Home Forums Discussions General Discussion AC Data Ownership/Privacy

Is de-identified data still PHI?
And not sure 'opting out' of use of de-identified data is in the agreement.
Then again how much legalize can one read in a sitting; time to play with the grandkids.

A lot has happened in the past week on this issue. Here are my opinions about where we stand now. Headcase and Koby both bring up legitimate and important points.

The biggest concern expressed in our letter last week was a change in Amazing Charts? privacy policy. The policy went from one in which our information could not be shared without our explicit permission, to one where our data could be used in certain forms without our permission or even without prior knowledge.

We were also upset about the fact that this policy change occurred without explicit notice from the company. The company has acknowledged the latter error and is "taking ownership" of it. Their new communication is part of their plan to clarify company policy in an open and transparent manner.

We don't have the final word on what this policy will be. We will only know that after we have seen the new EULA. Their recent statements indicate to me that we will retain appropriate and important control of our data.

Just to be clear, I never felt that Amazing Charts was violating HIPAA regulations. (While most of us believe that HIPAA is designed to protect patient privacy, it also protects a series of practices that facilitate data sharing. That is a topic for another day).
Our ability to keep control of our data if we left Amazing Charts or if the company folded has also never been in dispute. We have always been promised those rights and I believe we have always continued to retain them. This is not a trivial point: it is an important benefit of using Amazing Charts.

The point of contention has been the company?s ability to use our data in a de-identified fashion for an assortment of purposes. Such use might include worthwhile clinical studies or identifying our CME needs. It could also include sale to pharmaceutical companies for reasons less altruistic but more financially beneficial to the company. We understand that AC has not done this yet, but were concerned that the policy change enabled them to do so. It appears that they have backed-off on that policy, and will now give us the option to ?opt-out? of any data sharing. This includes sharing of de-identified data.
In my opinion, this resolves the issue nicely. If users choose to allow the company to use their data, they can choose to do so. If they do not want to share it (for whatever reason; protection of patient privacy or the belief that the data is their own, to utilize however they choose) then they can choose that route.

I see this as a successful resolution for us, as users, and for our patients. I also believe that it benefits AC, as the company retains a special place in the crowded EMR marketplace. AC is the EMR that most respects the privacy of our patients, as well as data property rights of providers.

The process by which this decision occurred is also significant. This issue was brought to the attention of the company at a meeting of the Clinician Advisory Board (CAB) last month. We pointed out the change in policy, and some of us expressed our concern about the policy itself, and also about the fact that it happened in a less than open fashion. After some weeks of internal discussion at AC, we had another CAB meeting last week. In the interim, a significant but fairly small number of users who felt strongly about the issue made their feelings known to John Squire. Company leadership certainly demonstrated a willingness to listen to our concerns. Some of us expressed our views quite forcefully, and while they did not always agree, they always exhibited a willingness to hear our views. The final decision represents a significant departure from their initial plans; a change which occurred in response to all of our input.

No one should expect me to stop expressing my opinions to AC. In my view, the company has much to do to make this EMR into the product we want it to be. On this particular issue, they have demonstrated a willingness to accept our input, align it with company goals and policies, and create a workable solution. After the initial CAB meeting, John Squire said ?we will fix this? and I believe that he did. This should allay some of the fears that the purchase by Pri-Med and the hire of an executive from Microsoft to run AC would change the culture of the company in a negative way. Jon Bertman?s philosophy of kind capitalism is very much alive at AC.

Amen

I don't see a like button so I'll give a THUMBS UP!

Well written Jon.
In case you did not see Charlie's post or get the email, look here for the company response:
http://us5.campaign-archive1.com/?u=e0a478960b8b851feaa5d448d&id=a792198718&e=

I agree that AC the company has shown that is is still looking out for our best interests. That is indeed rare in today's environment.

I would like to thank Jon for taking a lot of his time working on this. I also think management should be applauded for sitting down and listening to the CAB and others to work this out.

Fortunately, while a lot of talking went into this, except for time, it didn't take a ton of resources.

Imagine what Mr. Squires, Kathleen Repoli, Chris Tremblay and Charlie Schacter and others at Amazing Charts could do if the government would only get out of the way. There is no sitting down and having a productive conversation with them.

OUR PATIENT DATA IS PRIVATE!!!!!!!

As Jon said, this is a great decision for patients and physicians and the best niche for AC in today's market.

We need to shout it from the rooftops to help AC. We're the best!

Well said Jon!

Hopefully the rest of ACUC sees this as an important break through!
Corporate America (Primed) namely John Squires and Charley S actually listened and respected our concerns. Scary! I am not sure how to respond except shock and relief.

John Squires has actually listened from the beginning so I think we are lucky to have an advocate. I must say more so than our current medical director who did not quite understand our concern which was interesting from an MD perspective.

Again this is not to say we are not interested in contributing to studies and furthering medical research. This was about our data and the sweat equity involved in building the data.

Thank you Jon and John!

Pete
Alpine Family Medicine

Back to the technical aspects of this question. Is de-identified data still PHI? From what I've read on the HHS website, the answer appears to be no. Health information has to be linkable to individual patients in order to be considered protected. The question that follows is what makes data linkable to an individual patient. The criteria for de-identification are discussed in the link.

Protected Health Information

The HIPAA Privacy Rule protects most ?individually identifiable health information? held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI)2. Protected health information is information, including demographic information, which relates to:

the individual?s past, present, or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient?s name and/or other identifying information associated with the health data content.

By contrast, a health plan report that only noted the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual.

The relationship with health information is fundamental. Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to heath data (see above). If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.

And, about the 'opt-out' question/comment. The opt-out clause is not there now, but Charlie@AC stated in 04/14/2014 Company Update -- EULA / BAA Communication that they will add it.

Thanks for the input Mario, we will be anxiously awaiting the new EULA/BAA version and trust many here will read it carefully.

JamesNT,

Great article.

Leslie,

Thank you!!

JamesNT

Hi Nancy. Sorry about your issues. How is it coming along? I have been trialing 6.6.5, but not in production; so I can't really test it in a work environment.

I am not sure how software or an application would burn out your modem. And, also how to explain how it would allow viruses to get in, although anything is possible. Some malware can move from computer to computer, which is why all computers should have up to date antivirus programs that are up to date. It is also important that the moment you detect a virus, you should isolate that computer from the network. Then use a variety of anti-malware programs to eradicate it. The issue is the famous, "Once infected, always suspected." But, I would think at this point the slow computer(s) would be due to the viruses and not AC. Have you fixed it yet? Good luck.

David, this would be quite easy to do with most firewalls. The problem is while AC could not get in, the information they rely on (phoning home) would not get out, and they would quickly know they had been blocked. Blocking AC would have a lot of other benefits such as using extra doctors, but not allowing AC to see the licenses.

I can't recall if it is in the EULA or on the AC site, but for those who do not have Internet access, can get a special exemption, but they have to "check in" every quarter or so.