
PHI protection strategies in need of updates

August 21, 2014


There are many regulations and much published guidance regarding patient health information privacy in medical research, but that does not guarantee that best practices are always followed when it comes to complying with provisions of HIPAA and the Common Rule. In fact, the U.S. Department of Health and Human Services explained that certain de-identification strategies may leave human biospecimens subject to re-identification, demonstrating with an example in which cross-referencing voter registration records could help re-identify patients.

Indeed, an article written by Mark Rothstein, founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, and published in the American Journal of Bioethics, explained that PHI protection techniques that offer even more security than the current standard are needed to solve this problem.

How safe is de-identification?
In his review of current PHI protection strategies implemented by U.S. biorepositories, Rothstein identified several potentially insufficient methods that biobanks and technicians within hospital systems use today to comply with HIPAA and Institutional Review Board regulations regarding sample de-identification.

For example, Rothstein explained how technicians often use white-out to obscure patient PHI on samples that were originally documented on paper. However, when these specimens are shipped to research locations, physical traces of identifiable information are transferred with them, potentially allowing for easy re-identification. Furthermore, there is no regulation regarding who performs these PHI removal operations, and technicians with no prior medical experience could be in charge of de-identifying sensitive PHI.

Also, Rothstein outlined the complexity involved in de-identifying samples with information stored in electronic health record (EHR) systems. EHR profiles are, by definition, linked to patients' identities, and the process of scrubbing identifiers from EHR files varies based on the software being used. Because these systems also lack one-click de-identification functionality, they are not naturally conducive to hiding patients' identities.

Going beyond manual de-identification
Rothstein concluded his article with a call for more stringent and reliable de-identification processes to protect against inadvertent or negligent PHI breaches. Fortunately, forward-thinking companies like iSpecimen already employ technology-based de-identification solutions to fully protect patient PHI and ensure that it never leaves the healthcare system either in physical form (such as on a specimen label) or in any electronic form. Furthermore, the company regularly hires third parties to conduct audits to ensure that patient privacy is continually protected.

Additionally, for healthcare partners that want a higher level of security, iSpecimen's technology can go beyond de-identification and completely break the links between specimens and the patients from whom they came for true specimen anonymization. This ensures that no one, including the healthcare system itself, can ever re-identify specimens that have been delivered to research programs.