We have received inquiries related to HIPAA (Health Insurance Privacy and Accessibility Act) compliance when using BrainMaster equipment, software, or services. There have been concerns that if a client’s name is revealed in connection with EEG or related data, that a HIPPA violation may occur. This note will clarify and address these concerns.
HIPAA pertains to PHI (Protected Health Information), which includes: “Past, present or future physical or mental health condition of an individual,” “The provision of health care to an individual,” and “The past, present, or future payment for the provision of health care to an individual.” This information is exemplified by clinical records and financial records that explicitly contain a diagnosis, treatment plan, or payment information.
It is first noted that, when used as intended, none of the BrainMaster related products or services contain PHI information. EEG, QEEG, and related data are not considered diagnostic, and data and reports do not typically contain information related to diagnosis. They provide functional electrical data and analysis thereof, and any diagnosis that follows is entirely the responsibility of the practitioner.
The recognized uses for BrainMaster equipment are “relaxation and re-education,” and “spectral analysis of the EEG,” not the diagnosis or treatment of any particular disorder. Also, when using FDA-registered databases such as those from Applied Neuroscience, Inc., BrainDX, or the Human Brain Institute, they also do not provide diagnostic information, but rather statistical data that is to be interpreted by the practitioner. Neither EEG nor QEEG are considered “diagnostic” in a strict sense, including when used with z-scores or discriminant functions. The only exception is the recently FDA-approved NEBA device that provides a diagnosis of ADD/ADHD based on an EEG parameter, and this uses a proprietary algorithm and database.
These facts notwithstanding, BrainMaster recommends that software and services be used with a codified identifier that is not directly related to the ability to identify the client. This will prevent any inadvertent disclosure of EEG, QEEG, or related data that could be associated with a client. It is intended that the user will enter an ID of an appropriate type, that does not disclose the client’s identity. A file or key that associates each client with a unique ID should be maintained separately, in the client’s file, or in any suitable location.
Given these two considerations, (1) BrainMaster systems and services do not contain HIPAA sensitive information, when used as intended, and (2) users should use a codified identifier for clients, then the user of BrainMaster products and services will comply with all HIPAA related requirements.
The following figure shows the folder selection control panel in the BrainMaster 4.0 software. Note that no patient-related identification information is used or shown anywhere in this example.
If client identification information is codified in this manner, then there is no further possibility of having client information disclosed in a manner that violates HIPAA requirements.
The following example shows how it is recommended to use an online report service, by using a codified client ID:
When used as intended, BrainMaster systems do not contain information that is considered PHI (Protected Health Information).
BrainMaster recommends nonetheless using a codified patient ID, so that no patient identification information is contained in the EEG system or records in any form.