Are Open Source Clinical Decision Support (CDS) Services Subject to HIPAA Regulations?

Noam H. Arzt, Ph.D.

Clinical Decision Support (CDS) services such as HLN’s Immunization Calculation Engine (ICE) are modular, loosely-coupled components of larger systems accessed via web services in a service-oriented architecture (SOA). Under HIPAA, services provided to Covered Entities (CE) which involve protected health information (PHI) as defined in the statute are subject to the regulation. But are CDS services such as ICE subject to this regulation?

A key consideration in determining the applicability of HIPAA regulations to this service is the nature of the data transmitted by the sender to the web service, and the nature of the data returned by the web service to the sender. Currently, all messages to and from the ICE web service conform to version 1.0 of the HL7 Virtual Medical Record (vMR) standard which is expressed in eXtensible Markup Language (XML). As defined in its Implementation Guide, ICE requires the following (and only the following) patient data to be sent:

  • Patient date of birth (month, day, year)
  • Patient gender using standard coding
  • Patient disease immunities, if any, consisting of a standardized code and an effective date for the observation (only certain ICD-9 and ICD-10 codes are valid for a limited number of conditions)
  • Patient immunization history, if any, consisting of a standard Vaccine Code (CVX) and date of administration for each dose submitted

When producing the output of evaluations and recommendations to the client, ICE first mirrors what was provided in the vMR input message and then supplements the provided information with additional elements and attributes. So, ICE returns the following (and only the following) patient data to the sender:

  • Patient date of birth (month, day, year) echoed from the input message
  • Patient gender using standard coding echoed from the input message
  • Patient disease immunities, if any, consisting of a standardized code and an effective date for the observation (only certain ICD-9 and ICD-10 codes are valid for a limited number of conditions) echoed from the input message
  • Patient immunization history, if any, consisting of a standard Vaccine Code (CVX) and date of administration for each dose submitted supplemented by an evaluation of the validity of the dose administered and one or more coded values for the evaluation reason
  • For each valid vaccine series or group, a recommendation indicating the completion status or recommended due date for that vaccine group, as well as a coded reason for that recommendation

Several issues arise with respect to vMR messages used by ICE:

  • Though there is no patient-identifying information within either a message submitted to or generated by ICE, there are two fields (date of birth and gender) which appear to render the message “identifiable” under HIPAA’s “safe harbor” method of data de-identification, meaning any record that contains these fields (and up to sixteen others) is considered “identifiable” and is subject to the regulation; removing these fields would make the data de-identified. A second method is available to render data de-identified: the “expert determination” method has a noted expert in the field determine, through a structured and documented process, that the risk of exposure for this dataset is very small. In the case of ICE, it would mean proving that even if one obtained a vMR message to or from ICE, the identity of the subject of the message cannot be discerned from the message alone or in combination with any other supplemental information generally available to the public.
  • A vMR-formatted message can contain additional patient data which is ignored by the ICE web service. However, the web service cannot control the information submitted by a sender, so such data can result in unintended but real exposure.
  • Care should be taken to avoid storing audit records that contain PHI, and to avoid unnecessarily enabling a debug mode that might expose PHI.
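The last two issues above, over-inclusive requests the service cannot control and audit records that leak PHI, can both be reduced at the service boundary. The following is an added illustration, not code from ICE or HLN: it keeps only the four data elements the article lists, drops everything else before processing or logging, and builds an audit entry that records counts and presence flags rather than values. The sample message is constructed and its element names are assumptions; it is not real HL7 vMR 1.0 XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample request, loosely modelled on the data elements the article
# lists. It is NOT real HL7 vMR 1.0 XML; the element names are assumptions.
# <name> and <ssn> stand in for extra patient data a sender might include even
# though the service never uses it.
SAMPLE_INPUT = """<patient>
  <birthDate>1975-04-12</birthDate>
  <gender>F</gender>
  <name>Jane Example</name>
  <ssn>000-00-0000</ssn>
  <immunity code="ICD-CODE-PLACEHOLDER" effectiveDate="2010-01-01"/>
  <immunization cvx="08" date="1975-06-01"/>
  <immunization cvx="08" date="1975-08-01"/>
</patient>"""

# The only patient elements the service needs (the four items in the article).
ALLOWED_ELEMENTS = {"birthDate", "gender", "immunity", "immunization"}


def minimize(xml_text):
    """Drop every top-level patient element the service does not need.

    Returns (cleaned_xml, dropped_tags). Doing this before any processing or
    logging limits the exposure created by over-inclusive requests.
    """
    root = ET.fromstring(xml_text)
    dropped = []
    for child in list(root):          # copy: the tree is mutated while iterating
        if child.tag not in ALLOWED_ELEMENTS:
            dropped.append(child.tag)
            root.remove(child)
    return ET.tostring(root, encoding="unicode"), dropped


def audit_record(xml_text, request_id):
    """Build an audit entry that describes the request without copying PHI.

    Counts and presence flags are enough to trace and debug a call; the date
    of birth, gender and the values of dropped elements are never recorded,
    only the tag names of what was dropped.
    """
    cleaned, dropped = minimize(xml_text)
    root = ET.fromstring(cleaned)
    return {
        "request_id": request_id,
        "has_birth_date": root.find("birthDate") is not None,
        "has_gender": root.find("gender") is not None,
        "immunities": len(root.findall("immunity")),
        "immunizations": len(root.findall("immunization")),
        "dropped_elements": sorted(dropped),
    }
```

Wiring `minimize` in front of the evaluation step and writing only `audit_record` output to logs means a debug or audit trail never holds the dates or identifiers that make a record identifiable.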

Even though they contain a minimum of identifying information, ICE transactions likely do not meet the HIPAA definition of de-identified data, and in addition an ICE implementation cannot control the data that others submit to the service. The expectation of clients who are HIPAA Covered Entities would likely be that a hosted ICE service should be covered by a HIPAA Business Associate Agreement (BAA); even some exempt entities use HIPAA requirements as a surrogate for appropriate information privacy and security practices. HLN conducts additional security testing and provides documentation to assure clients of the robustness and security of the ICE web service and its tools. Additional responsibility is borne by the hosting entity to ensure that hosted CDS services are secure.