When it comes to businesses in the healthcare sector, the question often is: “Do I need to be HIPAA Compliant or Not?” The short answer is that if your application or business handles PHI (protected health information) electronically, the answer is most-likely yes. Those that use an EMR (electronic medical record) system, and those who interact with any type of PHI are subject to the HIPAA Privacy Rule. However, there are some situations in which data that would fall under the category of PHI (and thus be covered by HIPAA) can be disclosed or shared without explicit permission. Specifically, data that is “de-identified” is classified as non-PHI and is subsequently not as stringently-protected as data that includes personally-identifying private information (such as addresses, diagnoses, and social security numbers).
Typically, PHI is disclosed for research purposes. There are specific provisions of HIPAA that account for such a release. The Privacy Rule was initially devised to specifically protect individually identifiable health information, but recognizes the utility of having a bulk of health information (even if it is anonymized). In accordance with this idea, §164.502(d) of the Privacy Rule permits a HIPAA covered entity to remove identifying data from the information, in §164.514(a)-(b) the standards to which this data need be anonymized are laid out. In essence, the data must be redacted in such a way as to prevent identification of the subject of the data. Once this is done, it is no longer PHI and thus no longer subject to HIPAA regulations for storage or transmission. This information can be disclosed without authorization.
The Privacy Rule also accounts for the fact that researchers may need to generate or interact with PHI through the course of research. This type of interaction is regulated by HIPAA as well. The Privacy Rule gives the subjects of the PHI an opportunity to authorize or deny disclosure of their PHI and to specify to what extent it is utilized. This type of disclosure requires a statement of that individual’s right to revoke his or her authorization, how to do so, and the exceptions to this right (if applicable). In addition, it must be made clear whether treatment, payment, eligibility of benefits, or enrollment can be affected by such authorization. Finally, research-related disclosures also require that the subject is made specifically aware of the possibility that PHI will be revealed, despite efforts at de-identification and anonymization. This authorization must be written, and written in a language that is plain-and-clean to understand while including the core elements listed previously. A copy of the signed authorization must also be provided to the subject.
Furthermore, in the event that written authorization is impractical to acquire due to the size of the research group, the Privacy Rule also offers additional exceptions for use of data through authorization waivers by an IRB (Institutional Review Board) or for those using a “limited data set.” However, for the most part, HIPAA Compliance is recommended if the possibility exists of having PHI on one’s servers or networks. When it comes to HIPAA Compliance, it’s better safe than sorry!