It was an interesting tweet that referenced a soon-to-be-published case report from the Annals of Emergency Medicine (via @EmergencyDocs) that piqued my interest:
Thrilling case study: emergency doc cracked chest to save 42 y/o woman in cardiac tamponade after ablation therapy.http://bit.ly/umnydc
Details about the case are quite specific and the case reports heralds from a town in Minnesota. It describes, in very specific detail, the management of a patient who presented to the emergency room in shock from cardiac tamponade after a catheter ablation procedure for right ventricular outflow tract tachycardia.
Is this unique case report HIPAA compliant?
I would say, according to our current definition of HIPAA’s "personal health information," such a case report is not HIPAA compliant. Nor could such a case be mentioned on a blog, for that matter, even though it presents important information for people dealing with these patients.
There is an important quality-of-care role in telling these clinical stories. In fact, HIPAA states there are just "18 little rules" that doctors are supposed to follow when they report important clinical cases. But details about cases may need to be very specific. Specific case reports can bring important specific clinical details to the attention of the medical community. For instance, if doctors had not been willing to describe several cases of pulmonary vein stenosis or two cases of esophageal perforation in a major medical journal years ago, how many more people might have been injured as a result?
But there’s problem giving such details about clinical details about patient cases: "the small cell problem:"
Clinicians should be sensitive to the "small cell problem": the existence of individuals with such unique or unusual diagnoses or illnesses, that it might be possible for others (or patients and families themselves) to identify the individuals in case reports or medical text books based upon limited information, such as state or city of residence, age and diagnosis.
The "small cell" problem violates HIPAA and HIPAA means business: millions of dollars of business that gets released in press releases from the Department of Health and Human Services when they catch their prey.
But doctors should not be afraid of publishing case reports especially since there are good reasons for them clinically. Further, when doctors make good faith efforts to conceal patient’s personal information in those reports, they should not be subject to threats of HIPAA’s "small cell" problem. Simply put: the "small cell" problem is HIPAA’s, not the doctors’. Extending the definition of personal health information as defined by HIPAA to include "any other unique identifying characteristic" about a patient’s case limits doctors’ ability to improve care to our patients while greatly increasing our legal culpability for that effort.
-Wes