RE: PRIVACY - USE OF PHI IN TRAINING

[Line, Phyllis]

We too are looking at this issue. We are a health plan and currently use live data for training purposes. The live data is stored in a test region of our system and is periodically updated. One solution we are looking at is to scramble the demographic data such as name, ssn, dependent names, address, etc. before it is loaded to the test region. Although, this does not meet the true definition of de-identification, we feel that it may be a reasonable way to safeguard the PHI. Keep in mind, access to our test region is tightly controlled by user. Only those users who have a need to know have access to the test data. Individuals being trained, using the modified live data, are the same staff that will have access to this information for the purpose of performing the functions of their jobs. In addition, the test data is not shared with any outside entities. I sure would be interested in hearing how others are addressing this question.   Phyllis Line HEREIU Welfare Fund HIPAA Privacy Officer (630)236-5114      -----Original Message----- From: Kelly, Lee [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 10, 2002 8:14 AM To: [EMAIL PROTECTED] Subject: RE: PRIVACY - USE OF PHI IN TRAINING Although this may take a while to setup, why not just use 'dummy data'? Real-life scenarios can be generated for fictitious persons (with fictitious characteristics).   For example: Frank N. Stein submits a claim for neck surgery. He lives at 1313 Mockingbird Lane. His doctor (Jekyll of course!) has prescribed Darvon for pain medication.     Lee Kelly, CISSP Manager, Assessment Services Fortrex Technologies, Inc. 1-877-367-8739 (Office) 301-906-6269 (Cell)   -----Original Message----- From: Bard, Greg [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 10, 2002 08:48 To: [EMAIL PROTECTED] Subject: FW: PRIVACY - USE OF PHI IN TRAINING     I am submitting this question in the hope that I can gain some assistance in responding to constant internal inquiries about the use of protected health information for training purposes.   My company is a business associate, acting on behalf of large payers.  As part of this process, claims are submitted, processed, etc...  From time to time, my company will provide training on the system that is used to process these claims.   The question that is being posed is that since this data truly belongs to the payer and we are providing training as a service to the payer that we act on behalf of, can we not include language in a Business Associate contract to state that we will provide training with the use of the payer's data.   I totally disagree with this because the privacy regulation is concerned about the privacy of an "individuals' data.  The owner is not the point.  It is the individual's data we are trying to protect and without an individual authorization, I do not see this as allowable.   Anyone who has any thoughts on this topic would greatly be appreciated.       Greg Bard NASCO HIPAA Privacy and Security Project Manager (W) 678.441.6059 (F)  678.441.6359 [EMAIL PROTECTED]         The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.