Protecting Patient Privacy re new HIPAA rules

Article: Student Nurses Pose HIPAA Challenges: De-Identification, Minimum Necessary

http://www.aishealth.com/Compliance/Hipaa/RMCStudentnurses.html

The student nurse proudly placed the patient's chart in the overhead projector as she continued her presentation to the class. She had remembered to white out the patient's name, but all other identifying information remained: address, age, etc.. One of the students in the class recognized the address; it was her ex-boyfriend's house. The age matched. Hmmm, she thought. Interesting. I guess Sammy's been hitting the bottle hard. He's got cirrhosis of the liver.

There goes another privacy breach, this one caused by the failure of the student nurse to de-identify protected health information so it isn't protected health information anymore. The HIPAA privacy regulation has specific guidelines on stripping PHI so it can be used for purposes, such as teaching and research, outside the normal realm of treatment, payment and operations. While it seems simple - covered entities must remove revealing information from PHI so the patient can't be identified - there are some aspects that could make it a compliance albatross.

"Don't be fooled by the broad-brush concept of de-identification. It is much more complex," says privacy official Jim Passey of Valley Health System in California. "It's a big sleeper issue."

Student nurses are one example of two related but different HIPAA compliance challenges: making sure protected health information is "de-identified" according to the HIPAA regulation, and. ensuring clinicians and others have access only to the minimum necessary amount of PHI to get their work done. The de-identification rule basically says you can disclose PHI for reasons outside of treatment, payment and operations only if, essentially, it is no longer PHI because you followed the HIPAA safe harbor and stripped it of 19 identifying data elements. The minimum necessary rule says some PHI access will be determined on a sweeping, job-category basis, while other PHI access will be decided on a case-by-case basis according to your policy and procedure.

When are student nurses a de-identification issue under HIPAA? When nurse training programs are being conducted by contract with a community hospital (i.e., a non-teaching facility). "Student nurses come in and perform on-the-job training in the hospital, but the majority of the class work is done in a community college or four-year institution that is in no way connected with the hospital other than to provide, by contract, a workplace for nurses to get some hands-on training. That would be a privacy problem since there is no way for the control of disclosures to take place in a classroom setting," Passey says.

Many hospitals affiliate with nurse training or mentoring programs. These nurses-in-training shadow other nurses and assist with patients, but their affiliation is with the nursing school. Class assignments often call for medical record documentation, so student nurses will make copies of records - often without de-identifying them, Passey says. Or student nurses may try to get the medical records department to hand over patient records. "Student nurses are taking records to talk about generic clinical care issues. It doesn't matter who the patient is. They just want to say 'here is the scenario, here is the condition, here is how it is documented.' They don't need the name, address, phone number and Social Security number," he says. "They get so caught up in the academics that they forget about privacy."

Academic Medical Centers a Different Story

But student nurses at hospitals affiliated with medical schools or nursing schools may be a different story. Their clinical work probably falls under HIPAA's general allowance for clinicians to access protected health information for payment, treatment and operations, says attorney Brian Gradle. Health care operations includes conducting training programs in which students, trainees or practitioners in the health care field learn under supervision to practice or improve their skills as health care providers. "Consequently, as long as a provider (e.g., a hospital) has obtained the standard consent from a patient and has a sufficient privacy notice, it can use the patient's medical records for such training."

But, he says, hospitals and other covered entities must comply with the "minimum necessary" standard. That means the covered entity must make reasonable efforts to limit the use of the PHI to the minimum necessary to accomplish the intended purpose. The HIPAA guidance released by HHS this past summer says that "minimum necessary" is to be determined in an approach consistent with the best practices and guidelines already used by many providers to limit the unnecessary sharing of information, Gradle says.

"Regarding medical trainees, the guidance states that covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patient information, including entire medical records.ÿI would interpret this to mean that while the trainee can have access to the medical information, access to the patient identifying information should be limited to the extent appropriate," he says.

Distinguishing the de-identification and minimum necessary requirements may seem like a tough call sometimes, especially with regard to student nurses. "Some people will be confused by the minimum necessary rule and de-identify the information completely, rather than give the minimum necessary to satisfy the research needs," says consultant Errick Woosley. "Covered entities should also remember that this release is not required by law and does not meet the requirements for a safe harbor since not all 19 elements are removed. Therefore, an authorization for the release of the information must be obtained from the patient prior to the release of the information."

'Appropriate' Person Must OK De-identification

Another unanticipated challenge with de-identification: HIPAA has strict rules on who gives the stamp of approval that patient information has been adequately de-identified. "People are struggling to decide who should be keeper of the records," says Woosley. "It has to be someone who has the authority to oversee and maintain compliance [with the requirement], which means it has to be someone who has the authority to sanction individuals who might release information that was not de-identified." He figures it will probably be the privacy officer.

The HIPAA privacy regulation says health information that "identifies" an individual is subject to the HIPAA privacy standard. Consequently, health information that does not identify an individual, and with respect to which there is no "reasonable basis" to believe that information can be used to identify any individual, is not subject to the privacy standard.

There are two mechanisms that allow covered entities to declare that PHI is not individually identifiable, the HIPAA rule states. They are:

-- A person with appropriate knowledge and experience, applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, determines and documents that the risk is "very small" that the information (either alone or in combination with other reasonably available information) could be used to identify an individual; or

-- The following 18 identifiers are removed regarding the individual, relatives, employers or household members:

(1) Names

(2) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to current Census data, (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and (b) the initial three digits of a zip code for all geographic units containing 20,000 or fewer people is changed to 000

(3) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

(4) Telephone numbers

(5) Fax numbers

(6) Electronic mail addresses

(7) Social Security numbers

(8) Medical record numbers

(9) Health plan beneficiary numbers

(10) Account numbers

(11) Certificate/license numbers

(12) Vehicle identifiers and serial numbers, including license plate numbers

(13) Device identifiers and serial numbers

(14) Web Universal Resource Locator (URL)

(15) Internet protocol (IP) address number

(16) Biometric identifiers, including finger or voice prints

(17) Full face photographic images and any comparable images

(18) Any other unique identifying number, characteristic or code.

Also, the covered entity cannot have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.

-