
Protecting PHI: Does HIPAA compliance go far enough?

Fully protecting personal health information needs more than just HIPAA compliance. Expert Mike Chapple explains what kind of data is left unprotected under HIPAA.

Is there any merit to the claims that HIPAA doesn't cover all personal health information? If so, what kind of data is left unprotected? Should my firm be taking any steps to rectify this?

In terms of protecting personal health information (PHI), HIPAA does not cover it all. It is a common misconception that the law regulates any health data in the hands of any person. In reality, the law is tightly written to apply only to four types of HIPAA-covered entities:

  • Healthcare providers, such as doctors and hospitals
  • Health plans, such as health insurance companies
  • Healthcare clearinghouses, such as medical billing services and health information exchanges
  • The business associates of any of the above HIPAA-covered entities

There are also exceptions within these categories. For example, to be considered a HIPAA-covered entity, a healthcare provider must engage in one or more electronic transactions from a list contained within the regulation, such as processing medical insurance claims. It is possible that small providers who have avoided electronic transactions are not subject to the law at all.

While covered entities must comply with HIPAA's privacy and security regulations, many types of health information are handled by organizations that fall outside the scope of the law. For example, consider the realm of consumer medical technology. An electronic activity monitor -- such as a Jawbone Up or Fitbit -- or an Internet-enabled scale or blood pressure monitor most likely transmits health information to the cloud, with no regulation. Similarly, an employer may handle health information from workers' compensation claims or FMLA records -- again, outside the scope of HIPAA.

So when it comes to protecting PHI more effectively, should a firm take steps to remediate this? The bottom line is that if a firm is not a covered entity or a business associate, it does not need to be concerned about the HIPAA regulation. However, anyone handling sensitive personal health information should take steps to ensure it is protected. While it may not be a legal obligation, it is the right thing to do.


This was last published in December 2014
