We're a group within a civilian government health care agency that tracks health care investigations done by doctors across the U.S. We provide budget and lab space so doctors can get published in order to attract good doctors to our agency. The information we gather does not include patients' names or social security numbers. We only track what the doctors are doing with the budget money given them. How would we be affected by the latest changes to HIPAA? We feel at this point that HIPAA does not apply to us for the above reasons.
This can be a complicated issue, so I understand your concerns. It sounds like your organization could fall in the categories of a health care provider or business associate, but you may not be considered a HIPAA covered entity at all. You say that you do not gather patient names or social security numbers. Do you gather any other information from the patients? HIPAA specifies that any information that identifies or can be reasonably used to identify an individual such as name, address, social security number, phone and fax numbers, medical record numbers, e-mail addresses, URLs, IP addresses, etc. is covered under the rules. In a nutshell, if you gather this type of information and store it or transmit it electronically, then your organization is most likely considered a HIPAA covered entity. Otherwise, you should be in the clear.
This was first published in September 2002