jimduff-usds closed 6 months ago
From experience at my previous company, ordering_provider info IS NOT PII
Looking through https://github.com/CDCgov/prime-data-hub/pull/821/commits/cbb682d6558eebd374d4f18fe1a42579a2ad5031, here are the fields that are currently flagged as PII that I don't think are PII. I didn't see any flagged as NOT PII that should be reversed.
- ordering_provider_city
- ordering_provider_phone_number
- ordering_provider_street
- ordering_provider_street2
- patient_occupation
- patient_suffix
@jimduff-usds let me know if you have any questions
Let me know if you need another review!
@jlusds - I think I was misinterpreting the guidance regarding the ordering_provider_* fields. The guidance says:
The following additional demographic data elements should also be collected and reported to state or local public health departments but these data will not be collected by CDC or the Secretary’s designee. State and local privacy standards apply to the collection of these data elements. (Note: additional data elements may be requested by state, local or federal health departments at any time.)
1. Patient name (Last name, First name, Middle Initial)
2. Patient street address
3. Patient phone number with area code
4. Patient date of birth
5. Ordering provider address
6. Ordering provider phone number
Since the first 4 are PII, I assumed the last two are PII as well, but it actually doesn't say that. So I agree with you - let's make the ordering_provider_* stuff non-PII.
I disagree on patient_occupation and patient_suffix:
I think patient_occupation could be PII, if you are in a very narrow job category. FWIW, I don't think anyone is sending us patient_occupation, so it's kinda moot anyway.
And the patient_suffix is part of the patient name, so I do think it's PII.
Thanks for the additional detail! I'm fine making occupation and suffix PII
Is this done?
@jimduff-usds looks like you and James were working on this. Is this still an open issue?
Review every field in covid-19.schema, and decide if our PII designations are correct.
If no pii designation is present, then PII = false, that is, the field is NOT considered to be PII.
In particular, what about ordering_provider info - are they protected as well?
Key relevant document is: https://www.hhs.gov/sites/default/files/covid-19-laboratory-data-reporting-guidance.pdf