Data Privacy

How are State Health Data organizations protecting the data they share with third party organizations like Insurance companies, medical research organizations, etc. This data cannot be encrypted as it would make it useless for data mining and/or research analysis. How is HIPAA complaince followed when this data is shared?

luvai:

How are State Health Data organizations protecting the data they share with third party organizations like Insurance companies, medical research organizations, etc. This data cannot be encrypted as it would make it useless for data mining and/or research analysis. How is HIPAA complaince followed when this data is shared?

In our Department, data is "de-identified" by removing all personally identifying information from datasets that will be used in research.  That is, name, SSN and other unique identifiers are removed, and even date of birth is replaced with year of birth.  Zip codes, when included, are just the first 3 numbers.  Etc etc etc.  A secondary unique key is included to link patient data, treatments, and so on.  And finally, the research proposal is vetted through an IRB committee and assurances obtained for how the data will be stored, and then source data destroyed after processing.  And finally, we sometimes run the queries and aggregate the data ourselves for research requests, if the demand on our resources isn't too much.

 NAHDO has done an extensive review of state data release practices and policies.  Most states used a multi-layered approach to the release of public use files:

1.  Changing or deidentifying the data:  suppression, aggregation, and restricting or denying the release of confidential/sensitive data elements.

2.  Regulatory and management controls:  Data Use Agreement/request form, penalties for non-compliance.

3.  Limiting access through data products: web query systems (permitting anonymous queries for aggregate statistics without accessing the detailed data; public use files which are de-identified; research files with more sensitive data usually for bona fide research purposes and requiring IRB approval; and custom data releases---where the agency works with the user to release just the data fields that can be justified for the purpose---making tradeoffs between the potential universe of data elements (e.g. dates of discharge without zip or other patient variables, but not all).

Does any state compensate non-state government members of its data oversight committee? If yes, what is the compensation?