11

If I were a marketing firm that provides analysis of visitor statistics from anonymous visitors and then ties that in to a CRM to track conversions, what would I have to do to the data to ensure that those customers' information is handled properly according to HIPAA, if the CRM database is on my portal, separate from their website?

The application tracks visitors with tracking cookies. The application also uses tracking phone numbers to associate calls into the businesses with the online visitors to determine offline conversions. Phone calls routed through the PBX create a new contact in the CRM and attach a recording of the call as well as a generated text transcription. These calls become associated with the anonymous visitor with the tracking cookie to determine the conversion source.

All of this information is gathered, sorted, and stored on our API server and the information can be pulled and viewed by our client purchasing these services through their account dashboard. I have just recently been introduced to HIPAA and I'm not familiar with what needs to be protected, and what doesn't have to be. I have been told that the fact that the customers of healthcare providers are contacting a healthcare provider needs to be protected.

I was curious as to whether or not the data needs to be obfuscated for our interaction with their account on their behalf among other things.

Steve Buzonas
  • @Steve Buzonas... I cannot get a clear picture of what you are trying to do. Could you elaborate? Tell us how Private Health information is involved? Is it part of the CRM DB or is it a part of the visitor statistics gathered? –  Dec 28 '11 at 20:29
  • @JohnHartsock We aren't collecting the health information, we are just collecting the data from the customers we generate for them to be automatically populated in the CRM that we provide. –  Dec 28 '11 at 20:57
  • @Steve Buzonas... Then what would this have to do with HIPAA (Health Insurance Portability and Accountability Act)? –  Dec 28 '11 at 20:59
  • @JohnHartsock Part 1 is we gather demographics to target specific markets for campaigns. I believe all of the information we gather is "fair game" until we associate it with an individual. My understanding was that locations, phone numbers, etc. were PHI and could not be used without implementing additional measures. Part 2 we take the information gathered and use it for statistics and reporting to the client; we also take this information and provide a gateway where our client can see all of their customers and all digital forms of communication: phone, email, website contact form, etc. –  Dec 28 '11 at 21:20
  • 1
    @SteveBuzonas You are taking HIPAA out of context. In general you should always protect personal information over the web. But this is not specific to HIPAA. –  Dec 28 '11 at 21:23

3 Answers

11

You're walking into murky territory in that A/V content (such as a recorded or transcribed phone call) is wide open, so if I were in your shoes I'd apply stringent security/protocols to your CRM. If you record a phone call that starts with "Hi my name is [name] and I just contracted [disease] and will be undergoing [procedure]"...you've just captured and housed a LOT of PHI. Perhaps an end-run here (if applicable) would be to disclaim prior to capturing the phone call: "please do not talk about personal or confidential health matters" (kinda like the placards you might see in hospital elevators).

Your affiliation with customers who are HIPAA covered entities (if you end up transacting with PHI/PII) will make you a "business associate" (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). Read about the contractual needs there between you and the covered entities.

Lastly, do your homework to make sure the access/info you provide is TRULY anonymous if it need be so. Phone numbers, IP Addresses, etc., are examples of PII (personally identifiable information) under HIPAA. NIST Guidance on PII: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf (e.g. search for 'phone number'). Remember, though, if you are a business associate of a covered entity, you're allowed to exchange and/or use PHI under pre-defined rationale.

I don't think this is a complete answer, but here's some thoughts & links based on what you've described/asked that I believe should help.
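The answer above makes two separate points: that tokenizing identifiers does nothing about PHI spoken on a recorded call, and that phone numbers and IP addresses are themselves PII that should be "truly anonymous" if the dashboard is meant to be. The following is an added example (not code from the original answer or the asker's product) of how a call-tracking pipeline can replace the raw identifiers with keyed pseudonyms so the analytics side can still correlate a visitor with a later phone call without storing the raw number or address. It assumes US-style 10-digit phone numbers and that the HMAC key (`PSEUDONYM_KEY`, generated here only so the example runs offline) lives in a separate secrets store, never next to the analytics data. The field names (`caller_phone`, `visitor_ip`, etc.) are made up for the example.

```python
"""
Added example (not from the original post): keyed pseudonymization of the
phone numbers and IP addresses that a call-tracking/CRM pipeline stores.

Why HMAC rather than a plain hash: a bare SHA-256 of a phone number is not
anonymous, because the space of 10-digit numbers is small enough to
enumerate and match against the hashes. Keying the MAC with a secret held
outside the analytics database closes that gap. Normalizing the identifier
first ("(555) 123-4567" vs "555.123.4567") is what makes the token usable
as a join key between web visits and phone calls.
"""
import hashlib
import hmac
import ipaddress
import re
import secrets

# Constructed for the example; in a real deployment this key is stored in a
# separate secrets manager and never alongside the pseudonymized records.
PSEUDONYM_KEY = secrets.token_bytes(32)


def normalize_phone(raw: str) -> str:
    """Reduce a US-style number to its 10 digits: '(555) 123-4567' -> '5551234567'."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the US country code
    if len(digits) != 10:
        raise ValueError(f"unrecognised phone number format: {raw!r}")
    return digits


def normalize_ip(raw: str) -> str:
    """Canonical text form of an IPv4/IPv6 address; raises on malformed input."""
    return str(ipaddress.ip_address(raw.strip()))


def pseudonymize(kind: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a stable, keyed token for an identifier.

    The 'kind' label is mixed into the MAC input so a phone token can never
    collide with an IP token even if the normalized strings happened to match.
    """
    if kind == "phone":
        canon = normalize_phone(value)
    elif kind == "ip":
        canon = normalize_ip(value)
    else:
        raise ValueError(f"unknown identifier kind: {kind}")
    msg = f"{kind}:{canon}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def scrub_call_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Replace raw identifiers in a call-tracking record with tokens.

    Only the identifier fields are touched. A recording or transcript field
    is left as-is: tokenizing the caller's number does nothing about PHI the
    caller may have spoken, which must be handled separately.
    """
    out = dict(record)
    if "caller_phone" in out:
        out["caller_token"] = pseudonymize("phone", out.pop("caller_phone"), key)
    if "visitor_ip" in out:
        out["visitor_token"] = pseudonymize("ip", out.pop("visitor_ip"), key)
    return out


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = {
        "call_id": "c-0001",
        "caller_phone": "(555) 123-4567",
        "visitor_ip": "192.0.2.10",
        "campaign": "spring-checkup",
    }
    print(scrub_call_record(sample))
```

The same caller dialing from "1-555-123-4567" and "(555) 123-4567" yields one token, so conversions still line up across calls and web sessions; rotating the key on the analytics side breaks the link to older tokens, which is the intended property if a client relationship ends.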

9

HIPAA only applies to health information, primarily as it applies to the interactions between health care providers and health insurance agencies.

Unless I'm misunderstanding something, it doesn't sound like you're doing anything with health information, nor does it sound like your agency is a "covered entity" under HIPAA. You can take the "Am I a covered entity" quiz on the HIPAA website to learn more about it, but it doesn't sound like HIPAA applies to what you're doing.

(That doesn't mean you shouldn't protect the data anyway, just on general principle though :))

  • 1
    Well put. If the marketing firm's client was a covered entity, linking the PII to health data would raise flags for the client. Imagine if the call to action was "click here for help with your diabetes / cancer / insert-health-term-here." –  Dec 29 '11 at 18:47
  • We are not a covered entity. We have a client that is. Would our client still be HIPAA compliant if we were to share contact information between us and them about the patients? –  Dec 30 '11 at 09:08
  • If they are sharing protected health info with you, and you are not a covered entity yourself, there would need to be a Business Associate contract in place defining the parameters of the data exchange. So it would depend on the contract. See here for an [example](http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html). I don't see any reason why you couldn't share data with _them_ (one-way) but I am not a lawyer so I could not say for sure. –  Dec 30 '11 at 10:01

4

HIPAA only applies to health insurance companies, providers, and such, but since you are a company providing resources to one of these covered entities, they may have a business requirement of compliance for their data (and any log files or other items that would be related to their business).

With that said, it can be a sticky situation as far as liability, and you need not only programmatic "compliance", but also your lawyers to look into what implications any breach or risks would have for everybody involved.