Transcript
[Transcript] Episode 526: De-Identified or Not? The Truth about HIPAA, AI, and Client Data
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 526: De-Identified or Not? The Truth about HIPAA, AI and Client Data.
Liath Dalton
This is an important episode, because we really want to clarify what de-identified means under HIPAA, and highlight the distinction between de-identified versus anonymized data. Because we’ve been seeing certain claims, for example, from vendors about storing or creating de-identified transcripts, and those are not HIPAA consistent.
Liath Dalton
So we wanted to unpack what de-identified actually means under HIPAA, so that we’re equipping you to spot red flags and be able to effectively protect client data and make sure that PHI is appropriately recognized as such. That we don’t have service providers trying to carve out what is and isn’t PHI, and therefore what is or is not protected according to HIPAA requirements, when that’s not appropriate, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
So what does de-identified mean under HIPAA?
Evan Dumas
Yeah.
Liath Dalton
Basically, the definition there is that truly de-identified data under HIPAA is not considered Protected Health Information because it cannot be used to identify an individual. Now, there are two methods where information that is PHI can be de-identified under HIPAA. What are those two methods, Evan?
Evan Dumas
Yeah, you got the Safe Harbor method, which you’ll probably be familiar with when we talk about it, and then you have the expert determination method.
Liath Dalton
Yes, and little foreshadowing here, the expert determination method is really rarely used when we’re talking about direct client interaction, and is more frequently something that you’re going to see in research instances, right?
Evan Dumas
Yep.
Liath Dalton
So, if health information is being used in a research context. So under the Safe Harbor method, we have to kind of begin with a quick overview of the 18 HIPAA identifiers.
Liath Dalton
Basically, if information contains any of these 18 identifiers, and it’s in the context of health info, then it’s PHI. It’s not de-identified PHI. So all of the 18 identifiers must be removed from data. If any one of the 18 identifiers is present, or any part or derivative of one of the 18 identifiers is present, then it is not de-identified. So what are some relevant examples, if we’re talking about therapy transcripts, Evan?
Evan Dumas
Oh, yeah, so you got your classic names, or parts of names, or initials, anything that’s sort of name-like. You’ve got geographic data, like what city they’re in, things like that, anything smaller than a state. Dates related to the time of session. You know, voice recordings, other things. Specific diagnoses that are unique to the client. Even other more obscure things, like this one called identifying characteristics, or unique characteristics, or unique identifying numbers. Like there are so many, and you should read through this list, which hopefully we’ll put in the show notes, and your mind will be a little blown.
Liath Dalton
Yes, indeed, the show notes will include the full list of the 18 identifiers. But I want to, you know, specify that voice recordings or transcripts of speech are considered PHI, right?
Evan Dumas
Definitely.
Liath Dalton
Recordings or video recordings. So the myth-busting part here: transcripts, even if they’re scrubbed of names and the other 16 of the 18 identifiers would still constitute PHI and not be de-identified, because narrative clues constitute a unique characteristic. Another rule of thumb, that, just in terms of practical application here is, if the client would recognize themself in it, it is not de-identified.
Evan Dumas
No,
Liath Dalton
Right?
Evan Dumas
No.
Liath Dalton
So something that is truly de-identified under the Safe Harbor method would mean that it could be publicly posted, right, without risk of re-identification. So it’s a very high bar to de-identify PHI. And in the context of session transcripts, it is absolutely impossible. There is no way to have a session transcript be de-identified.
Evan Dumas
Yeah, yeah, no.
Liath Dalton
So now talking about the expert determination method of de-identification under HIPAA. Basically, that entails a qualified expert using statistical methods to determine and document that the risk of identification is minuscule. And it requires formal documentation and justification.
Liath Dalton
So this is not just something that a service provider, like a tech vendor, can make a claim to. It requires a very formal process with appropriate experts, and it’s rarely used by mental health tech vendors because of the complexity and scrutiny involved. And like we said, it’s more typically applied in research contexts.
Liath Dalton
Now, something else that we need to dispel here is the difference between de-identified and anonymized. Because anonymized is not a HIPAA term, but it’s something that we’re more frequently seeing used kind of loosely in tech and marketing.
Liath Dalton
So the difference between anonymized and de-identified is that de-identified, or de-identification is specifically a HIPAA standard that has strict requirements and legal implications. Anonymized does not necessarily equal de-identified, unless it meets either HIPAA Safe Harbor or the expert determination method.
Liath Dalton
So now that we’ve kind of set the scene here, the problem with de-identified transcripts, where, here’s the case example: EHR vendors are talking about generating and storing de-identified transcripts for AI note generation, in one instance without an opt-out option.
Liath Dalton
And why this is problematic is that a transcript, by nature, is client specific and inherently identified.
Evan Dumas
Mhm.
Liath Dalton
There is no legitimate way to de-identify, if narrative content is intact and present in a transcript, right?
Evan Dumas
Yeah.
Liath Dalton
There’s no possible, possible way. Including, you know, the HIPAA attorneys state that there is no such thing as a de-identified transcript.
Liath Dalton
So if you have a vendor that is talking about transcripts being de-identified, and therefore outside of HIPAA scope, then this creates a real ethical concern, right?
Evan Dumas
Mhm, definitely.
Liath Dalton
That there’s a lack of understanding of what de-identification means under HIPAA, and therefore what constitutes PHI. And if they’re not appropriately classifying information as PHI, and therefore under HIPAA’s scope, then the necessary safeguards aren’t going to be applied either. Like it just shows a major disconnect.
Liath Dalton
And then, in light of that disconnect and fundamental misunderstanding and misapplication of the HIPAA standards and requirements, how can we entrust them with safeguarding client info, right?
Liath Dalton
So what can you as a clinician or a practice owner or leader do?
Evan Dumas
Yeah.
Liath Dalton
Read the fine print, unfortunately, and push on asking questions if anything does not seem aligned with what constitutes PHI and what de-identification entails.
Liath Dalton
So ask the questions of: What identifiers are removed? Has an expert determination method been conducted or applied? If their answers reveal that the Safe Harbor method is not being applied, like an example that came up a couple years ago was a vendor, an EHR vendor, stating that data that contained initials was not PHI. That it was de-identified under HIPAA Safe Harbor standards because it didn’t include names. But they missed the point that any part or derivative of the 18 identifiers is still not de-identified and certainly not de-identified under the Safe Harbor method.
Liath Dalton
So if they say things like, oh, initials are okay. Names are removed, but initials are fine. Big red flag, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
And then also be looking for, is there an opt-out or an opt-in to using their AI note taking or transcribing services? It really should be opt-in basis only. Like, there should not be an auto opt-in because,
Liath Dalton
Yeah.
Liath Dalton
You should just, like we say with appointment reminders for clients, right? They should be opting into receiving those. They shouldn’t be auto opted-in. Well, you shouldn’t be auto opted-in to a service that you don’t feel confident in. Because if the data that’s going to be used for that, the client information that’s going to be used for that service or process that that service provides, doesn’t meet your HIPAA or ethical needs, you need to have an ability to opt out.
Liath Dalton
I mean, there’s a bigger consideration here, that if they’re providing services that aren’t in alignment with HIPAA requirements and are handling other client info, that, you know, considering a switch to a vendor who you can feel confidence in is warranted. But in the immediate and short term aspect of things, you should be able to not be opted into something that you don’t want to use and that doesn’t meet your needs, and should at the very least be able to opt out before it actually gets used with any client data. So push back on tech that treats client data as fodder for AI.
Evan Dumas
Yeah, definitely.
Liath Dalton
I mean, we increasingly have been seeing vendors stating explicitly that they are not using client data to train their AI models, which is interesting. But we also have seen just as many instances where they’re saying it’s going to be de-identified and/or anonymized, and therefore used to improve the quality of the AI note taking generation, right? So that’s something that needs to be evaluated.
Liath Dalton
To wrap all of that up, because really, what we’re wanting to do is make sure that you’re equipped to be able to spot red flags and ask the right questions.
Liath Dalton
The main takeaways are that de-identification under HIPAA is not a loophole. It’s a really rigorous process, and transcripts do not equal and cannot ever be de-identified under HIPAA. A transcript will always be within HIPAA’s scope. And protecting client data, as always, is both a legal and ethical imperative. So push for transparency and connect with us if you need support, navigating your service provider choices.
Liath Dalton
One of the things we love to do at PCT is help practices make sure that all of their functionality needs, for both client care delivery and internal operations, are met through HIPAA consistent systems in a cost effective way that’s going to, you know, provide the most streamlined tech stack for meeting needs efficiently and effectively.
Liath Dalton
And we’ve got a lot of resources, including free resources related to service selection and evaluation. So check out the show notes for links to those resources, as well as our list, which includes the full 18 identifiers.
Evan Dumas
Yeah, yeah.
Liath Dalton
Thanks for listening, and we’ll chat with you next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we clear up misconceptions about what it means to de-identify information under HIPAA.
We discuss:
- What de-identifying actually means under HIPAA
- The two methods under which PHI can be de-identified
- The 18 HIPAA identifiers that indicate if information is PHI
- The difference between de-identified and anonymized data
- How to spot red flags from EHR vendors to protect PHI, and what questions to ask
- Opting in or out of AI note services in your EHR
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Article + 18 Identifier List: De-Identified or Not? The Truth About HIPAA, AI, and Client Data
- PCT’s free Group Practice Service Selection Workbook & Worksheets — support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs
- optional accompanying on-demand CE training: Designing a Group Practice’s Tech Setup for Success: Effectiveness, HIPAA Compliance, Client Safety, and Efficiency (1 legal-ethical CE credit hour)
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.