1. Is my practice data secure?
Your data is completely secure. The Vestrum Health IT team has broad experience and uses industry-standard security procedures to maintain data security. In addition, no protected health information (PHI) is stored on Vestrum servers.
2. To whom does Vestrum intend to sell the data?
Vestrum Health’s primary customers are physician practices, the pharmaceutical industry and medical device manufacturers. Vestrum will not release data to payers or government entities.
3. How are physicians de-identified?
All data released outside of Vestrum Health is in the form of statistical analysis and does not include physician or practice names. Analysis may include breakdowns by demographic categories, geographic areas, and practice size, but in all cases there is no disaggregation that would disclose the identity of a physician or practice. For example, practice size information is provided as a range and geographic information is limited to a three-digit ZIP code. Additional blurring of practice demographics is performed in markets with relatively few retina practices to further assure physician and practice de-identification. Data provided for clinical research does not include any physician identifiers or demographics.
4. How are patients de-identified?
Patient identifiers are removed and replaced with an alphanumeric identifier using an industry-standard one-way hash algorithm. No one can reverse the algorithm to generate patient identifiers. As in the case of physician/practice information, only statistical reports are released, and there are always a substantial number of patients in any report to ensure that there is no risk of identifying patients. Vestrum Health does not release any data that permits any possibility that a patient can be identified.
5. Do I have to change my practice privacy policy?
No. The data that is used for commercialization, analytics, and research does not contain any PHI, and therefore the practice privacy policy does not need to be revised.
6. Must all physicians in the practice participate?
No. Vestrum Health encourages full and unrestricted participation to maximize the value of the dataset, but each individual physician in a practice can choose to participate or not. Obviously, non-participating physicians will not be provided with reports or be able to participate in revenue-generating opportunities.
7. Can our practice participate in other data initiatives if we participate in Vestrum?
Your relationship to Vestrum is not exclusive. You may participate in the AAO’s IRIS registry or other commercial data initiatives.
8. Can I terminate participation?
Yes. Physicians may terminate their participation at any time by giving 30 days' notice.
9. Does it cost anything to participate?
No. There are no activation, interface, or maintenance fees.
10. What agreements do I need to sign?
There are 3 agreements:

  1. A purchased agreement that governs the exchange of your practice’s data in exchange for reports.
  2. A business associate agreement (BAA) that ensures Vestrum will keep the release of its data secure.
  3. A consent agreement for cloud-based EHRs that provides consent for the EHR supplier to release its data to Vestrum.
11. Why do I need to sign a BAA for the data provided to Vestrum, if the data is de-identified?
There can be occasions where certain data fields provided to Vestrum contain names. The purpose of this agreement is to ensure that, in the event that this occurs, both the practice and Vestrum arrangements are covered by the HIPAA regulations and such information will be treated securely. Note further that raw data is not divulged to any party. Vestrum Health has systems to extract relevant data from text fields, so no personal information is stored in our operating databases.
12. Which EHRs do you interface with?
Vestrum interfaces with both cloud-based and on-premise systems. Please contact Vestrum for further details.
13. Do I need to involve my technology people in developing the interface?
If data is received directly from the EHR (authorized by the practice), this requires no involvement of the practice at all. If a direct feed is required from the practice and not through an EHR provider, a limited one-time setup, with occasional interactions, may be required.
14. Will the data extract disrupt my business operations?
The data extract is performed outside of business hours or in a way that has no interface or interaction with your operations. In most cases, the extract will be from the history or back-up files.