We're a group within a civilian government health care agency that tracks health care investigations done by doctors across the U.S. We provide budget and lab space so doctors can get published in order to attract good doctors to our agency. The information we gather does not include patients' names or social security numbers. We only track what the doctors are doing with the budget money given them. How would we be affected by the latest changes to HIPAA? We feel at this point that HIPAA does not apply to us for the above reasons.
This can be a complicated issue, so I understand your concerns. It sounds like your organization could fall in the categories of a health care provider or business associate, but you may not be considered a HIPAA covered entity at all. You say that you do not gather patient names or social security numbers. Do you gather any other information from the patients? HIPAA specifies that any information that identifies or can be reasonably used to identify an individual such as name, address, social security number, phone and fax numbers, medical record numbers, e-mail addresses, URLs, IP addresses, etc. is covered under the rules. In a nutshell, if you gather this type of information and store it or transmit it electronically, then your organization is most likely considered a HIPAA covered entity. Otherwise, you should be in the clear.
This was first published in September 2002