Using de-identified health information to improve care: What, how and why
De-identified patient data is health information from a medical record that has been stripped of all “direct identifiers”—that is, all information that can be used to identify the patient from whose medical record the health information was derived. According to the Health Insurance Portability and Accountability Act (HIPAA), there are 18 direct identifiers that are typically present in patient medical records.
These include:
- Names
- Geographic subdivisions smaller than a state (e.g., street address, city and ZIP code)
- All dates that are related to an individual (e.g., date of birth, admission)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- IP address numbers
- Biometric identifiers such as fingerprints and voice prints
- Full-face photographic images
- Other unique identifying numbers, characteristics or codes
According to HIPAA, there are 3 acceptable ways to de-identify patient data. The first is the “safe harbor” option, in which all 18 identifiers are removed. The second is the “statistical” option, in which a retained statistician determines which of the 18 identifiers can be maintained without creating greater than a “very small” risk that the data could be re-identified. The third is the “limited data set” technique, in which the organization removes 16 identifiers and protects what remains with special security precautions.
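As an added illustration (not Practice Fusion's code), the sketch below applies the "safe harbor" approach to one structured record: it drops every field in the identifier categories listed above, then checks free-text notes for identifiers that leaked into narrative. The field names, patterns and sample record are hypothetical and constructed for this example.

```python
import re

# Hypothetical field names mapped onto the identifier categories listed above.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "date_of_birth", "admission_date",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo", "other_unique_id",
}
# Identifiers that commonly leak into narrative text (assumed formats).
RESIDUAL_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}

def strip_direct_identifiers(record):
    """Drop every field that falls in one of the identifier categories."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}

def scrub_free_text(text):
    """Mask residual identifiers; return (masked text, kinds that were found)."""
    found = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        text, hits = pattern.subn(f"[{kind.upper()}]", text)
        if hits:
            found.append(kind)
    return text, found

def deidentify(record, text_fields=("note",)):
    """Return (de-identified record, report of identifiers found in free text)."""
    out = strip_direct_identifiers(record)
    report = {}
    for field in text_fields:
        if field in out:
            out[field], kinds = scrub_free_text(out[field])
            if kinds:
                report[field] = kinds
    return out, report

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe", "zip": "00000", "state": "UT", "diagnosis": "asthma",
    "date_of_birth": "1970-01-01", "mrn": "MRN-0001",
    "note": "Pt called from (555) 010-1234 on 03/14/2010; email "
            "jdoe@example.com. Reports wheezing. SSN 000-12-3456 on file.",
}
```

A non-empty report means identifiers were sitting in narrative fields, so the record should be reviewed rather than released as-is. Pattern matching will not catch names or other unstructured identifiers written into notes.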
Why is De-identified Patient Data so Important?
De-identified patient data can be used to improve care, estimate the costs of care, and support public health initiatives. Scientists have been doing just this for years. Among many notable examples:
• Harvard researchers used de-identified patient data from electronic health records at Partners HealthCare System in Boston to discover previously unknown adverse events associated with diabetes drugs, and to identify cohorts of individuals that were at risk for morbid events ranging from heart attacks to domestic abuse.
• Epidemiologists in Utah used de-identified patient data from VistA, the electronic health record used by the Veterans Administration, to help define optimal care strategies for post-traumatic stress disorder, methicillin-resistant Staph aureus and congestive heart failure.
• Nephrologists in Hawaii used de-identified patient data from HealthConnect, the electronic health record used by Kaiser Permanente, to improve care coordination between primary care physicians and specialists for those afflicted with kidney disease.
• Analysts at IMS Health used de-identified data to estimate the economic impact of poorly-controlled asthma.
• Analysts at SDI Health used de-identified data to track prescribing patterns for scarce anti-viral drugs during recent flu outbreaks.
Practice Fusion and De-Identified Patient Data
Because Practice Fusion is growing rapidly and is used by providers in all 50 states, our EHR can be a good source of de-identified patient data…a resource that scientists can use in their efforts to improve the quality of care. After taking proper safeguards and in a manner consistent with the EHR vendors and commercial interests mentioned above, we intend to allow our de-identified patient data to be used for a variety of purposes, not unlike the ones mentioned above.
In fact, we have already begun doing this. During the height of the H1N1 flu epidemic last fall, at a time when vaccine supplies were scarce, Practice Fusion undertook a pilot study in which we used de-identified patient data to identify geographic regions characterized by high numbers of patients that were at high risk for complications from H1N1. We could have easily provided the information to public health officials, who could have used it to distribute vaccines to areas where they were most needed.
Is De-Identified Data the same thing as Protected Health Information?
No. De-identified data is not the same thing as Protected Health Information (PHI). PHI is personally identifiable health information. This is exquisitely sensitive, private, and confidential, and it is covered by the HIPAA Privacy Rule. Practice Fusion is not allowed to share this information and will never do so.
Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion