Wednesday, December 9, 2009

Using EHR data for the public-health good

The emerging national health IT policy coming out of the Office of the National Coordinator (ONC) for health IT envisions 5 Policy Priorities. One of these priorities is to Improve Population and Public Health and Reduce Disparities. This is the kind of goal that is really only achievable at a macro level, beyond the scope of an individual medical practice.

For medical practices that are contemplating installing an Electronic Health Record (EHR) system, legacy systems that simply replicate an individual paper chart rack, and create a local and separate data store, are challenged by this policy priority. The only place where broader collections of patient data can be aggregated and analyzed would be either a large group practice or Independent Practice Association (IPA), or a Health Information Exchange (HIE). Small wonder that interconnectivity and establishment of the State Information Exchange program are a priority for the ONC, as noted in their recent blog.

Independently of what is happening within traditional health IT circles, other technology vendors are aggregating and reporting population-based health data. Google Flu Trends tracks search activity for flu, which (although it reflects simple consumer interest in, or fear about, the topic) matches CDC reporting of influenza incidence fairly accurately. No HIPAA-protected Protected Health Information (PHI) is utilized here.

One of the most important barriers to getting population-health data is the concern that PHI privacy could be violated. After all, health information is very personal and sensitive (perhaps, one could argue, even more than personal banking information), and HIPAA Privacy Laws govern the protection, privacy and security of such information.

For data extracted from EHRs to be used for such public health purposes, it would need to be de-identified. But is true de-identification possible? This has been the subject of numerous blog articles, and it has been argued that with just a few pieces of data, re-identification can be achieved.

From the standpoint of HIPAA, there is a “safe harbor” if all 18 identifiers enumerated in section 164.514(b)(2) are removed from an individual patient data point. These identifiers are (1) names, (2) geographic subdivision smaller than a state, (3) all elements of dates (except year) related to an individual (including dates of admission, discharge, birth, death), (4) phone numbers, (5) fax numbers, (6) email address, (7) social security numbers, (8) medical record numbers, (9) health plan beneficiary numbers, (10) account numbers, (11) certificate/license numbers, (12) vehicle VIN and license plate numbers, (13) device identifiers and serial numbers, (14) web URLs, (15) internet IP addresses, (16) biometric identifiers (including finger and voice prints), (17) full face photos and comparable images, and (18) any unique identifying number.

As noted in legal reviews, the HIPAA Privacy Rule permits covered entities to release data that has been de-identified without obtaining an authorization and without further restrictions upon use or disclosure, because de-identified data is not PHI, and therefore not subject to the Privacy Rule.

Data that is used for public health purposes may need to contain some of the elements detailed above. For example, studying the outbreak of flu or of drug-resistant tuberculosis, or the prevalence of obesity or diabetes as a function of geography or other census characteristics such as socio-economic status, may require geographic identifiers down to the zip-code level. What is the best way to proceed?

Organizations that act as custodians of records for HIPAA covered entities (CEs), such as an HIE, or a web-hosted EHR like Practice Fusion, need to be careful about use of data. When individual data points are used, limits on downstream use of that data need to be enforced. The best approach is to use aggregate data, so that no patient-specific data points are released – for example, the percentage of patients with the diagnosis of diabetes in a given zip code (to be correlated with census characteristics indicating socio-economic status) would not involve any PHI, when used in aggregate.
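As an added illustration (not code from Practice Fusion or the original post), the aggregate report described above can be computed so that only the zip code and a diagnosis flag are read from each record, with small cells withheld so that a percentage cannot point at a handful of patients. The record fields, the sample data and the threshold of 5 are assumptions made for this sketch.

```python
from collections import defaultdict

MIN_CELL = 5  # assumed suppression threshold; not a figure from the article or from HIPAA


def make_records(zip_code, total, cases):
    """Build constructed sample records (not real patient data)."""
    return [
        {
            "name": f"Patient {zip_code}-{i}",   # direct identifier, never read below
            "mrn": f"{zip_code}{i:04d}",         # direct identifier, never read below
            "zip": zip_code,
            "dx": ["diabetes"] if i < cases else ["hypertension"],
        }
        for i in range(total)
    ]


# Constructed zip codes and counts, for illustration only.
RECORDS = (
    make_records("11111", 40, 10)
    + make_records("22222", 25, 2)
    + make_records("33333", 3, 1)
)


def rate_by_zip(records, condition="diabetes", min_cell=MIN_CELL):
    """Return {zip: percent with condition}, or None where the cell is suppressed."""
    totals = defaultdict(int)
    cases = defaultdict(int)
    for rec in records:
        # Only the zip code and the diagnosis list are touched; the output
        # contains counts-derived percentages, never a per-patient row.
        totals[rec["zip"]] += 1
        if condition in rec["dx"]:
            cases[rec["zip"]] += 1

    report = {}
    for zip_code, n in totals.items():
        c = cases[zip_code]
        # Withhold the figure when the zip has too few patients overall, or
        # when the number of cases is non-zero but below the threshold.
        if n < min_cell or 0 < c < min_cell:
            report[zip_code] = None
        else:
            report[zip_code] = round(100.0 * c / n, 1)
    return report


if __name__ == "__main__":
    for zip_code, pct in sorted(rate_by_zip(RECORDS).items()):
        print(zip_code, "suppressed" if pct is None else f"{pct}%")
```
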

Using EHR data for the public-health good is an important promise, which can be achieved with widespread EHR adoption. One of the Meaningful Use criteria domains addresses this need. Further, web-based EHRs like Practice Fusion are able to aggregate data from multiple practices and geographies, and (when carefully “double-scrubbed” of any personal identifiers) offer an exciting platform for improvement in the nation’s health. Balancing the very real privacy concerns of patients and clinicians around PHI with the public-health need for real-time de-identified clinical data is challenging. But, with careful attention, such a balance is quite achievable.


Robert Rowley, MD – Chief Medical Officer, Practice Fusion, Inc.


Meet the EHR Experts

Glenn Laffel, MD, PhD - Dr. Laffel is a physician with a PhD in Health Policy from MIT. He serves as Practice Fusion's Senior VP, Clinical Affairs.

Robert Rowley, MD - Dr. Rowley is a family practice physician and Practice Fusion’s Chief Medical Officer.
