Title: FW: De-identified PHI


I concur.  If you don't protect either bucket, it is reasonable to assume I can get hold of both buckets.  I suspect I could guess how to associate entries from one bucket to entries in the other (sequential? alphabetic?).  Any attempt to obscure the relationship between the two buckets amounts to a form of encryption.  As soon as I break the method, I have ALL your PHI.

Bobby Miller
Information Assurance Consultant
DynCorp Systems and Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 10:05 AM
To: [EMAIL PROTECTED]
Subject: Re: De-identified PHI



That's a loaded question.  I would still say "No"; they should still be
treated the same.  Somehow, you (within your purview) would want (nay, have
to have) some kind of "identifier" to be able to link back to the patient,
on your end.  Suppose you send out aggregate data to a benchmarking entity,
and benchmark results are then made available to you which might
necessitate you getting back to the individual patient record...for
conformance purposes.  How would you ever do that, without having created
some other identifier for your own use, in both Bit Buckets A & B?  And,
it's my understanding that even that list of identifiers must be kept
confidential as well.

I'm not really answering the question, am I?  I'm just saying, it doesn't
seem like there would ever be a "truly de-identified" PHI ... so your Bit
Buckets should be treated the same.

Thanks,
Scott Supman
Information Security Director
OhioHealth



**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
