To Protect and Validate: Use of Clinical Data for Simulation Stephanie H. Hoelscher MSN, RN, CHISP/Texas Tech University Health Sciences Center Justin Fair MBA, CPHIMS/University Medical Center March 1, 2016
Conflict of Interest Stephanie H. Hoelscher MSN, RN, CHISP Justin Fair MBA, CPHIMS Has no real or apparent conflicts of interest to report.
Agenda Objectives Purpose Background Domain Build Data Points Technical Strategy Validation Obstacles and Recommendations Conclusion
Learning Objectives Analyze the process used to devise the data points for de-identification of PHI in the new domain Explain the Safe Harbor process of de-identification, as outlined by the Office for Civil Rights (OCR) Describe the obstacles encountered during the validation process
Introduction of Value of Health STEPS Electronic Secure Data By integrating a real EHR into the scenarios, the students will benefit from evidenced based clinical data and support tools. http://www.himss.org/valuesuite
Purpose The purpose is to outline an effective method to de-identify protected health information (PHI) and then validate the efficacy of the process when creating a new electronic health record (EHR) domain for use in a simulation center.
Background The Reason Why are we doing this? Simulation centers can be used for the purposes of teaching electronic documentation to current as well as future nurses, doctors, and other healthcare professionals Simulation centers are currently used in most teaching facilities nationwide With the implementation of EHR the need to ensure students can not only care for patients clinically, but document care, is vitally important
Background The Team An inter-professional research team worked together to strategize the best ways to hide PHI as well as staff and provider data The Team Texas Tech University Health Sciences Center F. Marie Hall SimLife Center Texas Tech University Health Sciences Center School of Nursing University Medical Center Clinical Informatics (UMC) Texas Tech University Health Sciences Center School of Medicine Cerner Corporation
Background Core Group Electronic Health Record-Enhanced Simulation Program (EHR-ESP) Core Group Dr. Susan McBride PI Dr. Sharon Decker Dr. Laura Thomas Dr. Alyce Ashcraft Jeff Watson Shelley Burson Matthew Pierce Steph Hoelscher
Background Organizational Hierarchy
Background The Plan Clinical data from a large inpatient facility in Texas was used to populate a new EHR domain for the purposes of training healthcare professionals Domain Roadmap Construction of new domain (hardware, application, database) Upload of selected patient clinical data Validation of functionality and presence of patient data Scramble event to de-identify the data Validation for scramble efficacy
What do we mean by new domain?
Development of Query Potential Scenario Selection Criteria - Urosepsis Diagnosis of urosepsis Adult, 60 years or older Female Patient not expired at time of query What was actually provided? All sepsis patients with ICD-9 code 995.91 Adult, 60 years or older Female and male Patient not expired at time of query Inpatient visit Medicare or self pay
Process Definitions Verbiage for validation: High level (validation/unit testing) Viewing or testing the basics of the domain A brief scan through the domain Test functionality did we break anything? Test for presence or absence of PHI Deep dive (validation/integration testing) Testing EVERYTHING as thoroughly as possible Search or test every note, folder, form, etc Validation of clinical workflow
Technical Strategy Safe Harbor method of data de-identification (OCR, 2012) This method lists 18 specific data points recommended for deidentification of protected health information Examples include: Names Telephone and fax numbers Social security number Medical record numbers Biometric identifiers, including finger and voice prints Full-face photographs and comparable images
Technical Strategy Image Source: OCR, 2012, p. 23
Technical Strategy The main de-identification tool used was a data scrambling toolkit Created for the purposes of de-identifying or re-identifying patient data in a trainingtype domain (Cerner, 2008) Method = scrambling tool via obfuscation This obliterates the data so that is no longer readable Obfuscation is a mapping method, common data encryption tool Character mapping with scripting Keeps uppercase, lowercase, and numbers intact Does not scramble characters End product appears as gibberish in a structured format
Technical Strategy I walked 11 miles today would translate into O vqsatr 55 dostl zgrqn Image source: Cerner, 2008
Validation Strategy A basic validation strategy for using clinical de-identified data To determine the at-risk data points This includes the list of institutional, as well as national requirements for the de-identification of patient data (OCR, 2012) To measure the success of de-identification, the data to be validated needs to be established prior to de-identification
Validation Process
Validation
Validation
Success! Image source: Cerner, 2008
Challenges for Validation Limited literature with solutions Ethical considerations IRB submission Faculty and staff HIPAA compliance Scrambling tool limited in capabilities Due to free text, manual validation was mandatory Scripting required to encompass free text entries Request for provider and staff de-identification, as well as patient PHI Custom fields proved difficult
Recommendations You have to have the right team, practice partners, vendors Make sure to include your executives in your academic partnership with the inter-professional team Governance and oversight Executive champions Get your providers involved, they can be invaluable Students are interested in having an EHR in their learning experience (Sherrill & Breed, 2008) Thoroughly map out of your process in advance Document, document, document
Recommendations Limit the number of cases to validate 5 cases is much easier than 100 Depending on the size of your facility, there may be limited personnel with the necessary skill set to accomplish the tasks Part of the goal is to develop ways to offset this load Regardless of the size of your facility, you can do this!!! Obstacles will arise, these may delay your progress Leaders need to be attentive to delays, but don t let them discourage you! Communicate effectively Be flexible with issues that are not foreseen or could not be avoided
Conclusion The process is repetitive, but worth it We continue to validate and develop new, expanded scripting with our vendors Goal = make it PERFECT! An inter-professional team really works Well organized meeting schedule Good buy-in from executives, faculty, and providers Research and development continues More scenarios Stay tuned! Manuscript hopefully coming this spring Toolkit development to include validation guide and possibly workshops
Summary of Value of Health STEPS Electronic Secure Data By developing ways to effectively de-identify PHI, we will be able to use true clinical data for education and analysis as needed. http://www.himss.org/valuesuite
Questions Stephanie H. Hoelscher MSN, RN, CHISP steph.hoeslcher@ttuhsc.edu @xannthippe Justin Fair MBA, CPHIMS justin.fair@umchealthsystem.com @FairTime81
References Cerner Corporation. (2008). Data masking & management of test databases: A database scrambler white paper [PDF]. Retrieved from http://www.cerner.com/solutions/white_papers/ Matney, S., Brewster, P.J., Sward, K.A., Cloyes, K.G., & Staggers, N. (2011). Philosophical approaches to the nursing informatics data-information-knowledge-wisdom framework. Advances in Nursing Science, 34(1), 6-18 Milano, C. E., Hardman, J. A., Plesiu, A., Rdesinski, R. E., & Biagioli, F. E. (2014). Simulated electronic health record (sim-ehr) curriculum: Teaching EHR skills and use of the EHR for disease management and prevention. Academic Medicine, 89(3), 399-403. Retrieved from http://ovidsp.tx.ovid.com.ezproxy.ttuhsc.edu Office of Civil Rights (OCR). (2012). Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/de-identification/hhs_deid_guidance.pdf Sherrill, K., & Breed, D. (2008). Three partnerships to teach nurses about electronic documentation and the EHR [PowerPoint slides]. Retrieved from http://www.thetigerinitiative.org/docs/partnershipstoteach nurse show touseelectronichealthrecords.pdf Tappen, R.M. (2011). Advanced Nursing Research: From Theory to Practice. Sudbury, MA: Jones & Bartlett Learning