Stream: implementers
Topic: Patient Resource ID and HIPAA
Amy Richards (Dec 09 2020 at 00:58):
Does anyone know if the FHIR Patient Resource ID is considered PHI under HIPAA rules?
Grahame Grieve (Dec 09 2020 at 01:04):
previous discussion has been based on the idea that the resource id itself isn't, but it's a likely path to get to PHI
John Moehrke (Dec 09 2020 at 17:23):
the patient resource ID would not be fully "PHI", it might be the "Identifier" that links some "Health" information that is "Protected", but just the ID is not P + H + I
John Moehrke (Dec 09 2020 at 17:25):
but as Grahame points out... it is an identifier. It might be an identifier that is opaque (a GUID or such). But as an identifier it can be used to group all other FHIR resources that are associated with that same individual, and where access to the Patient resource is available it could be seen as a direct identifier.
John Moehrke (Dec 09 2020 at 17:26):
so, yes it should be considered a "Direct Identifier".
John Moehrke (Dec 09 2020 at 17:27):
see the security considerations in the FHIR core http://hl7.org/fhir/security.html#Patient
John Moehrke (Dec 09 2020 at 18:32):
John Moehrke said:
so, yes it should be considered a "Direct Identifier".
just to clarify... the id likely is technically a "quasi identifier" or "indirect identifier"... but it is so strongly associated (it is the relational linkage) with all the data and direct identifiers that it likely should be considered a "Direct Identifier".
Lloyd McKenzie (Dec 10 2020 at 03:08):
In theory, a system could choose to stick sensitive information in the id. However, anyone who designs a system that does that deserves the flogging they'll receive.
Last updated: Apr 12 2022 at 19:14 UTC