October 2011 eUCI and You Ryan White Services Report HIV/AIDS Bureau, Health Resources and Services Administration Welcome to the eUCI and You video! This is one of several videos to help orient you to the Ryan White Service(s) Report – a report submitted annually to the HIV/AIDS Bureau in the Health Resources and Service Administration by Ryan White grantees and providers. This 8 and a half minute video will present what you need to know about the eUCI, or the encrypted Unique Client Identifier. If you still have questions, we present some TA resources at the end of the video.
1 2 3 This video will answer… What is the eUCI? 2 How does the eUCI ensure the de-identification of client data? 3 How can I incorporate the eUCI into my data system? This webcast has three short segments. In the first segment, we tell you what the eUCI does. (2) The second section focuses on privacy and security. We show how the eUCI helps protect client data so they are private and secure. (3) In the third section, we explain how the eUCI can be incorporated into a your data system. We will also show you consistent ways to deal with special data.
Purpose of the eUCI Client Privacy Link Reports Ensures client privacy and the security of health care information through encryption Client Privacy Links client health and service utilization data across providers and over time Link Reports Purpose of the eUCI The eUCI has two main goals. (1,2) First, because the eUCI contains limited personal identifying information, client data within the RSR are protected and client privacy is maintained. (3,4) Second, through the eUCI, HAB can link reports that belong to the same client, but are received at different points in time or from multiple providers. Each client should have his/her own eUCI and that eUCI should not change over time or across providers (unless, of course, the underlying data elements change).
Overview of the eUCI The URN acts as the RSR UCI The UCI is encrypted 1st and 3rd letters of first name 1st and 3rd letters of last name Full date of birth Gender code The UCI is encrypted The UCI is encrypted with the SHA-1 hashing algorithm Final character assigned by the provider “U if unique within the provider site “A”, “B”, or “C”, etc… if not unique Overview of the eUCI The UCI selected for the RSR System is the Unique Record Number, or URN. Many of your data reporting systems already create the URN. It has 11 characters and uses the first and third letters of first name, first and third letters of last name, full date of birth, and a code for gender. (1) To remove identifying data from the UCI, it is encrypted with the SHA-1 hashing algorithm. This meets the highest current standards. We will discuss it in greater detail in segment 2 of the presentation. The encryption turns the 11 characters of the URN/UCI into a 40-character string of letters and numbers. (2) The final, 41st character of the eUCI indicates whether any other client at the point of service has the same 11-character UCI by comparing it to existing UCIs within the system. This comparison process should be performed by the provider. If a client does not share the same UCI with another client, the final eUCI character is “U” for unique. If clients do share the same UCI, the first client should receive an “A”, the second client a “B” and so on. Providers typically determine whether two records with the same UCI are actually the same person by reviewing other data elements within the system, such address or phone number. If the duplicate records with the same UCI are, in fact, the same client, the client data elements must be merged and reported under one record. If the records represent different clients, the 41st character of the eUCI should be changed to “A”, “B”, “C”, etc. Through this process, no two clients within the same provider site should share the same eUCI.
Client intake data is loaded into your data system eUCIs Are Created at Point of Service Client intake data is loaded into your data system You build the UCI and the eUCI at the point of service. This depends on the intake or registration process. When a funded client visits a Ryan White provider or grantee for health care services, (1) at intake, that client provides personal information such as name and date of birth. (2) You then load into your data system.
The UCI is created from this personal information A program within your system encrypts the UCI, creating the eUCI The eUCI is created as part of the client-level data XML file You upload the client-level data XML file to the RSR system (1,2) A program within the system takes pieces of the personal information to create the UCI and (3,4) encrypt it. (5,6) The eUCI is created as part of the client-level data XML file. (7,8) When this file is uploaded to the RSR system, it has been stripped of personal information such as name, DOB and is identified only by the eUCI.
HAB receives client-level data files from multiple providers with this same eUCI and merges these reports When HRSA/HAB receives more than one report with the same eUCI, these reports can be merged (1). With these merged reports, HRSA sees a more complete picture of the client’s health and service utilization history.
How does the eUCI ensure the de-identification of client data? This video will answer… How does the eUCI ensure the de-identification of client data? Now that we have a good understanding of how the eUCI is generated and used within the RSR System, we will go into greater detail about its role in promoting client privacy and the security of Ryan White client data.
The Security of Health-Related Data Has Become Increasingly Important HIPAA (1996) protects patient health-related data The Privacy Rule (2003) makes new requirements for the use of confidential data HIPAA requirements are the minimum allowable; some states have enacted even stricter laws Rules change – we will show you where to check to stay up to date (1) In 1996, the Health Insurance Portability and Accountability Act, commonly known as HIPAA, was passed to protect patients’ health-related information. (2) In 2003, the Privacy Rule made clearer which entities fall under HIPAA’s mandate. (3) As HIPAA serves only as the “floor” of client privacy and data security, grantees and providers in many states have to follow even stricter protocols. (4) These rules change and at the end of the presentation, we will provide a link to use to keep up to date with emerging privacy rules.
Name: John Doe, DOB: February 2, 1964, Male eUCIs Protect Health Information by Removing Individually Identifiable Components Name: John Doe, DOB: February 2, 1964, Male UCI: JHDE0202641 The eUCI encryption technique supports HIPAA compliance because identifiable information is not transmitted through the RSR System. (1) Imagine a client named John Doe who is born February 2, 1964. (2,3) The unencrypted UCI in row 2 still has identifiable information, such as full date of birth and the client’s initials. Combined with other data in the Ryan White Service Report, this information could be used to identify the client. (4,5) With encryption, however, the UCI is converted into a seemingly random string of letters and numbers, making the eUCI unidentifiable information. eUCI: 8417D5706B0B40E52BA8FE4F95460CB9DC2223AAU
The UCI is Unrecoverable from the eUCI (1, 2, 3, 4) The encryption technique selected for the UCI is the SHA-1 Algorithm. This is a trap door algorithm – meaning that the UCI cannot be deciphered from the eUCI. The SHA-1 was designed by the National Security Agency. It is employed in several widely used security applications and protocol, and meets highest federal standards, including being required by law for use in certain U.S. Government applications.
How will the eUCI be incorporated into my data system? This video will answer… How will the eUCI be incorporated into my data system? In the final segment of this webcast, we provide you with an overview of how to the eUCI is incorporated into your data systems.
The eUCI algorithm is integrated into RSR-Ready Systems T-REX also has a built-in eUCI creation function All other providers should use the eUCI Application Grantees/ providers must use the same algorithm in the same way to create the eUCI (3) If you use T-Rex to transform your client data into the correct kind of XML file, that is just fine. T-REX also has the eUCI generation function, so you don’t need the separate application. Once again, make sure you are using the most recent version. (1) For the same eUCI to be generated for a given client across provider sites, all providers must use identical algorithms for creating and encrypting the UCI. (4) In other cases, you must install the eUCI Application. We’ll show you how to find this application at the end of this video. Remember how to make the URN? And how the URN becomes the UCI? That could be done by hand. It would also be easier to figure out. The UCI becomes the eUCI with a special software program. (2) If you use an RSR-Ready System, just make sure you use the most recent version. The eUCI software is already built in.
The eUCI Application If you do not currently use the URN Creates the UCI from data elements located within the your data system Encrypts the UCI to create the eUCI If you do not currently use the URN Encrypts the UCI, already created by your data system to create the eUCI If you currently use the URN The eUCI Application The eUCI Application does two things. (1,2) If your data system does not use the URN, the eUCI application will use the data you have to create the UCI. Then it will encrypt the UCI to create the eUCI (3,4) If your data system already creates the URN internally, the eUCI Application will use that for the UCI and then encrypt it. Note that the eUCI application cannot de-duplicate your data. If you use the eUCI Application to create the eUCI from individual data elements, all eUCIs will have a 41rst character of “U” regardless of how many records share the same data elements. If you use the eUCI application to encrypt the UCI, you must first determine if records with the same UCI are actually the same client and append the final digit to the 11-digit UCI. The eUCI Application instruction manual has more information on this process.
Spaces, apostrophes, hyphens Invalid eUCI Missing data Third character = 9 Two-character names Replaced with a 9 Spaces, apostrophes, hyphens Replaced with non-accented letters Accented letters The eUCI Application This slide shows how the eUCI Application deals with special data. (1,2) If any data elements are missing, the eUCI will not be created. (3,4) If a client’s first or last name is less than three characters, a 9 will act as the third character. (5,6) Spaces, apostrophes and hyphens are not dropped. If they are the first characters of either first or last name, the eUCI is invalid. If they are the third characters, they are replaced with a “9“. (7,8) Accented letters are replaced with non-accented letters.
eUCI Resources Download the eUCI Application and User Manual here: https://performance.hrsa.gov/HAB/RSRFiles/ Contact the DART Team (Data.TA@cicatelli.org) for support Guidelines for Creating the eUCI Document: http://careacttarget.org/library/Guidelines_for_Creating_the_eUCI.pdf List of RSR Ready systems: http://www.careacttarget.org/library/Vendor_Status_and_Contact_Information.pdf Link to HIPPA regulations: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html You can download the eUCI application from the HRSA website. If you have more questions about the eUCI, don’t hesitate to contact Ellie Coombs. The user guide that accompanies the eUCI Application and Guidelines for Creating the eUCI on the TARGET Center website are also good resources.
TA Resources Contract Cicatelli/Mission/Abt Data.TA@cicatelli.org TARGET Center website http://www.careacttarget.org/rsr.asp Ryan White HIV/AIDS Program Data Support 888.640.9356: M-F 9 am to 5:30 pm ET ryanwhitedatasupport.wrma@csrincorporated.com HRSA Call Center 877.Go4.HRSA (877.464.4772): M-F 9 am to 5:30 pm ET CallCenter@HRSA.gov Finally, here is how you can get a hold of TA team members and resources. If you don’t know who to contact, contact any of us and we can get you where you need to go. Thank you for joining us today!