A health data privacy expert explains how HIPAA functions with new sources of technology collecting more data.
The Health Insurance Portability and Accountability Act (HIPAA) was established before the turn of the millennium to provide data privacy and security provisions to safeguard medical information. While HIPAA was enacted in 1996, the law has become much more prominent over the last few years due to the rise of digitization in healthcare.
HIPAA was created before the industry could comprehend the novel technologies and streams of data that those tools would give access to.
With a plethora of ways for patients to generate data, including smartwatches and activity trackers, the role of HIPAA has become even more important and talked about in the industry.
“The framework addresses a limited set of data being touched by a limited set of actors,” said David Harlow, J.D., MPH, a healthcare attorney and blogger for HealthBlawg, during the Inside Digital Health™ webinar “Beyond Compliance: How to Secure Patient Data & Achieve ROI” on Thursday afternoon.
HIPAA relates to personal health information touched by covered entities and is constructed through standards, some of which are “mandatory,” some “addressable,” he said.
“It’s not a one-size-fits-all set of regulations; it can be very flexible,” Harlow said.
An academic medical center or a national health plan has a certain level of approach to data privacy and security, while an early-stage startup may not need to take the same full-on approach from the start. The startup could then adjust its approach as it gathers more data and partners with other organizations.
Although HIPAA exists, there are also state privacy laws across the U.S. that differ from one another, along with statutes, case law and privacy approaches that vary from state to state.
“Those privacy approaches deal not only with the protected health information that is covered by HIPAA, it also covers all sorts of other kinds of information that might be collected by our phones, our activity trackers and other devices we have with us,” Harlow said.
Until those are incorporated into a record held by a covered entity regulated by HIPAA, they are not regulated by the act, he added.
California, for instance, has its own legislation called the California Consumer Privacy Act.
This law has little effect on the use of health data by covered entities under HIPAA.
“The California law basically says, ‘If you’re covered by HIPAA, you’re covered by HIPAA, the end,’” Harlow said. “If you’re covered by HIPAA in one situation but you’re dealing with other kinds of data for other kinds of relationships, then you are covered by the California Consumer Privacy Act.”
For example, a provider has a lot of information about its patients, all of which is covered by HIPAA. The provider also has a lot of information about its employees, not covered by HIPAA, but covered by the California Consumer Privacy Act and other state — and potentially federal — laws, he said.
If a developer of an activity tracker sells it to someone living in California, the data generated that ends up on the buyer’s server is going to be governed by the California Consumer Privacy Act, Harlow added.
“In many respects, that act is a mini GDPR, meaning that it follows some of the European approaches to a broad stroke privacy structure,” he said.
Health systems need to keep an eye on what’s going on in their individual states with privacy laws, the webinar concluded.