Protecting Geocoded Health Data

With the passage of the Health Insurance Portability and Accountability Act (HIPAA), organizations that collect personal health information will have new responsibilities and greater accountability. HIPAA became law on October 16, 2000. This is the first of many regulations aimed at protecting the rights of patients. It requires most health organizations to have had fully implemented safeguards in place no later than October 16, 2002.

HIPAA regulations impact health providers, health insurers, health data clearinghouses, and all business partners who have access to "identifiable" patient information by virtue of their business relationship. HIPAA regulations apply to both public and private organizations that are referred to in the act as "covered entities." These covered entities include hospitals, public and private health plans, and public health organizations.

HIPAA rules, in an attempt to clarify what constitutes personal "identifiable" information, define data items such as a street address, ZIP Code, or an "equivalent geocode" as identifiable information that is subject to "de-identification." These new rules also define identifiable as any information that would allow a third party to reidentify an individual directly or indirectly without access to a code or key.

However, there are extensive exemptions if the covered entity or its agent (business partner) must use identification information for treatment, payment, research, or national priority activities that are carried out in the interest of public health and safety. Situations that allow the use of identification information include the following:

• Treatment and payment activities by caregivers who need to know this information to submit or adjudicate a claim for payment
• Health care operation activities that improve the quality and effectiveness of medical care and its delivery
• Public health and safety activities related to emergencies, law enforcement, judicial, or administrative proceedings

Another important provision defines a covered entity's business partner. A business partner is any organization that a covered entity relies on in carrying out any or all of its activities. Business partners will be accountable to the covered entity for any subsequent use or disclosure of identifiable information.

Additional exemptions give public health organizations some leeway in implementing these new regulations. These exemptions are related to preventing or controlling disease and reporting child or adult abuse. The greatest impact of HIPAA on public health organizations has been the requirement to develop and promulgate enterprise-wide policies for the use and disclosure of identifiable health information. Public health associations and groups formulated model policies that can be adopted on a wider scale.

HIPAA regulations appear to contain broad exemptions for organizations that conduct research, such as universities, drug companies, and practice standards and medical practice review organizations, provided that these organizations establish institutional review boards for determining protocol and compliance with any waiver for disclosure.

HIPAA regulations preempt state laws covering the same activities only when states do not have laws and regulations that provide safeguards, prohibitions, and penalties that meet or exceed the federal regulations. HIPAA sets forth a civil penalty of $25,000 for each standard that is violated during a calendar year. These standards stipulate that a covered entity

• May not use or disclose an individual's protected health information except as otherwise exempted.
• Must make all reasonable efforts to use or disclose minimal personal identifiable health information.
• Must allow individuals to request that uses or disclosures of protected information for treatment, payment, or health care operations be restricted.
• May not release a "key" that would allow de-identified personal health information to be reidentified. HIPAA regulations provide for access to identifiable information for the purpose of creating de-identifiable information.

When does protection of identifiable information begin? The act states that protection of personal identifiable information begins as soon as any identifiable information is entered into an electronic system and continues for as long as the covered entity maintains that information or until two years after the date of death of the identified individual, unless otherwise prohibited. The Department of Health and Human Services has added paper records through amendments to the existing regulations.

Here is a test for the applicability of HIPAA rules to an organization. Protected health information must be connected to a specific individual. If covered entities such as health providers, health plans, or health service organizations have personal identifiable information linked to administrative, financial, or clinical information, they are subject to these rules regardless of the physical location of the linked information. On the other hand, organizations with de-identified personal health information are probably not subject to the HIPAA requirements for individual protection.

To be considered de-identified, the name, address, or other identifying information has been removed so that, by itself or in combination with any other piece of information maintained by the organization, it cannot be reidentified with an individual. Another loosely defined provision of the act allows covered entities that have "appropriate statistical capabilities" to retain certain identifiable data if the probability of unintentionally reidentifying individuals is very low.

Here are some things a health organization might do to meet the HIPAA standards:

• Determine the identifiable data in the organization—not just the data currently maintained but also data that will be collected in the future.
• Enter into binding covenants with the business partners that handle or otherwise have access to protected data.
• Explore methodologies for the de-identifying data that retain critical spatial information but prevent unintentional reidentification.
• Geocode all addresses at the point of collection by using a real-time address management and geocoding system.
• Draft a data use and disclosure policy that describes and prescribes the use, handling, and disclosure of personal identifiable information. In this policy, address how geographic specificity will be preserved without compromising personal protection mandated by HIPAA.
• Develop a sound method for evaluating how well personal identifiable data is being protected. Use statistical methods to estimate the probability that individuals will be unintentionally reidentified. This process should help covered entities determine how much identifiable information can be retained while still meeting the standards for appropriate use of personal health information as permitted by HIPAA regulations. Techniques such as data disclosure scoring (DDS) should be explored to aid in describing the risk of reidentification.
• Use GIS to study and validate policies regarding unintentional reidentification. Create maps illustrating the dispersion of individuals within selected demographic identifiers such as age groups, sex, and race. Identify the data elements that can be disclosed geographically without compromising individual identification.
• Create a data use and disclosure plan (DUDP) that clearly describes the various ways the organization is using and disclosing health information that is derived from personal health information. The DUDP should outline how identifiable data is accessed and used across the enterprise and provide descriptions of the process used for de-identifying data.

There will continue to be a great deal of information forthcoming from provider associations, law firms, consulting organizations, and software and hardware vendors concerning the impact of HIPAA regulations on covered entities and business partners. Several Web sites provide actual regulations briefings and white papers at no charge.

Information available at Healthcare Information and Management Systems Society (HIMSS) was reviewed in preparing this column.