Saturday, November 19, 2011

HIPAA, Case Reports, and the "Small Cell" Problem

It was an interesting tweet that referenced a soon-to-be-published case report from the Annals of Emergency Medicine (via @EmergencyDocs) that piqued my interest:
Thrilling case study: emergency doc cracked chest to save 42 y/o woman in cardiac tamponade after ablation therapy. http://bit.ly/umnydc
Details about the case are quite specific and the case reports heralds from a town in Minnesota. It describes, in very specific detail, the management of a patient who presented to the emergency room in shock from cardiac tamponade after a catheter ablation procedure for right ventricular outflow tract tachycardia.

Is this unique case report HIPAA compliant?

I would say, according to our current definition of HIPAA's "personal health information," such a case report is not HIPAA compliant. Nor could such a case be mentioned on a blog, for that matter, even though it presents important information for people dealing with these patients.

There is an important quality-of-care role in telling these clinical stories. In fact, HIPAA states there are just "18 little rules" that doctors are supposed to follow when they report important clinical cases. But details about cases may need to be very specific. Specific case reports can bring important specific clinical details to the attention of the medical community. For instance, if doctors had not been willing to describe several cases of pulmonary vein stenosis or two cases of esophageal perforation in a major medical journal years ago, how many more people might have been injured as a result?

But there's problem giving such details about clinical details about patient cases: "the small cell problem:"
Clinicians should be sensitive to the "small cell problem": the existence of individuals with such unique or unusual diagnoses or illnesses, that it might be possible for others (or patients and families themselves) to identify the individuals in case reports or medical text books based upon limited information, such as state or city of residence, age and diagnosis.
The "small cell" problem violates HIPAA and HIPAA means business: millions of dollars of business that gets released in press releases from the Department of Health and Human Services when they catch their prey.

But doctors should not be afraid of publishing case reports especially since there are good reasons for them clinically. Further, when doctors make good faith efforts to conceal patient's personal information in those reports, they should not be subject to threats of HIPAA's "small cell" problem. Simply put: the "small cell" problem is HIPAA's, not the doctors'. Extending the definition of personal health information as defined by HIPAA to include "any other unique identifying characteristic" about a patient's case limits doctors' ability to improve care to our patients while greatly increasing our legal culpability for that effort.

-Wes

7 comments:

Anonymous said...

why not just say south dakota instead of minnesota? the state is not relevant to the case right? or just leave location off altogether.

Dr John M said...

Saying 'South Dakota' might have helped in this case. But many doctors do not blog anonymously.

If I write about a case, it's obvious what hospital it came from. (I only work at one.) Knowing the hospital a case comes from makes for identifiable patient information. (As in it's a small world.)

Sure, I can change details, but in a small medical community, person(s) involved in said case could find identifiable features.

Thus, there is really no way for me to "safely" or "HIPAA-compliantly" write about interesting cases. That's too bad because these discussions offer both patients and doctors good learning opportunities.

Sharp Incisions said...

I'm not from the US, but can't a patient agree to waive their rights under HIPAA to allow this sort of case to be published? I know that if I was a 'small cell' type of patient, I'd want the info out there that might allow those in similar circumstances to mine to be better treated.

David Harlow said...

The bottom line is that HIPAA rules in their current form are just not compatible with our reality. Note that the 18th of those little rules about HIPAA says that not only must you strip out the first 17 categories of identifiers in order for a record to be considered "de-identified," you must also strip out, essentially, *anything else* that might be used to re-identify the de-identified record. Beyond the "small-cell" issue that you note here, the problem is exacerbated, because we, collectively, post as much information online one way or another every two days as was created from the beginning of time until 2003 (an old Eric Schmidt quote; I think I've got that right). Essentially, what was de-identified last week may not be de-identified today. So what does this mean? I've blogged about this as recently as this morning. See: Privacy and Security: Joke or No Joke? (HealthBlawg) – http://vsb.li/VzWPRL and OCR HIPAA Audits Finally Kick Off - Do They Matter? (HealthBlawg) – http://vsb.li/R18boa . As another commenter noted, permission to share may be sought from the patient in question or his or her legal representative. Along those lines, check out the discussions about the "Green Button" and "Rainbow Button" - conceptual responses to the "Blue Button" of VA fame linked to in the second post linked to above that may be used to share information before we get a HIPAA rewrite.

DrWes said...

David-

Great summary of the issues. Doctors, unfortunately, have been caught in the legal squeeze. Nurses, too. The more unusual a patient's case becomes, the more an electronic discussion of any form can be used against us. (Even cloaked message boards (a la Sermo) aren't immune.)

As a result, will we see case reports become extinct?

Seems so.

Carolyn Thomas said...

Simple common courtesy here, docs - get permission from patients or next-of-kin first. These "interesting cases" belong to real human beings, not just you, your readers or your Twitter followers. That is the whole point around protection of privacy.

Duh....

Anonymous said...

Point taken Carolyn. But from what I have read, too many times the permission is NOT given...sometimes due to the too much paperwork and lack of understanding. Medical Researchers suffers...that trickles down to people.