Sharing Data Anonymously With HIPAA-covered Entities

Share this content:
If you are sharing data with other HIPAA-covered entities or those with whom you have a business associate agreement, a range of data can be shared comfortably.
If you are sharing data with other HIPAA-covered entities or those with whom you have a business associate agreement, a range of data can be shared comfortably.

If you are sharing data with other HIPAA-covered entities or those with whom you have a business associate agreement, a range of data can be shared comfortably. But if you are considering information exchange with a non-covered entity—such as a research center—or for quality reporting or analytics, then you have to go through the process of de-identification. 

Options

In ideal circumstances, any data in question leaving the practice is de-identified before it is out of your hands. There are 2 ways to do this. First, you can take a data set and remove 18 identifiers required under HIPAA. These include such identifiers as names, locale, and Social Security, telephone, and fax numbers.  The information is taken from the medical record and placed into a spreadsheet ready for sharing. You can assign a code that enables you to re-identify the information, but it cannot be related to any identifiers in the data.

The second way to de-identify data is through external verification, whereby a third-party vendor with knowledge of making medical information unidentifiable provides certification that there is a low risk that patients could be recognized.

Choose carefully

Cases in which you might want to use a professional for de-identification certification include:

  • Patients with rare conditions. If only 5 people in the a state have a condition, that, along with other information, might be enough to identify him or her.
  • Collaboration with a group of doctors amassing data to evaluate something like quality and then placing this information on the Web. Steven Waldren, MD, director of the alliance for e-health and innovation at the American Academy of Family Physicians, recommends going through a professional any time the data will be made public.
  • When dealing with conditions like sexually transmitted diseases or other sensitive issues.
  • Identifiable age cohorts. For instance, you might have a handful of patients over age 90 who could be re-identified when data like medical condition or region are included.

Depending upon the data being pulled, de-identification may not even be necessary, such as when you provide numbers related to the prevalence or incidence of disease. In these cases, there should be no identifiers to be removed.

You may have to look twice at data collection, for instance, that calls for information on a particular disease and when patients were seen, co-morbidities, and lab data. This will require some work to ensure anonymity.

Page 1 of 2

Related Resources

You must be a registered member of Cancer Therapy Advisor to post a comment.

Sign Up for Free e-newsletters

Regimen and Drug Listings

GET FULL LISTINGS OF TREATMENT Regimens and Drug INFORMATION

Bone Cancer Regimens Drugs
Brain Cancer Regimens Drugs
Breast Cancer Regimens Drugs
Endocrine Cancer Regimens Drugs
Gastrointestinal Cancer Regimens Drugs
Gynecologic Cancer Regimens Drugs
Head and Neck Cancer Regimens Drugs
Hematologic Cancer Regimens Drugs
Lung Cancer Regimens Drugs
Other Cancers Regimens
Prostate Cancer Regimens Drugs
Rare Cancers Regimens
Renal Cell Carcinoma Regimens Drugs
Skin Cancer Regimens Drugs
Urologic Cancers Regimens Drugs