What Does HIPAA Cover?
With the increase in apps and services aimed at nudging life closer back to “normal,” one of the most frequent questions we’ve received from organizations is: How do we comply with HIPAA?
My response is always: Why are you so sure you are covered by HIPAA?
The definition of personal health information (PHI) is so expansive that almost any data being processed could meet the definition (e.g. age, gender, temperature). However, the act of processing PHI does not necessarily mean your organization falls into the scope of HIPAA.
Rather than focus on the data you process, your organization should focus on the activities that you conduct with the data.
The main question to ask is: Do you provide or conduct transactions for health care?
The definition is broad but not all encompassing:
health care means: care, services, or supplies related to the health of an individual. It includes, but is not limited to, the following: (1) Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
If your answer to that question is no, then you are out of scope and likely in the clear. The detailed definition is why you often see lengthy disclaimers in many user agreements stating that a company is NOT providing any of the actions described.
There are additional requirements (e.g. transmitting transactions electronically) and activities (e.g. providing services for a covered entity), but focusing on the definition of “health care” is the optimal starting place to address HIPAA questions for any organization.
This blog post is meant as an informative, simple, high level overview regarding the scope of HIPAA, and your approach likely needs to be more complex. Bay Regulatory Strategy has helped our clients address potential HIPAA obligations and has several processes and templates to help you efficiently conduct your risk analysis and build your compliance program. For help with HIPAA or any other data privacy questions, please reach out to us at adam@bayregulatorystrategy.com.
Nothing in this article is meant to represent formal legal advice. Different requirements may exist for state, local, and international jurisdictions. Please reach out directly with any questions.