Category: HIPAA

healthlogo.gifIf the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to give patients more control over their medical records in the electronic age, what does it say if twelve years later we decide we’d prefer Google to manage it for us?

In a recent article in the New York Times, it seems patients are eager to do just that:

The Google record … allows the user to send personal information, at the individual’s discretion, into the clinic record or to pull information from the clinic records into the Google personal file.

The move toward online control and access to personal health information changes the previously static, analog patient record into a dynamic set of data that serves multiple purposes. Our concepts of record management and documentation might have to change as well.

Several news outlets have reported on a new finding published in the New England Journal of Medicine (vol. 357, no. 4, July 26, 2007) regarding the spread of obesity in social groups. The article, "The Spread of Obesity in a Large Social Network over 32 Years," was written by Nicholas Christakis, MD, PhD, and James Fowler, PhD.

Their findings detailed the increased chances of an individual becoming obese if 1. a close friend became obese (57% increase); 2. an adult sibling became obese (40% increase); or, 3. a spouse became obese (37% increase). They also found that persons of the same gender also increased the chances of one obese person influencing another.

The data set used for the study comes from material collected for the Framingham Heart Study that began in 1948. A second cohort of the offspring of the first FHS was established in 1971 and a third cohort of offspring of the second generation began in 2002. The obesity study used only data from 5124 individuals in the second FHS cohort (1971). It tracked the social networks of the people by creating a database of information taken from handwritten administrative tracking sheets used to facilitate follow-ups with each participant. The tracking sheets included family names, relationships, addresses, and at least one close friend as a contact. This social information was not the basis for the Framingham study, but merely an administrative tool to be able to contact someone for their next appointment. The net result was 38,611 observable social networks among the participants.

This study demonstrates two interesting points in regards to archives. First, data collected for one reason can be creatively repurposed at a later time for another reason. This is one of the simplest arguments for retaining records in archives. Records are not kept merely to recreate the transactional nature of institutions and their activities, but instead provide for the use of information for other intentions.

The second point is the fragility of data. The information used to gather the findings was part of a three generation (and counting) study of heart disease. It was available because it was part of an active project that was well-documented. Due to the size of the FHS and its findings, it is likely that the data sets produced will be well-maintained after its conclusion at the National Library of Medicine or elsewhere. However, other data sets with the same potential to be repurposed into new studies are not always as lucky. And, it is likely it will become more precarious for them in the near future.

Issues concerning the privacy of patient and human subject information are part of the archival management process. The Privacy Rule regulations under HIPAA have done little to address the long-term preservation of PHI materials in archives. It is much easier for principle investigators, institutions, and archives to simply destroy the data as a sweeping act of safeguarding. True, there are few alternatives under the current regulations, but it comes at a cost of re-useable information and perhaps at the cost of our own health and well-being.

On my way to Columbus, OH to present on the topic of privacy and medical records, I read several interesting pieces in The Economist (28 April 2007) in a special report on telecoms. One article was particularly interesting and timely given the subject of my presentation. It discussed the current/future applications of RFID (Radio Frequency Identification) technology in health care. Commonly used as Tattle-Tape(tm) to prevent theft from retail stores and libraries, the chips are now the size of bits of powder.

It noted that wireless technologies are not new in medical care – the pacemaker is a machine that can be adjusted wirelessly – but that the trend will be toward ubiquitous integration, including deep inside our own bodies. RFID chips will communicate with other devices in the examination room as well as outside of the doctor’s office to provide a 24/7 health monitoring program. Our cell phones will be the go-between for our body and our physician. We could be blissfully unaware of any changes to our health when our phone rings to notify us we are scheduled for a visit to the family doctor or even providing directions to the nearest emergency room for an evaluation.

But notification is not the only purpose RFID chips and other similar technologies can provide. Smart chips planted near a tumor can wirelessly power up to burn any new cancer cell growth in a particular area. Chips in the digestive tract can measure the absorption of medication and alert the pharmacist to needed changes in dosage and strength.

Today, the question is how do we protect privacy while providing access to information that can move medical advances forward and allow us to better understand historic patterns in public health? In the coming years the question will shift to how do we protect privacy when there is no separation of the patient and their medical record? What happens when a person is not only the subject of study but also the document itself? What will the medical record look like? What exactly will come to the archives?

Currently, HIPAA and the Privacy Rule are trying to balance the issues of privacy protection and research use. Formulated during the rise of the electronic medical record, the legislation and regulation may become as quickly outdated as Zip drives. It will be seen as a solution based on what the needs were, not what the needs will be. The act also presumes a government’s responsibility to its citizens to aid in privacy protection. Yet, in a wirelessly networked world the government-citizen relationship is blurred and the emphasis on geographic location will wane as the demand for information and the privileges afforded by technology will rise.

Perhaps the very technology that scuttles our notion of a medical record will be the solution to privacy and access. Long vilified as a potential breach to privacy, the RFID and similar technologies could be the literal key to access. Those with permission to review medical records or to provide access to others will be the only ones able to gain access to the information. Individuals will be able to opt-in to have their information included in studies or databanks depending on their preferences without the need for patient consent forms each time a researcher submits a proposal to a review board. Perhaps the technology will ultimately give the individual what the HIPAA legislation cannot, immediate control over who can and cannot have access to their medical history.

And of course, there will be a setting to send it all to the archives.

If you are attending the Midwest Archives Conference in Columbus, OH this week, I’ll be giving a talk at the session "Like Navigating through Pea Soup: Privacy Concerns in Academic and Medical Records" on Friday, May 4th at 10:15 am. My talk is titled "Hiding Information or Providing Access to Archives (HIPAA): Protected Health Information in University Archives." It is mostly a review of the Privacy Rule and the different approaches archives take in managing collections with PHI but it also tries to look further ahead to ways we can work with the Privacy Rule based on precedents set in other federally regulated issues (e.g. copyright & IRBs) as a way for us to try and move the HIPAA conversation forward. It is the product of my previously mentioned look at the HIPAA legislation.

I’ve uploaded a copy of the PowerPoint presentation for those who are interested.

img0022.jpg


I have spent the better part of the last week immersed in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule regulation that establishes the minimum Federal standards for safeguarding the privacy of individually identifiable health information.

Mostly I am preparing for a presentation at the Midwest Archives Conference in Columbus Ohio on privacy concerns in academic and medical archives but I am also researching the need for an agreed upon role of the Privacy Rule within this archives project.

Most archives/HIPAA literature has focused on archives that are part of a health science organization or educational institution. The University of Minnesota is a hybrid institution meaning that some parts of the University are regulated by the Privacy Rule (the Academic Health Center) and other parts are not (University Archives). This makes it all the more difficult in determining how best to manage materials that may or may not contain personal health information (PHI) in the archives.

Some interesting key points I have learned so far include:

• The Privacy Rule in HIPAA applies only to covered entities (institutions governed by the Privacy Rule); it does not apply to all persons or institutions that collect individually identifiable health information.

• The Privacy Rule in HIPAA pertains only to PHI created or collected by a covered entity. Personal health information created or collected by a non-covered entity does not have to comply with the Privacy Rule.

• The Privacy Rule does not "pass through" its requirements to business associates (person/entity that provides certain functions or services for a covered entity); instead, it requires, typically by contract with the covered entity, satisfactory assurances to the safeguarding of information.

• De-identified health information is not PHI and thus not protected by the Privacy Rule.

• Enforcement of the Privacy Rule is complaint driven. Covered entities will not be periodically audited or monitored.

Most of this information and more can be found through the resources provided at the HIPAA Resources Page for the Science, Technology & Health Care Roundtable of the Society of American Archivists.


Monthly Entries

History Map

Academic Health Center

University Libraries

The AHC History Project is a collaborative effort between the Academic Health Center and the University Libraries.