As a former auditor, I usually hold my own against the information security/compliance folks. While controls are good and necessary, to a large extent they can just be smoke and mirrors. It often gives the illusion of security and helps to give a reasonable legal defense if a breach occurs. You can't prevent or detect everything. In my experience, if someone competent wants to do something illegal, they will most likely get away with it, even in very controlled environments. For example, are you going to ban smart phones because someone might take a picture of a patient chart? I audited a company for years and never detected a lady who was advancing money to herself. They had all the right controls in place. But no one thought to ban whiteout and copy machines to prevent her from whiting out her transactions and making a copy.
HIPAA and HITECH don't prevent people with a business need from accessing patient data. So if you have a business need to access the data, then we grant you access. We have policies and compliance trainings that instruct people on the laws for protecting data that they have access to and the consequences for being careless.
Finally, the legal department doesn't run your business. They are advisors. You have to determine what is a reasonably acceptable amount of risk and control so that you don't negatively affect your ability to operate your business.
“HIPAA and HITECH don't prevent people with a business need from accessing patient data. So if you have a business need to access the data, then we grant you access. We have policies and compliance trainings that instruct people on the laws for protecting data that they have access to and the consequences for being careless.”
Totally agree with Mark. The key is getting help from your Compliance people about navigating away from PHI (Personal Health Information) data and making best use of the rest. Unless you are in a role requiring access to PHI details for clinical or billing purposes, you are forbidden access under HIPAA regulations anyway. Our institution rigorously trains and communicates these restrictions, as I suspect does Mark's and others.
Once you have segregated the PHI versus usable data issues, the next level as Tim describes is managing access within the organization. I think the larger concern is controlling data exiting the organization. My market research role is, in a sense, "covert ops" we don't share with the outside public. Much of that involves proprietary information or subscription content we are restricted from sharing due to licensing agreements. However, I think a good public application is to market your clinical performance data to counter misperceptions by outside rating organizations. These outside services are still very much in the wild west phase of development.
A quick Google search pulls up this page from the Department of Health and Human Services...
This text comes from that page:
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual’s authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.
My sense is that this provision doesn't really allow for open grazing on data; data must come to individuals through "requests." Of course it is a complicated and often political question, but this is the spot we get hung up on most often.
From the same source (emphasis added):
The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce.
...Case-by-case review of each use is not required...
...Individual review of each disclosure or request is not required...
From http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html (alternate link with similar info: Uses and Disclosures for Treatment, Payment, and Health Care Operations):
A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
Fantastic, thank you Mark. I agree with you and your interpretation but part of my role is to educate those who do not agree that this is standard industry practice. These laws are so ambiguous and downright contradictory that it's possible to support just about any argument one would like to make. Something more concrete, like legal opinion, case law, or documentation of industry norms would go a long way toward making this question a slam dunk. Spotlighting this question and then taking it off the table at a national level would open a lot of doors for Tableau in more conservative organizations.
I've been loving this conversation, thanks for engaging!
My organization (a quality management department in a small health system) is grappling with this issue, as a lot of my work has been organizing data that was either never in electronic form or never available in an accessible form. A starting point for us in quality is that most everything we do has a level of protection because of what we do, and the requirements for documenting access are lower, as Mark noted. Also, since we work with things like patient complaints about staff members and Ongoing Professional Practice Evaluation (OPPE), where provider-level aggregations are used, we have to think about how provider-level data is shared.
From working with our risk manager and security and privacy officer, we've come up with the following strategy:
We went back and forth about where to put the patient name & date of birth in this structure, and decided to put it in the pool of data available to all quality staff a) because they already have access in our EMRs, b) we have a dual-identification policy that is needed to compare records and when directly conferring with patients, and c) it makes life easier for quality staff.
In terms of how this influences our use of Tableau, the Tableau Desktop users get to see everything they have access to; when we publish dashboards, we set the permissions to the right level. Since Tableau Desktop and Server both log every query, if we ever had to, we could see what someone did and what data they pulled from the system.
Just thought I'd chime in here and say this thread is fantastic and has been leveraged a lot throughout the years. Deeply appreciate the perspectives you guys bring to the table regarding Tableau HIPAA and additional forms of Healthcare data privacy protection compliance.
Dustin is two years behind on reading his backlog of forum posts. =)
I'm glad Dustin is behind ... otherwise I might have missed this!
Great stuff, even for us in Canada since HIPAA content is often copied and pasted into our policies.
Mark's original link (http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html) doesn't seem to work any more, but this one seems to have similar content (Uses and Disclosures for Treatment, Payment, and Health Care Operations).
Hahaha, I couldn't keep up with you guys if I tried.
Jason - thanks for the heads up on Mark's link. I added it as an alternate resource in his comment.
I just noticed that Mark's original link has a ":" at the end causing it to break. Once you remove that and find the subheading of "General Principle for Uses and Disclosures" (6th sub-section) you will find Mark's original quote.
I’m a little concerned now that I know Dustin can edit my posts. (Siri, remind me never to make Dustin mad to send Dustin chocolates).
**Notice: The comment has been edited by your friendly and all powerful Tableau Forum Admin. Have a pleasant and compliant day.
Bianca Abate had posted a question about a specific scenario, when I went to respond the content had been deleted. Bianca, you should be getting a ping with this response.
I'm afraid you didn't get an answer because there are a) too many unknowns and b) we are (most likely) not privacy officers, so we're hesitant to answer without specifics. For example, you mentioned that the quality team has metrics and you want to share data with care providers. The fundamental questions that I have here are: are the metrics pre-aggregated, and if aggregated, are they aggregated at a sufficient level that they are effectively de-identified? If the answers are both yes, then there's no PHI there and you'd be all set. If the first answer is No and the 2nd answer is Yes, then it depends on when the aggregation is done, what kind of blinding has been done on the data, and what permissions you've set up in Tableau.
Another factor here about HIPAA compliance is that though Tableau does maintain a whole set of logging about users and access, it's not all available in one place *and* my experience is that different people have different interpretations of the regulations. So what might pass muster for one privacy officer in one organization wouldn't necessarily work in another.
Thank you for the great answer!