Reminder: Do not include any PHI or PII in Confluence. If you require 508 accessibility assistance or any other support for this system, then please send an email to onc-jira-questions@healthit.gov
Please provide any feedback regarding this scenario in the comment form below or by clicking here. |
---|
The objective of this use case is to raise the issues associated with creating unique identifiers that can be used for two purposes (1) to re-identify current and potential research participants so that they can be contacted and (2) so that data can be linked across data sources to create a longitudinal record.
A number of technical and procedural solutions exist and are in widespread use operationally. A “match” approach that uses patient information like SSN, account numbers, names, addresses, and phone numbers is typically used as part of systems administered by healthcare operations. These methods can employ either deterministic methods, relying on exact matches across systems, or probabilistic methods (inexact). Typically, patients are not involved in verifying linkages of accounts within or across systems.
Implementation of an identifier either within or across institutions is a precondition for multiple scenarios. There are clear HIPAA guidelines regarding standards for creating these identifiers within an organization for purposes of research. However, because linkage requires creating identifiers, which requires sharing information across organizations, privacy and liability become concerns.
Some questions to consider:
- What are risks, liabilities, and benefits of Participant-managed systems vs. Researcher managed systems vs. Operationally managed systems?
- What are the workflows and pros and cons of creating identifiers on a project-by-project basis vs. maintaining identifiers over networks, registries, or initiatives intended to operate over multiple projects?
- In your experiences, are IRBs, legal and privacy offices well prepared to make determinations on this question?
- What is the feasibility of participants self-managing linkage information across sources? What types of patients would be excluded from population-based research using EHR and claims data if contact is required for data linkage?
- To what extent are patients' concerns addressed with technical approaches that leverage cryptographic methods?
- To what extent are covered entities’ and other liable parties’ concerns addressed with technical approaches that leverage cryptographic methods?
- Some research organizations have opted to reuse identifiers created for Regional Health Information Exchanges. What are the implications of this practice?
Title | Response |
---|---|
Description | To protect privacy and conform to regulatory concerns, unique identifiers for research must be applied with researcher-administered systems to link data over time and across data sources. |
Primary actor/participant | Research Teams, Covered Entities, Patients/Participants |
Support actor/participant | Information systems |
Preconditions | Identifying information that can be used to reliably link records across independently regulated data sources is available. |
Postconditions | Unique, potentially reusable identifiers are created in according to well-accepted known regulatory standards. |
Alternative |
|
Data Elements Considered | Personally Identifiable Information (PII) and encrypted versions of PII |
Purpose of the Data Collection | Treatment, Payment, Operations |
Purpose of Data Use | Creation of potentially reusable unique identifiers |
Terms of Transfer to the Data Holders | Treatment, Payment, Operations |
Terms of Transfer to Researchers | IRB approval, potentially waiver of authorization |
Anchor | ||||
---|---|---|---|---|
|