HIPAA and De-Identification of PHI — Sometimes Required, Never Easy

Webinar Details

Speaker

Jim Sheldon Dean

Industry

HIPAA and Compliance Conference

Speciality

HIPAA and Compliance Conference

Available

All Days

Duration

90 Minutes


Registration Options

Choose Your Options

Save $20 - [ HEALTHCPTI ]

Error Conference Exists In Wish-list.

Congrats Conference Added In Wish-list.



Need Corporate Discount ?

Find More Webinars Of : HIPAA and Compliance Conference

  • * For more than 6 attendee call us at +1-800-803-7592 or mail us at cs@conferencepanel.com
  • * For Check and ACH payment call us at +1-800-803-7592 or mail us at cs@conferencepanel.com
  • * Click to download the Order Form

Description

Health information is afforded all kinds of protections under the HIPAA regulations but once the information is de-identified, it is no longer protected under HIPAA and can be used or disclosed without limitation. The problem is, de-identification of PHI is harder than it seems. Even if all the identifiers listed in the rules are removed, the context of information and other external factors can reveal the identity of the subject. Following the guidance provided by HHS and the National Institute of Standards and Technology (NIST) is essential to avoid inappropriate disclosures that may reveal a patient's identity and result in fines.

In some cases, it may be possible to share the needed information more easily once it has been properly de-identified. While releasing information for research purposes may call for HIPAA Authorization from each patient or approval by review boards and stringent controls on the information, if the research can be done without the identifying data, such Authorizations are reviews are not necessary.

But truly de-identifying information is not a simple or foolproof process. Oftentimes the context of the information or the uniqueness of information can give away the identity. If information is not properly de-identified and released inappropriately as a result, it can result in fines and corrective action plans that can reach into the millions of dollars. The right process needs to be followed to ensure that data that is shared is shared appropriately, either as identifiable information, as a partially de-identified Limited Data Set, or as properly de-identified information.

Session Highlights

  • De-identification and its Rationale
  • The De-identification Standard
  • Preparation for De-identification
  • Guidance on Satisfying the Expert Determination Method
  • Who is an expert
  • How do experts assess the risk of identification of information
  • What are the approaches by which an expert assesses the risk that health information can be identified
  • What are the approaches by which an expert mitigates the risk of identification of an individual in health information
  • Guidance on Satisfying the Safe Harbor Method
  • What are examples of dates that are not permitted according to the Safe Harbor Method?
  • What constitutes "any other unique identifying number, characteristic, or code" with respect to the Safe Harbor method of the Privacy Rule
  • What is "actual knowledge that the remaining information could be used either alone or in combination with other information to identify an individual who is a subject of the information."

Key Points

Today health information needs to be shared more than ever, but how can that be done most easily within the limits of HIPAA?  One way is to de-identify the information. Once PHI has been de-identified, it is no longer protected under HIPAA and may be shared freely without limitation. The problem is that it is not easy to truly de-identify information and if it is not done correctly, the sharing of the information may be considered a breach that requires reporting to HHS and the potential for penalties and corrective action plans.

De-identification of Protected Health Information requires removing all eighteen of the listed identifiers, or anything else that might be used to identify the individual about whom the information exists. Or you can have an expert certify that the information is not identifiable. But neither of these is foolproof. You need to look more closely to be sure the data cannot be identified.

Sometimes you may need information for research that does not require specific identification of the individual but does need some information listed in the eighteen identifiers, such as Zip code, dates of birth or death, or dates of treatment. In those cases, often partially de-identified data, known as a Limited Data Set, will suffice, and such data can be used without obtaining Authorization or approval from a review board. The information must still be protected with HIPAA-quality security, but it can be used for research under a Data Use Agreement.

There are specific steps that you must go through to ensure that if you want to de-identify PHI, you actually do so properly and that the resulting information is truly de-identified and its use or disclosure will not result in a reportable breach under HIPAA. If you create a Limited Data Set, you need to ensure the proper agreements are in place and the information is transmitted securely. If de-identification or a Limited Data Set is not possible, the appropriate Authorizations or approvals must be in place before sharing the data.

This session will explore the concepts and methods of de-identification and many of the typical questions that arise.  Attendees will be able to go forward with de-identification with greater confidence, and better sharing of information will be possible.

Why Should You Attend

This session will review guidance from the HHS Office for Civil Rights (OCR) and from the National Institute of Standards and Technology (NIST) about how to properly de-identify health information. The various needs for de-identified information will be discussed and typical questions covered in the guidance will be discussed, in order to provide a sound, defensible basis for an organization’s decisions and processes surrounding the de-identification of PHI.

This session will explore the concepts and methods of de-identification and many of the typical questions that arise. Attendees will be able to go forward with de-identification with greater confidence, and better sharing of information will be possible.

Who Should Attend

  • CEO
  • HIPAA Privacy Officers
  • HIPAA Security Officers
  • Information Security Officers
  • Risk Managers
  • Compliance Officers
  • Privacy Officers
  • Health Information Managers
  • Information Technology Managers
  • Information Systems Managers
  • Medical Office Managers
  • Chief Financial Officers
  • Systems Managers
  • Chief Information Officer
  • Healthcare Counsel/lawyer
  • Operations Directors
Jim Sheldon Dean
Jim Sheldon Dean

(Principal and Director of Compliance Services)

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.  He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than two decades of experience specializing in HIPAA compliance, four decades of experience in policy analysis and implementation, business process analysis, information systems, and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician.  Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Registration Options

Choose Your Options

Save $20 - [ HEALTHCPTI ]

Error Conference Exists In Wish-list.

Congrats Conference Added In Wish-list.


Need Corporate Discount ?


  • * For more than 6 attendee call us at +1-800-803-7592 or mail us at cs@conferencepanel.com
  • * For Check and ACH payment call us at +1-800-803-7592 or mail us at cs@conferencepanel.com
  • * Click to download the Order Form
Jim Sheldon Dean
Jim Sheldon Dean

(Principal and Director of Compliance Services)

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.  He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than two decades of experience specializing in HIPAA compliance, four decades of experience in policy analysis and implementation, business process analysis, information systems, and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician.  Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.