DE-IDENTIFICATION OF PHI UNDER HIPAA 2017 - De-Identification of PHI under HIPAA - Follow the Guidance to Avoid Penalties

Website http://www.mentorhealth.com/control/w_product/~product_id=801094LIVE?ourglocal.com_oct_2017_SEO | Edit Freely

Category protected health information,patient health information,hipaa compliance online,hipaa rules,health information system,hipaa requirements,phi in healthcare,hipaa standards

Deadline: October 15, 2017 | Date: October 16, 2017

Venue/Country: Online, U.S.A

Updated: 2017-09-13 18:36:08 (GMT+9)

Call For Papers - CFP

Monday, October 16, 2017 | 10:00 AM PDT | 01:00 PM EDT

Overview: Today health information needs to be shared more than ever, but how

can that be done most easily within the limits of HIPAA? One way is to de-identify the

information. Once PHI has been de-identified, it is no longer protected under HIPAA

and may be shared freely without limitation. The problem is that it is not easy to

truly de-identify information and if it is not done correctly, the sharing of the

information may be considered a breach that requires reporting to HHS and the

potential for penalties and corrective action plans.

De-identification of Protected Health Information requires removing all eighteen of

the listed identifiers, or anything else that might be used to identify the individual

about whom the information exists. Or you can have an expert certify that the

information is not identifiable. But neither of these is foolproof. You need to look

more closely to be sure the data cannot be identified. You may wish to communicate

with another provider, or with an agency that is not covered under HIPAA, using plain

e-mail, but you want to strip out the name and use a code that both parties

understand. Is that sufficient to allow the use of plain e-mail? You need to run

though some examples and some tests to make sure before you go ahead.

The necessity to consider the context of information is essential, especially when the

information is unique. A staff member may think a photo of an injury has no

identification on it and by itself is not PHI, but if the photo is posted on the staff

member's Facebook page shortly after the incident and it's a small town and everyone

knows whose injury it is, it's been identified by the context. Sometimes you may need

information for research that does not require specific identification of the

individual, but does need some information listed in the eighteen identifiers, such as

Zip code, dates of birth or death, or dates of treatment. In those cases, often

partially de-identified data, known as a Limited Data Set, will suffice, and such data

can be used without obtaining an Authorization or approval by a review board. The

information must still be protected with HIPAA-quality security, but it can be used

for research under a Data Use Agreement.

There are specific steps that you must go through to ensure that if you want to de-

identify PHI, you actually do so properly, and that the resulting information is truly

de-identified and its use or disclosure will not result in a reportable breach under

HIPAA. If you create a Limited Data Set, you need to ensure the proper agreements are

in place and the information is transmitted securely. If de-identification or a

Limited Data Set are not possible, the appropriate Authorizations or approvals must be

in place before sharing the data. This session will explore the concepts and methods

of de-identification and many of the typical questions that arise. Attendees will be

able to go forward with de-identification with greater confidence, and better sharing

of information will be possible.

Why should you Attend: Health information is proliferating and its sharing among

health care providers and researchers is necessary for providing health care services

and advancing essential health care research. But health information protected under

the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is limited in

how it can be shared, and when it is shared, is required to be protected.

In some cases, it may be possible to share the needed information more easily once it

has been properly de-identified. While a risk analysis would indicate the necessity to

encrypt e-mail with Protected Health Information when communicating between providers

over the Internet, for instance, if the information is not identifiable, encryption is

no longer needed. While releasing information for research purposes may call for a

HIPAA Authorization from each patient or approval by review boards and stringent

controls on the information, if the research can be done without the identifying data,

such Authorizations are reviews are not necessary. But truly de-identifying

information is never as simple as it looks. Oftentimes the context of the information

or the uniqueness of information can give away the identity. If you use patient

initials in an e-mail to identify the individual to the recipient, how unique are

those initials? What if the patient's name is Xavier Xanadu -how many individuals have

the initials X. X.? If you see information about eight siblings with the same birth

date and location, you know it's about the famous Octuplets, because that's the only

set of eight you will find.

If information is not properly de-identified and released inappropriately as a result,

it can result in fines and corrective action plans that can reach into the millions of

dollars. The right process needs to be followed to ensure that data that is shared is

shared appropriately, either as identifiable information, as a partially de-identified

Limited Data Set, or as properly de-identified information. This session will review

guidance from the HHS Office for Civil Rights (OCR) and from the National Institute of

Standards and Technology (NIST) about how to properly de-identify health information.

The various needs for de-identified information will be discussed and typical

questions covered in the guidance will be discussed, in order to provide a sound,

defensible basis for an organization's decisions and processes surrounding de-

identification of PHI.

Areas Covered in the Session:

De-identification and its Rationale

The De-identification Standard

Preparation for De-identification

Guidance on Satisfying the Expert Determination Method

Who is an expert, how do experts assess the risk of identification of information,

what are the approaches by which an expert assesses the risk that health information

can be identified, and what are the approaches by which an expert mitigates the risk

of identification of an individual in health information

Guidance on Satisfying the Safe Harbor Method

What are examples of dates that are not permitted according to the Safe Harbor Method,

what constitutes "any other unique identifying number, characteristic, or code" with

respect to the Safe Harbor method of the Privacy Rule, and what is "actual knowledge

that the remaining information could be used either alone or in combination with other

information to identify an individual who is a subject of the information.

Who Will Benefit:

Compliance Director

CEO

CFO

Privacy Officer

Security Officer

Information Systems Manager

HIPAA Officer

Chief Information Officer

Health Information Manager

Healthcare Counsel/Lawyer

Office Manager

Health Care Researcher

Speaker Profile

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek

Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information

privacy and security regulatory compliance services to a wide variety of health care

entities.

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-

chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup,

and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding

HIPAA and information privacy and security compliance issues at seminars and

conferences, including speaking engagements at numerous regional and national

healthcare association conferences and conventions and the annual NIST/OCR HIPAA

Security Conference in Washington, D.C.

Sheldon-Dean has more than 30 years of experience in policy analysis and

implementation, business process analysis, information systems and software

development. His experience includes leading the development of health care related

Web sites; award-winning, best-selling commercial utility software; and mission-

critical, fault-tolerant communications satellite control systems. In addition, he has

eight years of experience doing hands-on medical work as a Vermont certified volunteer

emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude,

from the University of Vermont and his master’s degree from the Massachusetts

Institute of Technology.

Price - $139

Contact Info:

Netzealous LLC -MentorHealth

Phone No: 1-800-385-1607

Fax: 302-288-6884

Email: supportmentorhealth.com

Website: http://www.mentorhealth.com/

Webinar Sponsorship: https://www.mentorhealth.com/control/webinar-sponsorship/