The Health Insurance Portability and Accountability Act (HIPAA–referred to here to include its addendums, additions and modifications) limits access, use, and disclosure of sensitive Personal Health Information (PHI). The two key questions to determine whether HIPAA might apply to your organization are: (1) Is your organization a Covered Entity; or, (2) Does your organization deal in PHI? This article will address how to approach these questions.
1. Is your organization a Covered Entity?
HIPAA applies to Covered Entities, an important term which includes health plans, health care clearinghouses, and certain health care providers, such as those that transmit health information electronically in connection with certain financial and administrative transactions (for example, most hospitals). In contrast, HIPAA does not apply to many research organizations that handle PHI. Allow me to clarify which researchers may be subject to HIPAA.
Researchers are not Covered Entities unless they are also health care providers and engage in covered electronic transactions. Covered electronic transactions are those which involve the transmission of information between two parties to carry out financial or administrative activities related to health care, and contain the data points outlined in Section 2 below. HIPAA does not directly regulate researchers who are engaged in research within organizations that are not Covered Entities even if they gather, generate, access, and share PHI. For instance, a company that sponsors its own health research, or creates or maintains health information databases, is not a Covered Entity. An example of this would be a company like Fitbit, which creates wearable sensors.
Nonetheless, there are two key categories of researchers who are subject to HIPAA: (1) Covered Entity employees; and (2) researchers who use Covered Entity supplied data. In the first instance, the rule is simple: researchers who are employees of a Covered Entity are subject to HIPAA regulations.
The second instance may be more difficult to spot in big data sets. The rule is that if a Covered Entity supplies a researcher with PHI data, the data is subject to HIPAA. Furthermore, take note that research repositories and associated data are regulated under HHS and the Food and Drug Administration’s (FDA) Protection of Human Subjects Regulations. Researchers in medical and health-related disciplines frequently rely on access to many sources of PHI, such as medical records, epidemiological databases, disease registries, hospital discharge records, and government compilations of vital and health statistics. Clinical researchers often access medical information from patient charts and tissue and data repositories and create PHI in connection with an experimental intervention. Because this data may come from a Covered Entity, it may be subject to HIPAA. In conclusion, check to see if any of your data came from a Covered Entity.
2. Does your organization store or use PHI?
There are 18 key PHI data points. Covered Entities are granted “safe-harbor” if all these 18 identifiers are removed, and the Covered Entity does not have actual knowledge of a way to use the remaining information alone, or in combination with other information, to identify the subject. The key 18 PHI data points are as follows:
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
a. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
b. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4. Telephone numbers.
5. Facsimile numbers.
6. Electronic mail addresses.
7. Social security numbers.
8. Medical record numbers.
9. Health plan beneficiary numbers.
10. Account numbers.
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate numbers.
13. Device identifiers and serial numbers. 14. Web universal resource locators (URLs).
15. Internet protocol (IP) address numbers.
16. Biometric identifiers, including fingerprints and voiceprints.
17. Full-face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
Please contact me if you have any questions and stand by for part two on HIPAA compliance.
Disclaimer: This blog is not intended to provide legal advice or my legal opinion. Any legal references or citations mentioned in these articles may be out-of-date. It is your responsibility to speak with an attorney before relying on any information included in these articles. Should you need a legal opinion on any topic discussed in this blog, please do not hesitate to contact me.