Campaign: Developers and HIPAA

When is PHI de-identified?

We have developed a platform to facilitate the scheduling of transport/rides for patients to provider appointments. The process works as follows. The provider logs into a secure site to schedule a ride to an appointment for a patient. The platform, at the appropriate time, sends information to a ride service provider (someone such as Lyft, Uber, etc.) to schedule the transport. The information provided to the transport company includes the time the transport is required, the geographic coordinate of the pickup location, a first name, a masked phone number (the actual phone number of the patient is not provided; rather, a masked phone number that expires after the ride is provided, to be able to contact the patient if required), and the drop-off location.

The issue we are trying to address is the following: Are we passing PHI on to the transport company?

OCR is not clear on the topic. From their guidance, “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” November 26, 2012:

The most relevant issue seems to come down to Section 1.1 from the above:

“The relationship with health information is fundamental. Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to health data (see above). If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”

Is providing a drop-off location an indication of treatment “at a certain clinic”? We would argue that people could be going to an address for a variety of reasons, such as to be with a patient. And are a pickup location and first name sufficient identifiers to trigger the passing of PHI?

Best

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Developer of Mhealth apps (not mobile medical apps), For profit, Attorney/other compliance consultant

Question No. 64