Re: PRIVACY - USE OF PHI IN TRAINING

[Doug Webb]

Kelly, You used my favorite pseudo-person.   If you peruse fiction enough, it should provide enough non-persons to de-personalize a usable set of data.  Be sure to scramble numbers & dates if you base your fictionous people on real events.   The trick is to be sure that your training set covers all the situations that are need to be covered.  This may be easier creating pseudo-persons than selecting real ones.   Douglas M. Webb Computer System Engineer Little Company of Mary Hospital & Health Care Centers     ----- Original Message ----- From: Kelly, Lee To: [EMAIL PROTECTED] Sent: Tuesday, September 10, 2002 08:14 AM Subject: RE: PRIVACY - USE OF PHI IN TRAINING Although this may take a while to setup, why not just use �dummy data�? Real-life scenarios can be generated for fictitious persons (with fictitious characteristics).   For example: Frank N. Stein submits a claim for neck surgery. He lives at 1313 Mockingbird Lane. His doctor (Jekyll of course!) has prescribed Darvon for pain medication.     Lee Kelly, CISSP Manager, Assessment Services Fortrex Technologies, Inc. 1-877-367-8739 (Office) 301-906-6269 (Cell)   -----Original Message----- From: Bard, Greg [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 10, 2002 08:48 To: [EMAIL PROTECTED] Subject: FW: PRIVACY - USE OF PHI IN TRAINING     I am submitting this question in the hope that I can gain some assistance in responding to constant internal inquiries about the use of protected health information for training purposes.   My company is a business associate, acting on behalf of large payers.  As part of this process, claims are submitted, processed, etc�  From time to time, my company will provide training on the system that is used to process these claims.   The question that is being posed is that since this data truly belongs to the payer and we are providing training as a service to the payer that we act on behalf of, can we not include language in a Business Associate contract to state that we will provide training with the use of the payer�s data.   I totally disagree with this because the privacy regulation is concerned about the privacy of an �individuals� data.  The owner is not the point.  It is the individual�s data we are trying to protect and without an individual authorization, I do not see this as allowable.   Anyone who has any thoughts on this topic would greatly be appreciated.       Greg Bard NASCO HIPAA Privacy and Security Project Manager (W) 678.441.6059 (F)  678.441.6359 [EMAIL PROTECTED]         The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.