Maintaining Privacy and Security in Healthcare Research Utilizing ICD-10 and Common Meaningful Use Data Set

Maintaining Privacy and Security in Healthcare Research Utilizing ICD-10 and Common Meaningful Use Data SetHIM 6509 Medical Vocabularies and Classification Systems Instructor: Tina Reynoso

1

Group 4 participants

Babatunde Fakiyesi, Christina McCarthy, Erica Wilson, Kim Shelton, Derinda Werden

Thesis:This research will examine the effectiveness of the use of ICD-10 and the Common Meaningful Use data set for research purposes without compromising protected health information as stipulated under the Health Insurance Portability and Accountability Act (HIPAA) guidelines.

3

IntroductionAdvances in health information technology ushered in growth and difficulties.

Healthcare facilities find it difficult to reap rewards of the data without violating the Hippocratic oaths patient privacy statement.

Findings from a recent survey show 75% of patients are concerned about health Web sites sharing information without their permission (Raman, 2007).

The advances made in health information technology and the impact of information systems on healthcare delivery in the 21st Century has ushered in gains as well as pains. With the collection of patient data on the rise, which is facilitated by IT, it has become very difficult for healthcare organizations to find a balance between reaping the rewards of these clinically rich data without violating one of the cornerstones of Hippocratess oath- patient privacy. A recent survey in the United States suggests that 75% of patients are concerned about health Web sites sharing information without their permission (Raman, 2007). This can be attributed to the fact that medical data disclosure is the second highest reported breach (Hasan & Yurcik, 2006).

4

Some uses of health information data in research study causes of diseases and better improve the healthcare system.Per HIPAA, Health Information Portability and Accountability Act, requires de-identification of health information for all data used in research.The Department of Health and Human Services issued guidance on de-identifying protected health information by utilizing two methods Safe Harbor rule, and Expert Determination (Roop, 2015).According to the Privacy Rule, eighteen specific identifiers must be removed to be considered de-identified data. There are two methods for de-identifying data a statistical verification method and / or removing the eighteen identifiers outlined by the Privacy Rule (U.S. Department of Health and Human Resources, 2007).

In the quest to further study the cause of diseases, and to better improve the healthcare system, there has been an increase in gathering, analysis, and sharing of patient information. These data are being utilized in everything from scientific research and improving clinical outcomes to decisions on which pricing and utilization rates are determined. As personal health information is digitized, transmitted and mined for effective care provision, new forms of threats to patients privacy are becoming evident. In view of these emerging threats and the overarching goal of providing cost effective healthcare services to all citizens, several important federal regulations have been enacted including the Privacy and Security Rules under HIPAA (1996) and State Alliance for eHealth (2007). Thus, Health and Human Services (HHS) issued guidance on how to effectively de-identify protected health information (PHI). There are two accepted methods through which PHI can be de-identified in accordance with HIPAA privacy rule: expert determination and safe harbor. Safe Harbor relies on the removal of specific patient identifiers while the Expert Determination Method requires knowledge and experience with generally accepted statistical and scientific principles and methods to render information not individually identifiable (Roop, 2015).

5

Use of ICD-10 applies to all covered entities, and was required to be implemented on October 1, 2015. Without implementation, all processes will be adversely affected, such as reimbursement, clinical outcomes, and research.

Clear and accurate reporting of diagnosis codes (ICD-10-CM) provides valuable information about patient care for use in research.

Code analysis is an essential component of research in which there is no direct access to patient medical records (Bowman, 2008).

Greater detailed coding offers more opportunity to find previously hidden relationship circumstances for research (Bowman, 2008).

Clear and accurate reporting of diagnosis codes provides valuable information about patient care. International Classification of Diseases (ICD) codes are integral to claims reimbursement, external reporting requirements, quality-of-care measures, resource use monitoring, and clinical and epidemiologic research. The robustness of ICD-10 means that it has a more detailed information gathering capability compared to its predecessor. As such, it portends more security and privacy risk if the information infrastructure of a healthcare system using ICD-10 is breached. The expanded specificity provides more detailed information that promises to assist various healthcare stakeholders in establishing appropriate reimbursement, monitoring health care use, evaluating health care delivery, and improving patient outcomes as well as in conducting research.The use of ICD-10 applies to all covered entities, which consist of health plans, healthcare clearinghouses, and healthcare providers, who transmit electronic health information in connection with the Health Insurance Portability and Accountability Act (HIPAA). The federal fiscal year for implementation is set for October 2015 for compliance date of ICD-10. The failure to successfully implement ICD-10 could create backlogs in billing and coding processes, also causes the cash flow delays, increase claims and/or denials. Some benefits of implementing a Modern Classification Systems are:Improved ability to measure healthcare services.Enhanced ability to conduct public health surveillance.Improved ability to measure healthcare services.Increased ability to distinguish advances in medicine and medical technology.The American Recovery and Reinvestment Act (ARRA), provides funding for hospitals that adopt the new coding classifications and are considered meaningful users of the electronic health record (EHR). Accurate clinical coding relies on having complete and available health record documentation. The development of electronic health records is an added benefit that supports ICD-10 assignment and also helps to improve the quality of the care by providing better and more readily available patient health information (AHA, 2009).ICD-10-CM provides better, more accurate detail, and the fact that the clearer logic of the codes that may lead to fewer coding errors in the long term cannot help but improve research. Code analysis is an essential component of research in which there is no direct access to patient medical records (Bowman, 2008). It is anticipated that ICD-10-CM will open new opportunities in injury research and trauma services. It will provide much-needed improvements to accurately classifying the nature of injuries and correlating them with cause, treatment, and outcome (Bowman, 2008).

6

Common Meaningful Use Data Set is what is required to prove that providers are using the EHR effectively. The Meaningful Use Stage 2, published and maintained by CMS, and defined by the Office of the National Coordinator, defines the Common MU data set as containing 16 pieces of data. This same data contains elements that are collected by research institutions (Tandon, S. & Adhi, S., 2014). Increased granularity and standardization of data ensures that quality data is being utilized in research and clinical trials

Common meaningful use data is a data set standard created for the requirements of meaningful use (MU). MU Stage 2 states that EHR technology must generate a clinical patient summary following each visit and that summary must be generated using the Common MU data set (CMS, 2014). The Office of the National Coordinator has defined the Common MU data set as containing the following sixteen pieces of data: patient name, sex, date of birth, race, ethnicity, preferred language, care team members, medications, medication allergies, care plan, problems, laboratory tests, laboratory values or results, procedures, smoking status, and vital signs (Tandon, S. & Adhi, S., 2014). This data set contains elements of information that is collected by research institutions. The issue at hand for research institutions is that the patient health information must be de-identified as required by the Privacy Rule, unless the patient gives written authorization (National Institute of Health, 2007). Two important pieces of data from the Common MU data set that must be de-identified include patient name and date of birth (National Institute of Health, 2007). De-identified patient information still offers research entities vast amounts of usable information, which can still be used to conduct many research activities in an effective and efficient way.

7

De-identified data has been very valuable to supporting public health and quality improvement research. Research using de-identified data has discovered previously unknown adverse drug effects associated with diabetes, the economic impact of poorly controlled asthma, and identified individuals at risk of morbidity effects (Laffel, 2010).

Research is the very essence of quality healthcare as it allows healthcare to continually evolve, improve patient outcomes, patient safety, and increase the overall quality of healthcare delivery. Within research, ICD-10 provides the specificity and granularity required for more effective analysis of healthcare data. Standardized data sets, such as the Common Meaningful Use data set, allow data that has been mined to be comparable and useful across multiple groups. Increased granularity and standardization of data ensures that quality data is being utilized in research and clinical trials (Fridsma, 2013). The positive impact of quality data in research will be far reaching. However, research must meet the regulations for patient privacy and security. One method to ensure that the research is meeting HIPAA requirements is through the use of de-identified data. According to the Privacy Rule, eighteen specific identifiers must be removed to be considered de-identified data. There are two methods that covered entities may use to de-identify patient data for research and other data needs, a statistical verification method and/or removing the eighteen identifiers outlined by the HIPAA privacy rule (U.S. Department of Health and Human Resources, 2007). The eighteen identifiers that must be removed from the data for it to be considered de-identified include, but are not limited to, the following:NamesTelephone numbersSocial Security numbersAll dates (except year) that are relevant to the patientEmail addressesLicense numbersMedical record numbersAccount numbersAny other unique identifier, characteristic, code, unless otherwise permitted by the Privacy Rule (HHS, 2007). De-identified data is very valuable in supporting public health and quality improvement research. Research using de-identified data has discovered previously unknown adverse drug affects associated with diabetes, the economic impact of poorly controlled asthma, and identified individuals at risk of morbidity effects (Laffel, 2010). De-identified data, combined with the granularity of ICD-10 and the standardized Common Meaningful Use data set, will increase the quality of medical research. In turn, quality research will foster effective, innovative, and efficient healthcare.

8

Conclusion

Healthcare research based on actual patient health information is vital to the continued improvement of patient care, treatment plans and quality of care.

Healthcare research based on actual patient health information is vital to the continued improvement of patient care, treatment plans and quality of care. Research can be performed without violating HIPAA regulations. By following the Privacy Rule de-identification requirements and removing identifiable patient data that is collected in regards to the Common Meaningful Use data set, researchers are left with valuable patient data including detailed ICD-10 data.

9

ReferencesBowman, S. (2008). Why ICD-10 is worth the trouble. Journal of AHIMA, 79, 3, 24-29.Laffel, G. (2010). Using de-identified data to improve healthcare: What, how and why?Retrieved from http://www.practicefusion/com/blog/using-de-identified-patient-data-to/Raman, A. (2007) Enforcing Privacy through Security in Remote Patient Monitoring Ecosystems, 6th International Special Topic Conference on Information Technology Applications in Biomedicine Roop, E. (2015, May 1). The De-identification Dilemma. For The Record, 16-16.Tandon, S. and Adhi, S. (2014, April 1). Summary of public health objectives in stage 2 meaningful use ONC and CMS final rule version 1.1. Retrieved December 14, 2015, from http://www.cdc.gov/ehrmeaningfuluse/docs/summary-of-ph- objectives-in-stage-2-muonc-cms-final-rules_04_01_2014.pdf.U.S Department of Health and Human Services. (2007). How covered entities use and disclose protected health information for research and comply with the privacy rule. Retrieved from https://privacyruleandresearch.nih.gov/pr_08.asp