Saturday, July 2, 2011

Re-identification and Patient Consent

I am working with a customer that is a state-wide Health Information Exchange (HIE) to extract data from the state's clinical data repository (CDR) and send it off to a Business Intelligence (BI) system that will be used to conduct population based research into clinical outcomes.

This type of research has been difficult to perform today because most of the data is on paper charts and information has to be re-keyed into the BI system. We will be able to extract data from the state's CDR, normalize it and then create research "data marts" that can be further manipulated. This will give us actual data that can be used to determine what treatments work and what treatments are a waste of time and money.

The state has an "opt out" privacy policy, which means that patient's data will be shared unless they explicitly choose to "opt out" of data sharing. Other states that have adopted this type of consent policy have reported that only two to three (2-3) percent of patients choose to "opt out" of data sharing. These states also report that of those patients that have chosen to "opt out" of data sharing, seven percent of those choose to change their status to "opt in" each year.

Here is the tie in.

The state wants to send *all* patient data, after it has been de-identified to the researchers. I have cautioned them that we must exclude the data on patients that have "opted out" from the feed to the researchers.

The state responded, "well, the data is de-identified, so we haven't really shared the patient's data."

1. Some data cannot be de-identified enough to actually mask the patient's identity. There may only be one patient in a city or zip code with a rare disease. No amount of de-identification would truly hide that patient's identity.

2. Researchers have the ability to "re-identify" the data and find out who the patient is if they discover something unusual and decide that they would like to contact the patient to ask further questions.

Both of these cases mean that we would be sharing identified data about the patient against the patient's explicit wishes. Imagine if you will that you have chosen to opt out of sharing data and then recieve a phone call from a researcher asking to talk to you about the effectiveness of your herpes treatments?

I am advising the state to remove data from patients that have "opted out" of data sharing from the research project. If necessary, I will involve our lawyers. I don't know what the penalty is for disclosing a patient's data against their wishes is in this state, but I hope not to find out.

No comments:

Post a Comment