ONC Explains Who Isn’t Covered by HIPAA

William A. Hyman
Professor Emeritus, Biomedical Engineering
Texas A&M University, w-hyman@tamu.edu

Discussions of HIPAA and HIPAA violations are common in these pages, and are of course important for those subject to the requirements and wrath of HIPAA. I have also heard that “What about HIPAA?” is a question that can kill an app developer’s bid for funding. In this context it is perhaps refreshing to read what ONC has to say about what types of health data, and those who collect it, are not subject to HIPAA.

The key is that HIPAA only applies to specific, if numerous, covered entities: health plans, health care clearinghouses, health care providers conducting certain electronic transactions, and their “business associates.” In today’s share-and-collect environment there are many other parties and devices that hold individual health-related data, but if they aren’t one of the above they aren’t covered by HIPAA. This includes data from medical (FDA regulated) and personal health (not FDA regulated) devices. In some cases it is not the device that defines the HIPAA issue but who provided it or directed its use. In particular, if a covered entity is involved the data may be covered, but if only the user and the vendor are involved then it isn’t. Similarly, if a covered entity operates or provides a web site for recording health information, that information is subject to HIPAA. If an independent third party does the same thing, HIPAA does not apply.

Some medical information may be voluntarily provided by patients, while other information is collected without our overt knowledge, even though we clicked Agree to the long disclosure we didn’t actually read. In addition, later changes in such agreements may not be clearly communicated. Non-HIPAA data collectors may have varying practices and varying disclosures about sharing data with other parties. Collected information might also be obtained by hacking its custodians. Here HIPAA covered entities are required to provide certain security measures such as encryption and auditing, while non-covered entities are not. In more indirect cases health information can be obtained or inferred from social media, including health-related discussion groups. It has also recently been shown that health status and even diagnoses can be inferred from web searches. In addition, bits of data from various sources can be combined in a Sherlock Holmesian logic trail that can lead to conclusions (right or wrong) that none of the databases individually contain. My own mini defiance of search profiling is to once a day search for something I have no interest in, although I suppose even deciding what it is that I am not interested in itself tells a tale.

The FTC also plays a consumer protection role here with regard to proper disclosure of practices, general fairness principles, and appropriate responses to data breaches. A curious FTC-covered breach in the ONC report concerns a medical transcription service that had patient notes on an unsecured server that was findable by a standard internet search. The FTC’s requirements also apply to covered entities, who therefore have the pleasure of falling under both HIPAA and the FTC.

One of the consequences of the pervasive availability of data is that it can be used in ways you didn’t anticipate, by vendors you knew you had some kind of relationship with, and by other vendors and thieves you didn’t mean to have a relationship with. This may be subject to a mix of laws and regulations that casts a loosely woven net of protections. HIPAA is only one part of this net, and it only covers some players. But enough of this, it is time for me to post my latest lab results to my Facebook page.