Is there any merit to the claims that HIPAA doesn't cover all personal health information? If so, what kind of data is left unprotected? Should my firm be taking any steps to rectify this?
In terms of protecting personal health information (PHI), HIPAA does not cover it all. It is a common misconception that the law regulates any health data in the hands of any person. In reality, the law is tightly written to apply only to four different types of HIPAA-covered entities:
- Healthcare providers, such as doctors and hospitals
- Health plans, such as health insurance companies
- Health clearinghouses, such as medical billing services and information exchanges
- The business associates of any of the above HIPAA-covered entities
There are also exceptions for organizations within these categories. For example, to be considered a HIPAA-covered entity, a healthcare provider must engage in one or more electronic transactions from a list contained within the regulation, such as processing medical insurance claims. It is possible that small providers who have avoided electronic transactions may not be subject to the law.
While covered entities must comply with HIPAA's privacy and security regulations, there are many types of health information handled by organizations that fall outside the scope of the law. For example, consider the realm of consumer medical technology. If you use an electronic activity monitor -- such as a Jawbone Up or Fitbit -- or an Internet-enabled scale or blood pressure monitor, it is likely those devices transmit health information to the cloud -- with no regulation. Similarly, an employer may handle health information from workers' compensation claims or FMLA records -- again, outside the scope of HIPAA.
So when it comes to protecting PHI more effectively, should a firm take steps to remediate this? The bottom line is that if a firm is not a covered entity or business associate, it doesn't need to be concerned about the HIPAA regulation. However, anyone handling sensitive personal health information should take steps to ensure it is protected. While it may not be a legal obligation, it's the right thing to do.