10

Imagine you are designing a system that's comprised of overdue worklists for doctors (e.g., Doctor X you have 3 overdue studies to look at). In the notification, you identify the studies they have to review by their accession number / CPT code / date of service, so that the doctor can see what studies they are missing (in case they disagree that they have three overdue studies).

Could that accession number / service / date of service be included in an email that may be sent or forwarded to a non-hospital system?

On the one hand, knowledge of the accession number+service+date, does not let you identify any patient (so I would say no) or the results of the study without additional information.

On the other hand, each accession number is tied to only one individual, so it is the type of PHI that is typically removed when anonymizing data for say research purposes.

dr jimbob
  • 38,768
  • 8
  • 92
  • 161

2 Answers2

4

I've answered this myself months after asking here based on HIPAA law (see page 66 - section 164.514).

To summarize: accession numbers (a unique identifying number) should be removed when de-identifying clinical data before being used for research purposes. However, using accession numbers (without connecting to detailed patient data) for routine business purposes (in say generating doctor's overdue worklist) over unencrypted emails is probably fine, but the law is murky enough that you may want to avoid doing anyway.

An accession number on its own is a meaningless 6-10 digit number tied to each service done at some specific hospital. Without having access to that hospital's specific database that ties accession numbers to a specific service done on a specific patient, you cannot identify a patient. You can easily argue in this sort of scenario, an accession # is not PHI and HIPAA specifically has an exception for experts determining that the risk that this number could be used to identify someone is negligible (as in this case).

However, if you are de-identifying clinical data (say an actual MRI scan or the detailed test outcome), it would be prudent to remove all accession numbers. This prevents someone from using the normal database system to see who is tied to an accession number, and then using the poorly de-identified data to get detailed records they couldn't otherwise get.

jimmont
  • 105
  • 4
dr jimbob
  • 38,768
  • 8
  • 92
  • 161
1

It would not qualify for the safe harbor provision for deidentified data under HIPAA.

Matt
  • 189
  • 4
  • Thanks, but is that the relevant provision? I understand if I'm deidentifying clinical data (e.g., images from an MRI; or a clinical report) that I would have to strip that accession number (as someone could later look up the accession number and then tie the data to a patient). But in this case of an accession number on its own not attached to clinical data seems like its not covered by rules of deidentifying data. (But then again I'm not really sure which is why I am asking). – dr jimbob Feb 21 '12 at 03:29
  • Unless you remove all of the 18 types of data specified by HIPAA in order to meet the criteria for deidentified data, the wise thing to do is to regard the data as being PHI. Personally, I wouldn't risk doing what you are proposing. –  Feb 22 '12 at 06:44