Prospective study of clinician-entered research data in the Emergency Department using an Internet-based system after the HIPAA Privacy Rule

Abstract

Background Design and test the reliability of a web-based system for multicenter, real-time collection of data in the emergency department (ED), under waiver of authorization, in compliance with HIPAA. Methods This was a phase I, two-hospital study of patients undergoing evaluation for possible pulmonary embolism. Data were collected by on-duty clinicians on an HTML data collection form (prospective e-form), populated using either a personal digital assistant (PDA) or personal computer (PC). Data forms were uploaded to a central, offsite server using secure socket protocol transfer. Each form was assigned a unique identifier, and all PHI data were encrypted, but were password-accessible by authorized research personnel to complete a follow-up e-form. Results From April 15, 2003-April 15 2004, 1022 prospective e-forms and 605 follow-up e-forms were uploaded. Complexities of PDA use compelled clinicians to use PCs in the ED for data entry for most forms. No data were lost and server log query revealed no unauthorized entry. Prospectively obtained PHI data, encrypted upon server upload, were successfully decrypted using password-protected access to allow follow-up without difficulty in 605 cases. Non-PHI data from prospective and follow-up forms were available to the study investigators via standard file transfer protocol. Conclusions Data can be accurately collected from on-duty clinicians in the ED using real-time, PC-Internet data entry in compliance with the Privacy Rule. Deidentification-reidentification of PHI was successfully accomplished by a password-protected encryption-deencryption mechanism to permit follow-up by approved research personnel.