|
HIPAA Privacy and Publishing
Like other scientific journals, the Visible
Human Journal of Endoscopy (VHJOE) does not publish any patient
identifying information associated with its clinical reports.
Historically, with print based images, such information was
removed by the author prior to submission of an image to a
journal for publication. With electronically submitted images
and video clips, authors need to be diligent in assuring that
all such information is remove from both the image and any
imbedded header information that is associated with the image.
The Health Insurance Portability and Accountability Act of
1996 (HIPAA) (1,2) is very explicit in stating that any transfer
of protected health information (PHI) from a healthcare entity
for research requires explicit consent of the patient. Transfer
of images to the editorial staff, for subsequent removal of
PHI, is therefore prohibited. It is the responsibility of
the author to appropriately de-identify all images prior to
submission.
So what is PHI? Under HIPAA, there are 18 pieces of information that are considered identifiable of a patient. Data is de-identified if it does not contain this information and there is no reasonable basis to believe that the remaining data can be used to identify a specific individual. The 18 pieces of information are the following:
· Name
· Postal address (geographic subdivisions smaller than state)
· All elements of dates, except year (birth date, if over 89, must be aggregated)
· Phone number
· Fax number
· E-mail address
· Social Security number
· Medical Record number
· Health Plan number
· Account numbers
· Certificate/license numbers
· URL
· IP address
· Vehicle identifiers
· Device ID
· Biometric ID
· Full face/identifying photo
· Any other unique identifying number, characteristic, or code
Of these, the patient name, medical record number and exam
date are the identifiers most commonly found displayed as
an overlay on an image or movie clip. As DICOM (3) becomes
more common in GI, other identifiers are likely to be found
imbedded in the image header. Most DICOM implementations now,
or shortly will, have "anonomizer" routines for
stripping images of these identifiers. On screen or video
captured images however, these identifiers are often "burnt"
into the image display and "anonomizer" routines
will not remove them from the visible portion of the image.
The easiest way then to prepare a HIPAA compliant image clip
to be submitted for publication is to remove the patient identifying
information prior to recording the study. If an electronic
clip is recorded, it’s header information must be scrubbed
of PHI using an anonomizer routine. For DICOM images, this
may be available from your equipment manufacturer or from
public domain sources (4). If a video tape is recorded, and
PHI is visible, you will need to crop the video prior to transferring
to the publisher. This can be readily done with commercial
professional video editing products such as Adobe Premiere©
(5) and Final Cut Pro© (6). QuickTime movies can also
be viewed and cropped with ImageJ (7), a public domain image
processing and analysis program, available free from the NIH
website below. With ImageJ, I was able to crop both grayscale
and RGB movies, even ones up to 50 MB in size, by simply selecting
a region and the "crop" function as illustrated
in Figures 1 and 2.
MPEG movies need to be converted to QuickTime for use in ImageJ.
This can be done with QuickTime Pro (8) (I used QuickTime
5.0RT and saved the movie with default settings).
It is the responsibility of the author to remove PHI from
any medical information submitted for publication. Penalties
under HIPAA, for non-compliance include fines from $100 for
accidental violations and up to $250,000 and prison time for
deliberate violations. VHJOE is unique in its ability to provide
access to clinical video presentations. To continue this we
must all be diligent in ensuring the privacy of our patients.
References
1. United States Department of Health and Human Services,
Office for Civil Rights - HIPAA. Medical Privacy - National
Standards to Protect the Privacy of Personal Health Information.
http://www.hhs.gov/ocr/hipaa/
2. United States Department of Health and
Human Services, Office for Civil Rights - HIPAA. Medical
Privacy - National Standards to Protect the Privacy of Personal
Health Information: OCR Guidance Explaining Significant Aspects
of the Privacy Rule. http://www.hhs.gov/ocr/hipaa/privacy.html
3. DICOM. http://medical.nema.org/
4. Escott EJ and Rubinstein D. Free
DICOM Image Viewing and Processing Software for Your Desktop
Computer: What’s Available and What It Can Do for You.
RadioGraphics 2003; 23:1341-1357; Published online
10.1148/rg.235035047.
5. Abobe Systems Incorporated. Adobe
Premiere Pro. http://www.adobe.com/products/premiere/
6. Apple Computer, Inc. Final Cut Pro
4. http://www.apple.com/finalcutpro/
7. National Institutes of Health, Research
Services Branch. ImageJ. http://rsb.info.nih.gov/ij/
8. Apple Computer, Inc. QuickTime Pro.
http://www.apple.com/quicktime/upgrade/
|
