MedBlogs and HIPAA
The section of HIPAA that appears to apply to medical bloggers is as follows:
WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
SEC. 1177.
(a) OFFENSE.--A person who knowingly and in violation of this part--
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
(b) PENALTIES.--A person described in subsection (a) shall--
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
The most important question seems to be "how is Individually Identifiable Health Information (IIHI) defined or interpreted?"
As best I can determine, IIHI is information that can actually link a patient to health information, or which can actually identify an individual or provide a reasonable basis for identifying the individual.
So what are the minimum requirements for bloggers to de-identify patient information and remain in compliance with this statute? The long version is here, but I'll give an overview of the criteria that seem to apply to bloggers.
The following information must be removed:
- Names
- All geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Based on my interpretation of this, I'm not certain that non-anonymous bloggers should present medical cases at all unless the cases are radically altered or very generalized. If it is known that a physician, nurse, or other healthcare worker practices at a certain facility, for example, then the second requirement (no geographic subdivision smaller than a state) seems to be violated. Similarly, posts stating that a certain patient event occurred "last night" or "last week" seem to be in violation, since they pin the event to a date. I think "recently" is probably vague enough.
I'm certainly not an attorney and I'm probably misinterpreting the rule, but it seems like something we should discuss.
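As an added example (not part of the original post, and not a compliance tool), here is a small Python scanner that checks a draft post against the identifier categories listed above before it is published. It flags full dates (keeping only the year, as the rule allows), ages of 90 or over, ZIP codes, record numbers, phone numbers, and, following the argument above, relative-time phrases such as "last night". Names and facilities cannot be detected from text alone, so the blogger supplies them in `known_places`. The sample post, the `Springfield` place name and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample draft (not a real case) with one of each identifier type.
SAMPLE_POST = (
    "Last night a 92-year-old man from Springfield, ZIP 62704 presented with "
    "chest pain. He had been discharged on 3/14/2007 (MRN 48213) and his son, "
    "reachable at 555-867-5309, said the first admission was January 5, 2007."
)
# Names and facilities cannot be inferred from text; the blogger supplies them.
KNOWN_PLACES = ("Springfield",)

MONTH = (r"\b(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|"
         r"jul(?:y)?|aug(?:ust)?|sep(?:t|tember)?|oct(?:ober)?|nov(?:ember)?|"
         r"dec(?:ember)?)\.?\s+\d{1,2}(?:st|nd|rd|th)?(?:,?\s+(?P<year>\d{4}))?\b")


def _age_over_89(m):
    # Only ages of 90 and over are identifiers under the rule quoted in the post.
    return int(m.group("age") or m.group("age2")) >= 90


# (category, pattern, acceptance filter). Earlier rules win on overlapping spans,
# so a record number is not later re-reported as a ZIP code.
RULES = [
    ("record_number", re.compile(
        r"\b(?:MRN|medical record(?: number)?|account|SSN)\s*#?\s*:?\s*\d[\d-]*\b", re.I), None),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), None),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/(?P<year>\d{4}|\d{2})\b"), None),
    ("date", re.compile(MONTH, re.I), None),
    ("age_over_89", re.compile(
        r"\b(?P<age>\d{2,3})[- ]?(?:year|yr)s?[- ]old\b|\baged?\s+(?P<age2>\d{2,3})\b", re.I),
     _age_over_89),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b"), None),
    # Not in the quoted list; flagged because such phrases fix the day of the event.
    ("relative_time", re.compile(
        r"\b(?:last|this)\s+(?:night|morning|evening|week|weekend|month)\b"
        r"|\b(?:yesterday|today|tonight)\b|\b\d+\s+days?\s+ago\b", re.I), None),
]


@dataclass(frozen=True)
class Finding:
    category: str
    text: str
    start: int
    end: int
    replacement: str  # what redact() substitutes; dates keep the year, which the rule allows


def _replacement(category, m):
    if category == "date":
        year = m.groupdict().get("year")
        return f"[date, {year}]" if year and len(year) == 4 else "[date]"
    return f"[{category}]"


def scan(text, known_places=()):
    """Return identifier hits in text, earliest first, with overlaps resolved."""
    rules = list(RULES)
    if known_places:
        place_re = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, known_places)), re.I)
        rules.insert(0, ("place", place_re, None))
    taken, found = [], []
    for category, pattern, accept in rules:
        for m in pattern.finditer(text):
            if accept is not None and not accept(m):
                continue
            if any(m.start() < e and s < m.end() for s, e in taken):
                continue  # a higher-priority rule already claimed this span
            taken.append((m.start(), m.end()))
            found.append(Finding(category, m.group(0), m.start(), m.end(),
                                 _replacement(category, m)))
    return sorted(found, key=lambda f: f.start)


def redact(text, known_places=()):
    """Replace every finding with a bracketed category marker."""
    out, pos = [], 0
    for f in scan(text, known_places):
        out.append(text[pos:f.start])
        out.append(f.replacement)
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for f in scan(SAMPLE_POST, KNOWN_PLACES):
        print(f"{f.category:14} {f.text!r}")
    print(redact(SAMPLE_POST, KNOWN_PLACES))
```

The scanner is deliberately conservative about what it tries to infer: it can only catch the mechanical identifiers, and a post that passes it can still identify a patient through a rare diagnosis, a public event, or the blogger's own known workplace, which is exactly the point made above about non-anonymous bloggers.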
Labels: HIPAA



14 Comments:
I agree, in general, with your interpretation.
I ran this past my corporate counsel, and their take was similar. However, there are other issues which are stickier. For one, posting images brings up the question of consent and copyright. Did you ask the patient before taking the picture? Is the consent in writing? Does the consent cover publication? Who owns the image? This is more salient with radiographs, since the hospital is likely to assert that they own the copyright (though this is less of a decided matter).
Also an item of concern from my attorney was that of false or defamatory posts - or comments. His concern was that the blog administrator would generally be considered responsible for comments.
Also, in many cases your employer may have little concern or say regarding extracurricular activities, but medical staff boards have broad latitude in setting standards of professional conduct. If they don't like what you are writing, or if they choose to view your posting as somehow unethical or unprofessional, you as a medical staff member are very much at risk.
As they say, "All politics is local." I took the step of inoculating myself by sending a letter (prescreened by counsel) to my hospital CMO, including links to sample posts. Fortunately his reaction was "I love it! Don't stop!" But I have the luxury of working with a great administrative team, and not every blogger does.
What if I use "last night" to describe something that happened ten days ago, disguising the time of the event as well as other elements (such as changing the patient's age or gender)? Sorry, but in all honesty, reading the specifics is pretty reassuring.
Copyright laws don't seem to have the teeth that HIPAA laws have, so they don't bother me much.
If a patient can't identify themself and nobody else could identify him, then how could a post be specifically defamatory?
My state is an "at will" state, so anybody can be fired at any time with or without cause. One more reason to remain anonymous.
Has anyone in the medical field ever been prosecuted as a HIPAA violator based on a blog post, especially a blog post with no patient name or other obviously identifiable info? I think the only way that could be is if you talked about someone famous enough where a generic reader could identify them...like "a singer who used to be black, but now looks white and has been accused of molesting children came into the ER today for a plastic surgery complication..."
It would seem to me that since there are something like 15 or 20 million blogs in the US alone, plus billions of websites overall and, probably, thousands of things that could qualify as a "medi-blog" or a medical case discussion forum or whatever, that would be a sufficient shield, as long as you follow the generic hospital/generic nurse/doctor formula.
I'm more worried about a co-worker stumbling on my website, even though I don't blog at work, etc.
Not that I'm aware of. But the first case could be costly. If a medblogger accepts advertisers, for example, or he otherwise gains financially from his blog, then the last provision of the statute could potentially come into play, to the tune of 10 years and $250,000. Ouch.
Just a thought.
Your state privacy laws actually have more teeth than HIPAA.
Let me dig something up for you, and I will post it later.
scalpe. thanks for this. was wondering what was up with the loss of flea and, apparently, gruntdoc. please doc, if you happen by my blog and think that you see something that might run afoul of HIPAA then let me know. thanks again.
I am very careful about identifiable information and this is why I don't write that much about patients I see. It's hard to change ages, sex, race, chief complaint and the other things I do and still be true to the idea (or the truth) of the article. I wish I could write more about patients but since my blog is sort of reactionary and I am not that anonymous I have to be very careful.
Besides, patients should be anonymous and not have details of their lives broadcast in an identifiable form.
is this just american? how would this apply to someone (but not specifically) like me? quite worrying. i wonder if i need to edit some blogs in my archives
It's just an American thing, bongi.
No need to worry. Keep doing your thing.
Actually, copyright laws have become more draconian than HIPAA laws due to corporate greed - but that is another matter.
There is something known as "safe harbor" when it comes to anything posted in comments. You, as host, are only responsible for removing known violations - at least from the readings of EFF.org. (I'm not a lawyer, but they are.)
Anyone involved in internet communities need to support and follow eff.org to know what their rights and responsibilities are - and to keep the corporate monsters - whether copyright mavens or hospital huns - under control.
Also, lawyers are specialists in much the same way doctors are. Don't go to a dentist if you need your appendix removed - and don't go to an insurance attorney for intellectual property advice.
Pax,
MLO
Another HIPAA question??? If a doctor is an individual health care provider who has been given privileges to operate through a health care system, and that doctor notices that safety standards are not being complied with and that in certain specific instances this is resulting in the death of patients. The doctor starts complaining to all the appropriate medical boards and ultimately gets fired. If this doctor reveals the names of patients that he feels were subject to sub-standard care to prove that he was fired because he was a whistleblower, is that a violation of HIPAA?
I would like to put some points on HIPAA over here.
The privacy and security rules of HIPAA define the amount of information that can be shared when conducting the business of healthcare. ePHI can be shared for treatment, payment and healthcare operations without patient or health plan member consent (there are additional special provisions that allow PHI sharing, but they are strictly defined and include law enforcement, public health, healthcare oversight activities, etc.).
I would like to introduce a website I recently discovered, a very good regulatory compliance website, http://www.compliancehome.com, which provides all the useful information regarding HIPAA and also provides good information about other regulatory compliance authorities such as SOX, ISO 17799, OSHA, FISMA, etc. This website also provides a crosswalk poster between different regulations from Symantec, which is a very useful tool for complying with these regulations. This poster is a crosswalk between ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada): http://www.compliancehome.com/symantec