages Presenting a live 90-minute webinar with interactive Q&A Health Data Breaches: Complying with New HIPAA Notification Rule and Mitigating Damages Navigating Complex Challenges for Healthcare Data Management,

More information

The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care

The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care WHITE PAPER: THE HITECH BALANCING ACT The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care October 2009 By John McNeely President and CEO Sword & Shield Enterprise Security, Inc. [

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application Health Insurance Portability & Accountability Act (HIPAA) Compliance Application IRB Office 101 - Altru Psychiatry Center 860 S. Columbia Rd, Grand Forks, North Dakota 58201 Phone: (701) 780-6161 PROJECT

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

HIPAA SELF STUDY TRAINING GUIDE

HIPAA SELF STUDY TRAINING GUIDE HIPAA SELF STUDY TRAINING GUIDE I have received the LifeWays HIPAA SELF STUDY TRAINING GUIDE. I understand that I will be accountable for the information contained in the guide. If I have questions I may

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

Protecting Patient Privacy. Khaled El Emam, CHEO RI & uottawa

Protecting Patient Privacy. Khaled El Emam, CHEO RI & uottawa Protecting Patient Privacy Khaled El Emam, CHEO RI & uottawa Context In Ontario data custodians are permitted to disclose PHI without consent for public health purposes What is the problem then? This disclosure

More information

SECURETexas Health Information Privacy & Security Certification Program FAQs

SECURETexas Health Information Privacy & Security Certification Program FAQs What is the relationship between the Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST)? The THSA and HITRUST have partnered to help improve the protection of healthcare

More information

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done? Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

CancerLinQ Data Quality Management Policies

CancerLinQ Data Quality Management Policies CancerLinQ Data Quality Management Policies I. Introduction CancerLinQ is committed to conquering cancer through appropriate, secure and ethical usage of health information entrusted to the CancerLinQ

More information

University of Cincinnati Limited HIPAA Glossary

University of Cincinnati Limited HIPAA Glossary University of Cincinnati Limited HIPAA Glossary ephi System A system that creates accesses, transmits or receives: 1) primary source ephi, 2) ephi critical for treatment, payment or health care operations

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

GAO PRESCRIPTION DRUG DATA. HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight

GAO PRESCRIPTION DRUG DATA. HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight GAO United States Government Accountability Office Report to Congressional Committees June 2012 PRESCRIPTION DRUG DATA HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance

More information

HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013

HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013 HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013 Presented by: Monica C. Hocum, Esq. and Leia C. Olsen, Esq. Agenda

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies?

Upcoming OCR Audits for HIPAA Compliance: How Prepared and Confident are Medical Practices and Billing Companies? Upcoming : How Prepared and Confident are Medical Practices and Billing Companies? - Presented by NueMD a complete medical billing and practice management software solution company has partnered with Porter

More information

Yale University Open Data Access (YODA) Project Procedures to Guide External Investigator Access to Clinical Trial Data Last Updated August 2015

Yale University Open Data Access (YODA) Project Procedures to Guide External Investigator Access to Clinical Trial Data Last Updated August 2015 OVERVIEW Yale University Open Data Access (YODA) Project These procedures support the YODA Project Data Release Policy and more fully describe the process by which clinical trial data held by a third party,

More information

Data Driven Approaches to Prescription Medication Outcomes Analysis Using EMR

Data Driven Approaches to Prescription Medication Outcomes Analysis Using EMR Data Driven Approaches to Prescription Medication Outcomes Analysis Using EMR Nathan Manwaring University of Utah Masters Project Presentation April 2012 Equation Consulting Who we are Equation Consulting

More information