Scott, I would disagree. The spirit of the regulation is reasonableness. As long as the information is truly de-identified according to the 18 items in the regs and you can keep your key on the identifying link piece secure, you should be set. De-identified info is not covered by HIPAA, and the requirement on the keyed link is that there are high assurances of its security. Like everything else in the regs. The issue will be documenting the risk/cost process and the rationale that supports the assessed risk.
a.

Albert Oriol, CHE, CISSP
Privacy & Data Security Officer
The Children's Hospital
[EMAIL PROTECTED]
(303) 861 6094

"All things should be as simple as possible, but no simpler" -- Albert Einstein

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 8:05 AM
To: [EMAIL PROTECTED]
Subject: Re: De-identified PHI

That's a loaded question. I would still say "No" they should still be treated the same. Somehow, you (within your purview) would want (nay, have to have) some kind of "identifier" to be able to link back to the patient, on your end.

Suppose you send out aggregate data to a benchmarking entity, and benchmark results are then made available to you which might necessitate you getting back to the individual patient record...for conformance purposes. How would you ever do that, without having created some other identifier for your own use, in both Bit Buckets A & B? And, it's my understanding that even that list of identifiers must be kept confidential as well.

I'm not really answering the question am I? I'm just saying, it doesn't seem like there would ever be a "truly de-identified" PHI ... so your Bit Buckets should be treated the same.

Thanks,

Scott Supman
Information Security Director
OhioHealth

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.

CONFIDENTIALITY NOTICE: The information contained in this message is legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Thank you.
