Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA. As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog, and by the realization that we have addressed only a minuscule fraction of the health care privacy and security issues of the past year. I see a recurring theme, though: a persistent refusal or reluctance to grapple with one’s identity and related responsibilities under HIPAA. It is almost as though we think there’s no HIPAA problem that a slapped-on Business Associate Agreement (BAA) bandage can’t cover. In reality, though, the sloppy BAA (or Notice of Privacy Practices (NPP), described below) may just confuse matters.
A few explanations come to mind when I think about the reasons for this HIPAA identity crisis. Our world has become data-driven, security-scarred, and privacy-perplexed. The need to access and share private information electronically has become a given, just as examples of breaches in the security of this information explode in the headlines almost daily. In addition, we don’t seem to have widespread public agreement as to what “privacy” means when it comes to the personal information we create, receive, maintain, or transmit electronically.
The bottom line? If you use or disclose health information, pay careful attention to whether you are covered by HIPAA and understand your identity as a covered entity, business associate, subcontractor, or some combination of these roles. If you aren’t covered by HIPAA, don’t confuse everyone by sounding as though you are. In either case, resolve to spend time in 2014 understanding your privacy and security responsibilities before using or disclosing individually identifiable information.