Case Reports and HIPAA Rules
Imagine this scenario: You are a medical blogger (doctor, nurse, student) and just saw a very interesting patient. You would like to describe the patient as a clinical case on your blog, in order to share it with other health care professionals (some non-medical readers may visit your blog as well).
Question:
Is this case report allowed under HIPAA regulations?
Answer:
Yes, if you observe certain rules.
Case Reports and HIPAA
Physicians must ensure that the case report does not contain any of the 18 health information identifiers noted in the HIPAA regulations, unless authorization from the individual(s) has been obtained. Authorization is not required if none of the 18 identifiers below is used in the case report.
List of 18 Identifiers:
1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Updated: 06/02/2009

5 Comments:
thanks! always good to review!
Sorry, but I had to laugh when I found that Dr. Charles, the medblogger who used to so judiciously add disclaimers to all of his entries, left a comment here. ;)
I see a lot of things that could be classified as a cross between case reports and first person types of blogging. I have to admit feeling some degree of discomfort with some of them, due to the detail presented.
One thing that helps is when stories are not so contemporaneous, that they are events that have happened several months ago rather than just today, or just this week.
I think you have to anticipate that one way or another patients will learn about your blogging and perhaps begin to check to see what you are writing about.
For our Cases in the News Blog:
www.SimulConsult.com/cases/ we got one additional piece of advice from beta testers - replacing names with initials even though the names appear in the original articles to which we link.
If one needs to have a deep understanding of HIPAA and more information on HIPAA training and also HIPAA template suite along with enterprise contingency plan template suite which any organization, small or big, can use to meet their compliance requirements of Sarbanes Oxley (SOX), FISMA, ISO 17799 or any other regulation/standards requiring business impact analysis, risk assessment, disaster recovery planning (DRP), business continuity plan (BCP) and Testing & Revision of Plan, they can discover it at training-hipaa.net website by following the links given below
HIPAA Privacy and Security Certification Training
http://www.training-hipaa.net/certification_training/com_privacy_security.htm
Enterprise Contingency Plan Template Suite
http://www.training-hipaa.net/template_suite/enterprise_contingency_plan_template_suite.htm