Protecting patient data: Beyond EHR systems

Robert A. Dowling, MDIn my past two columns (See: urologytimes.com/privacy-series), I have reviewed the sensitive nature of protected health information, the role of medical practices as stewards of that information, the contribution protected health information makes to the larger problem of identity theft in this country, and what urology practices can do to prevent breaches generally. 

Recommended: How to safeguard your patients’ information

There are a number of primary systems in a urology practice where protected health information can be exposed: electronic health records, practice management systems, and others. In this final installment in a series on privacy and security concerns, I will discuss issues related to secondary use of data derived from those primary systems. 

Federal, state, foreign laws apply to data

If you have used, or are considering using, data/analytics derived from patient care activities for another purpose beyond direct patient care, there are a number of things to consider. First, there is a patchwork of federal, state, and foreign laws and regulations that apply to health care information. While many are familiar with HIPAA, HITECH, and the HIPAA Privacy Rule and Security Rule, rules from other federal agencies, including the Federal Trade Commission, also can apply.

State laws regarding privacy, data security, and breach notification are often broader in coverage and scope than HIPAA. State laws can be much more restrictive on use of data for marketing and sales-with those terms defined broadly. Patient authorization for use of data can be different or more stringent in certain states, and the penalties for violations or breaches different. Finally, some practices may be subject to foreign laws and regulations that extend to cover foreign citizens’ data when care occurred in the United States.

Also read: Business of urology is more than just A/R, RVUs

There are other considerations for use of medical data beyond the legal issues. Moving data from one system to another in a reliable, repeatable process is a logistical challenge that typically involves professional people and processes that are complex and error prone. Data in transit and data at rest create opportunities for breaches and may leave information exposed to missed security policies and cleanup activities.Encrypting and securing data once it has left a source system must conform to certain standards.

Data quality (or lack thereof) can be a very important concern if the secondary use of data is for patient care. Is the data complete, accurate, and contemporary? The integrity, privacy, and security of the data may impose different requirements depending on whether it is to be used for research, marketing, quality improvement, benchmarking, or commercial purposes.

NEXT: De-identifying data

De-identifying data

De-identification is another consideration for secondary use of protected health information for most (not all) purposes. There are two methods recognized by HIPAA for de-identification-a safe harbor method involving the removal of 18 identifiers and an expert certification method. In the second method, a third party renders a determination that the risk is very small that a patient who is the subject of the information could be identified-alone or in combination with other information. This is a new and burgeoning area of business and legal activity, but the concern for practices who may consider de-identifying their data is potential liability should a patient be identified-especially if those data are being aggregated by a party with access to other health care data sets.

You might also like: How ICD-10 is changing how you do Dx coding

Finally, there are other legal and compliance issues. A practice considering “selling” its data directly or indirectly may invoke Sunshine Act reporting requirements when dealing with a pharmaceutical company. Physicians and those purchasing from physicians will need to be versed in fair market value concepts, and perhaps even engage a valuation firm.

Bottom line: Physician practices are the stewards of highly confidential information, and with that comes the responsibility to carefully safeguard that information. Protected health information is generated and stored in primary systems that have their own vulnerabilities. As you consider secondary uses of this information, remember the complicated framework within which you operate to gain any benefit and avoid risk.