I have to disagree with both of you. Although what you say is correct in terms of the language in 164.514(b)(2), HHS gives you and alternative in 164.514(b)(1) where you can develop your own method of de-identifying the data and document by statistical analysis that the method is effective. For example, you could follow the procedure in 164.514(b)(2) except that you add a key field that allows you to index the data against a database of identifying information. That means that 164.514(b)(2) can not be the basis of your information being de-identified. But then you document that access to the database with the linking index to the identifiable information is restricted to only those who were identified in the patient's consent to disclose and that can be considered de-identified since the identifying information is not "reasonably available" as defined in 164.514(b)(1)(i).
-----Original Message----- From: Dennis Melamed [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 05, 2002 3:00 PM To: David Blasi; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Obtaining social security numbers Mr. Blasi's point is right on target. If you create another number which identifies a patient, you have not de-identified the data. This activity falls under the omnibus provision (section R) of the safe harbor for de-identified data. Simply substituting another number for the SSN is not enough. Even if you bury the key so no one can convert that number, you have still created an identifiable number and thus do not have de-identified data. That's straight from senior HHS officials. There is no equivocation on this point. The SSN has its own problems above and beyond those mentioned in earlier emails. Also remember that the HIPAA Privacy Rule does not have to be implemented until April 2003. Of course, these people may be referring to some other state or federal law. But I'm not aware of how the federal Privacy Act would affect you. That governs federal agencies and their contractors, not the private sector. Dennis Melamed Editor Health Information Privacy Alert (202) 296-3069 -----Original Message----- From: David Blasi [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 05, 2002 1:41 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Obtaining social security numbers I agree that each plan can make a business decision to move away from the SS#, but I don't see how that helps you avoid any responsibilities under the privacy rule. You are just creating another identifier that could be used to identify an individual and their health information. If you put your proprietary number on the ID card which then gets matched up against clinical information for billing purposes and all subsequent claims information (EOB's), how is that new identification number not PHI? PHI can be many things beyond SS#. It can be a URL, ISP, etc. I'd consult with your counsel to make sure you aren't making an incorrect assumption that you can avoid certain responsibilities just by not using a SS#. >>> "Beth Kranda" <[EMAIL PROTECTED]> 02/05/02 12:40PM >>> While I agree with David that the use of an SSN simplifies COB, I have also taken the position of eliminating the SSN as ID number. In the definition of Payment and in section 164.514 on de-identification, the SSN is referenced as an element that is considered PHI. Some have interpreted this to mean it is then protected, and taken that further to imply that, if the ID card has the SSN on it, it is then considered PHI and subject to the same type of protection requirements as the clinical record. Not sure if this is true, but certainly, reporting is easier if you have a unique identifier that is not the SSN with which to tie de-identified information back to a member. As for the HEDIS problem, this simply means your company needs a "person ID" to tie a person's health history together across systems and across enrollment records. While convenient, it is not necessary to use the SSN to accomplish this. This is one of those decisions that needs to be driven by the legal and business issues. My guess is that the "Privacy Act" this patient cited is state based or some other provacy legislation, not HIPAA. Most of the general public is still not aware of HIPAA's rules. All of the Health Plans I have talked to in Indiana are moving away from the SSN. -- M. Beth Kranda Sr. Project Consultant and Privacy Director OASYS t- (317) 614-2139 f- (317) 614-2001 e- [EMAIL PROTECTED] info- www.oasys.com David Blasi wrote: > Don't see this as a HIPAA Privacy Rule requirement. In fact, until > there is an alternative individual identifier, each plan or provider > assigning a proprietary number to identify an individual creates even > more confusion than we currently have. Especially in COB situations. > But, are you in California? California recently passed SB 168 regarding > the use of SS#'s. However, the law does allow use of SS# for "internal > verification or administrative purposes." This is what most plans or > providers use the SS# for anyway. What it will require is for a plan or > provider to take a look at notifications sent or ID cards used. Have > your counsel take a look at this bill or similar bills proposed in other > states. Essentially, you can prepare a response that states you are > permitted to use SS# in certain limited situations, such as eligibility > and claims payment. > > >>> "Waterhouse, Melissa" <[EMAIL PROTECTED]> 02/05/02 09:33AM > >>> > Recently, we have been experiencing resistance from members when we > request > their social security number and the numbers of their dependents. > Several > letters from employees quote The Privacy Act. We are considering not > requiring dependents socials but this could negatively impact HEDIS > numbers > since SSN's are the only way to track continuous enrollment. > > I am wondering if other health plans are also experiencing this and if > they > decided to not require social security numbers or have moved to using > another identifier. > > Thank you, > Melissa Waterhouse > SummaCare Health Plan > > ********************************************************************** > To be removed from this list, go to: > http://snip.wedi.org/unsubscribe.cfm?list=privacy > and enter your email address. > > ********************************************************************** > To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy > and enter your email address. CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
