Privacy
Comments on the Proposed Modifications to Standards for Privacy of Individually Identifiable Health Information
To the Office of the Secretary
Department of Health and Human Services
submitted by the Massachusetts Health Data Consortium, Inc.
April 26, 2002
Our comments focus on the Massachusetts Health Data Consortium's (the Consortium) work as a Health Data Organization since 1978, in support of the research needs of our public, academic and private member organizations (hospitals, insurers, purchasers, labor, consumer groups and physician groups along with other health care professionals).
The Consortium's activities also include promoting awareness of HIPAA and the privacy regulations through the Privacy Resource Center on our web site: www.mahealthdata.org and at educational events.
The Consortium will facilitate the on-time implementation of the final privacy rule through the Consortium's Privacy Officers' Forum (composed of chief privacy officers from Massachusetts hospitals, health plans, and other covered entities), which meets on a regular basis. To date, the Privacy Officers' Forum has discussed practical, reasonable and appropriate approaches to topics such as consent, authorizations, business associate agreements by covered entities, chain of trust, minimum necessary, state preemption, and accreditation organizations' approach to business associate agreements.
In preparing these comments the Consortium staff is indebted to the Consortium's Board of Directors, our Privacy Officers Forum, the Academy for Health Services Research and Health Policy, the Coalition for Health Services Research and the Association of American Medical Colleges.
General Comments
The Consortium is pleased that the Secretary is willing to make the regulation more workable for health services researchers and state-level not-for-profit, as well as government health data organizations. The proposed modifications have addressed our concern that health services researchers were going to have difficulties in gaining access to data needed and appropriate for their approved research.
We believe that the federal regulations should set the parameters and severe penalties for misuse of protected health information.
The following comments are related to our mission to collect, validate and disseminate comparative health data as a private, non-profit, health data organization since 1978.
We support the wording of the regulation, which permits disclosure to government officials (164.512) such as the Massachusetts Division of Health Care Finance & Policy whose mission is to improve the delivery and financing of health care and to support the state's health care reform efforts. This MA state agency provides information about the efficiency and effectiveness of the state's health system, which is necessary for public accountability and for making informed decisions.
Minimum Necessary Requirement
The Consortium is pleased that the revised preamble of the proposed modifications now provides an explicit statement in the regulation making it clear that the covered entity will not be held liable for the minimum necessary standard if the release of information was based upon the approval of an IRB/PB.
The Consortium supports the judgment in the preamble that further clarification of the minimum necessary standard may be needed if the modifications do not resolve the issue of covered entities' unwillingness to release information to health services researchers based upon their understanding of the minimum necessary standard.
Uses and Disclosures of Protected Health Information for Research Purposes
Private, non-profit health data organizations, such as the Massachusetts Health Data Consortium, have a long history of collecting, validating and disseminating health data for the same functions as governmental health systems (i.e. in support of policy, planning, regulatory and/or management functions).
We disagree with the elimination of government health systems from the final regulations and believe that the following section should be reinstated into the final rule:
"Disclosures and uses for governmental health data systems. Permitted disclosures: A covered entity may disclose protected health information to a government agency, or private entity acting on behalf of a government agency, for inclusion in a governmental health data system that collects health data for analysis in support of policy, planning, regulatory, or management functions authorized by law.
Permitted uses: Where a covered entity is itself a government agency that collects health data for analysis in support of policy, planning, regulatory, or management functions, the covered entity may use protected health information in all cases in which it is permitted to disclose such information for government health data systems."
Furthermore, we propose that DHHS expand the definition of permitted disclosures for public health activities in Section 164.512(b)(i) to include: "improving the efficiency of the health system."
De-identification of Protected Health Information for Research Purposes
1. Re-categorizing the 18 Elements:
First, the statistical method of de-identification as described in the final regulation is ambiguous. Because of this ambiguity, it is unlikely to be used even by experienced health data organizations, like the Massachusetts Health Data Consortium, to de-identify information. Second, removing the 18 items listed in the regulation for information to be considered de-identified renders the information not useful for most health services research projects. For these reasons, the Consortium appreciates the acknowledgment of DHHS that "the Privacy Rule's de-identification safe harbor was not designed to be used for research purposes."
The Consortium agrees that the list of items that can remain on a "restricted/limited data set" of de-identified information for researchers should include the information listed in the preamble including:
Admission, discharge, and service dates by month and year
Date of death
Month and year of birth
Age (including age 90 or over)
Five-digit zip code
2. The Value of Zip Codes for Health Services Research:
In addition to the five-digit zip code, in some cases health data organizations and health services researchers believe that having access to other geographic units smaller than states, such as city, county, precinct, neighborhood or other such information will help with population and other small area studies.
Health data organizations and health services researchers need to be able to access meaningful, "non-facially identifiable" data (i.e. stripped of direct identifiers) such as that described within the preamble of the proposed modifications to the regulation without having to go through the full IRB/PB review process.
Our health data organization has used and disclosed zip code level data for 24 years for small geographic area variation studies, market share analyses, patient migration studies, calculations of the Herfindahl index (a Federal Trade Commission measure to test market concentration), and to determine whether the rates of services to communities show under- or over-utilization. Other prominent research, such as the Dartmouth Atlas of Health Care, would also be affected by removal of zip codes.
The Massachusetts Health Data Consortium has also collaborated with health services researchers resulting in over 40 peer-reviewed studies, many of which use zip codes.
For a listing of the Consortium's studies citing data by subject:
Studies Using MHDC Data - by Subject
For a listing of the Consortium's studies citing data by author:
Studies Using MHDC Data - by Author
3. The Costs of De-Identification:
Clarification is needed as to whether covered entities must de-identify protected health information when used continuously over time by them for treatment, payment, and/or health care operations.
The costly process of de-identification for covered entities could lead to duplicate internal systems and inhibit the activities of auditors (many years after patient discharge) or researchers who use archived files. Without these identifiable data sets, research (e.g. on Gulf War veterans, Agent Orange exposures, or the Tuskegee syphilis studies) could not have been completed.
De-identification should be required only when disclosing protected health information to entities that are neither health data organizations nor business partners. Covered entities should not have to de-identify their own data - even when archived.
When data are collected at the point of service, we cannot anticipate every future application, but a "chain of trust" (from providers, insurers, and external users) can ensure that data are protected.
Once identifiers and/or keys are lost, misplaced or destroyed, record linkage would be extremely difficult, expensive and pose great harm to medical research.
4. Restricted/Limited Data Set - Data Use Agreements as a suggested approach to disclosure and Sanctions:
One technique to simplify this section would be to re-categorize the list of 18 elements with a requirement for prior written Data Use Agreements between the covered entity and any recipient with a stipulation that the information (and the specific elements disclosed) will not be used "alone or in combination with other information (i.e. health or non health care linkable data sets) to identify or re-identify an individual."
Our private data organization already works closely with hospitals, other providers and public agencies under such agreements.
Data Use Agreement Reference: The Massachusetts Division of Health Care Finance and Policy offers DHHS an example. Its Data Use Agreements control the dissemination of protected health information through regulations that allow different levels of access to inpatient hospital discharge data. All users of the Division's data must sign comprehensive agreements not to identify individuals.
Examples of these agreements can be found on the Division's web site: www.state.ma.us/dhcfp under the Division's regulation (114.5 CMR 2.03) "Procedures for applying for PHI" as well as the Division's regulation (114.5 CMR 2.05) on "Sanctions."
To further reinforce the value of Data Use Agreements, I am pleased to report that in 24 years, there has never been any direct or indirect release, by the Consortium, of data identifying a patient. Furthermore, the Consortium has never been accused of a breach of any of our data use agreements with public and private entities while handling millions of sensitive patient records.
Submitted by:
State health data organization
Elliot M. Stone
Executive Director and CEO
Massachusetts Health Data Consortium, Inc.
460 Totten Pond, Suite 385
Waltham, MA 02451