De-identified data (Healthcare Big Data) can draw on past utilization, outcomes, trends, and experience to project many outcomes. Layered over blockchain technology for security, speed and decentralization, and combined with machine learning (MEDICAL AI), it could hold the keys to millions of answers and provide much-needed insight into many questions that are not easily answered today!
Imagine the possibilities:
Science & Research
- large-scale medical research studies
- policy assessments
- comparative effectiveness studies
- past CPT codes that end up statistically in a new modality
- drug interaction based on history
Business & Corporate
- You can track your company’s health plan performance in various regions.
- You can track which medications are being prescribed in a particular area to get public-health early warnings.
- You can track customers’ buying habits and which types of customers respond best to specific interventions.
And the list goes on, along with other studies and assessments, all without violating the privacy of patients or requiring authorizations to be obtained from each patient before data is disclosed.
Is this de-identification legal?
HIPAA-Compliant De-identification of Protected Health Information
HIPAA-compliant de-identification of protected health information is possible using two methods: Safe Harbor and Expert Determination. Neither method of de-identification of protected health information will remove all risk of re-identification of patients, but both methods will reduce risk to a very low and acceptable level. Use either of the two methods below and PHI will no longer be considered ‘protected health information’ and will therefore not be subject to HIPAA Privacy Rule restrictions.
1. Safe Harbor – The Removal of Specific Identifiers
The first HIPAA compliant way to de-identify protected health information is to remove specific identifiers from the data set. The identifiable data that must be removed are:
- Geographic subdivisions smaller than a state
- All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
- Telephone, cellphone, and fax numbers
- Email addresses
- IP addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Device identifiers and serial numbers
- Certificate/license numbers
- Account numbers
- Vehicle identifiers and serial numbers including license plates
- Website URLs
- Full face photos and comparable images
- Biometric identifiers (including finger and voice prints)
- Any unique identifying numbers, characteristics or codes
In the case of zip codes, covered entities are permitted to use the first three digits provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals. When that geographical unit contains fewer than 20,000 individuals it should be changed to 000. According to the Bureau of the Census, that means 17 zip codes must have the first three digits changed to zero:
036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831
Covered entities should note that the above list of zip codes may change after future censuses. The list is based on 5-digit zip codes from the 2000 census.
For further information on de-identification of protected health information using the safe harbor method see 45 CFR § 164.514(b)(2).
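The zip code and date rules above, as an added Python example (not code from the original article): it keeps only an allowlist of fields, so any identifier not explicitly handled is dropped. The field names and the sample record are hypothetical, and the "90+" bucket uses the aggregation that 45 CFR § 164.514(b)(2) permits for ages over 89.

```python
from datetime import date

# Restricted 3-digit ZIP prefixes, copied from the list above (2000 census).
RESTRICTED_ZIP3 = {
    "036", "692", "878", "059", "790", "879", "063", "821", "884",
    "102", "823", "890", "203", "830", "893", "556", "831",
}

# Hypothetical field names. Only these survive; everything else
# (names, SSNs, emails, record numbers, free text) is dropped by default.
PASS_THROUGH = {"diagnosis_code", "state"}
DATE_FIELDS = {"admission_date", "discharge_date"}

def generalize_zip(zip_code):
    """Return the first three digits, or "000" for restricted or malformed ZIPs."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) not in (5, 9):  # e.g. a leading zero lost to an int cast
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def age_on(born, as_of):
    """Whole years elapsed between two dates."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))

def deidentify(record, as_of):
    """Apply the Safe Harbor generalizations to one record (a dict)."""
    out = {}
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field[:-5] + "_year"] = value.year  # keep the year only
        elif field == "birth_date":
            if age_on(value, as_of) > 89:
                out["age_group"] = "90+"  # a birth year would reveal the age
            else:
                out["birth_year"] = value.year
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "email": "jane@example.com",
    "zip": "03601-1234", "state": "NH", "birth_date": date(1930, 5, 17),
    "admission_date": date(2023, 3, 2), "discharge_date": date(2023, 3, 9),
    "diagnosis_code": "E11.9",
}
```

Calling `deidentify(SAMPLE, as_of=date(2023, 3, 9))` returns only the generalized fields; the restricted list should be refreshed when the census-based list changes.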