Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA. As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog site and the realization that we have addressed only a miniscule fraction of the health care privacy and security issues of the past year. I see a recurring theme, though: a persistent refusal or reluctance to grapple with one’s identity and related responsibilities under HIPAA. It is almost as though we think there’s no HIPAA problem that a slapped-on Business Associate Agreement (BAA) bandage can’t cover. In reality, though, the sloppy BAA (or Notice of Privacy Practices (NPP), described below) may just confuse matters.
A few explanations come to mind when I think about the reasons for this HIPAA identity crisis. Our world has become data-driven, security-scarred, and privacy-perplexed. The need to access and share private information electronically has become a given, just as examples of breaches in the security of this information explode in the headlines almost daily. In addition, we don’t seem to have widespread public agreement as to what “privacy” means when it comes to the personal information we create, receive, maintain, or transmit electronically.
No wonder so many in the health care industry (including large, sophisticated health care providers and payers, the technology vendors serving them, and, as Bill Maruca discussed in his recent blog, even the government office in charge of enforcing HIPAA) cannot seem to get it right when it comes to understanding their roles under HIPAA. Christopher Rasmussen of the Center for Democracy & Technology wrote about “Covered California’s Misguided Privacy Policy” in an article published on December 17, 2013. Covered California, the state’s Affordable Care Act insurance marketplace, shared personal information from applicants who had not completed the application with insurance agents and brokers so that the agents and brokers could contact the applicants and invite them to complete the applications. Apparently, nothing on the Covered California website told applicants that their information would be shared in this manner, and as Mr. Rasmussen correctly points out, the Covered California’s published NPP confuses matters by making it appear that Covered California is a covered entity under HIPAA. The first line of the NPP reads: “This notice describes how medical information about you may be used”. Perhaps none of the applicants included medical information on their incomplete applications, but if they did, it seems unlikely they would want their medical information to be used in an unexpected sales pitch from an insurance broker.
The bottom line? If you use or disclose health information, pay careful attention to whether you are covered by HIPAA and understand your identity as a covered entity, business associate, subcontractor, or some combination of these roles. If you aren’t covered by HIPAA, don’t confuse everyone by sounding as though you are. In either case, resolve to spend time in 2014 understanding your privacy and security responsibilities before using or disclosing individually identifiable information.