On April 9 students from the University of Delaware contacted the Delaware Division of Developmental Disabilities Services (DDDS) regarding a research project. The students requested demographic and disability status information on 350 patients. A staff member provided the information to the students but failed to deidentify PHI, resulting in a HIPAA violation.
In a letter sent to breach victims, DDDS stated that students were conducting a research study in which they were using geo-mapping to identify service gaps.
The letter stated, “For the purposes of the project, the UD students requested information about service recipients living within a specific geographic area, as well as basic demographic information such as age range and disability status. In response, a DDDS staff person sent information, via email, to the four students on April 9, 2020 for use in their final project.”
The information that was provided to the students for their project included protected health information (PHI) such as names, dates of birth, primary diagnosis information, and county information.
On May 8, students were presenting their results via a Zoom meeting, with DDDS staff members in attendance. When the students were presenting they shared PHI with attendants which led DDDS senior leadership to immediately stop the presentation. DDDS also asked the students to delete all files containing PHI including all emails, shared files, and their final presentation.
Organizations Must Deidentify PHI for Research
This constituted a breach, because although PHI is permitted to be shared without patient consent for research purposes, the data must first be deidentified. To deidentify PHI, the information must have unique identifiers removed so that cannot be tied back to a specific individual. As such, deidentified data removes any personally identifiable information such as patient names, addresses, email addresses, Social Security numbers, zip code (if there are less than 20,000 people living in the area), biometrics, full facial photos, etc.
Although the employee blacked out Social Security numbers before sharing the files with the students, since the employee failed to remove patient names from the files, this is considered a HIPAA violation.