
I have a web site where people fill in medical syndrome questionnaires. They can see how their condition changes over the time period.

I am not storing ANY PII, just a user name. I can store it encrypted (if I have to).

My question is – Do I have to be HIPAA compliant? Remember NO PII.

If I were to store an email address (encrypted), would that change my regulatory situation?

Thanks

Aaron

AaronS
  • This is a fantastic question! I also work in the health care field, and I'm considering making my own PCR (Patient Care Report) system, so anything to do with HIPAA I'm very interested in. – Mark Tomlin Dec 15 '11 at 09:48
  • If you don't even collect the name, then there is nothing to protect, as the information cannot be tracked to an individual. – Ramhound Dec 15 '11 at 13:38
    @Ramhound These days, people can be associated with their user accounts and the data they submit or publish to websites through more than just their name. I'd be *very* careful in saying that "for [x] situation, the information cannot be tracked to an individual". Even though what the OP here is collecting may not technically be classified as "PII", there's still other ways that the users of his website could be identified even if he is technically "HIPAA compliant" right now. Compliance is generally a step towards being more secure, but it is *not* total security on its own. – Iszi Dec 15 '11 at 14:00
  • @Iszi - How about if the only thing that is being collected is the answers to the survey questions, and not even the IP address is recorded? Then it wouldn't be possible to link answers together. – Ramhound Dec 15 '11 at 14:22
  • @Ramhound In theory, that would work. There may be some side-channel inference attacks against it, but I'd expect that to be fairly difficult to accomplish. The problem here though, is that the OP's site *does* link the questions together - that's the only way *"They can see how their condition changes during the time period."*. – Iszi Dec 15 '11 at 14:48
  • @Ramhound "...and not even the ip address is recorded"? I would like to see that web host working without the usual server logs. Remember? Server logs? Besides, there are some other, more important reasons why HIPAA would be needed. Check my answer below. – Dec 27 '11 at 10:56
  • This would be a good question for a [Healthcare Industry](http://area51.stackexchange.com/proposals/41370/healthcare-industry?referrer=0FgbVsKaId7Z_15aCbzplg2) stack exchange. – Oleksi Jul 21 '12 at 22:29

2 Answers


Yes, you do have to be HIPAA compliant.

I'll keep the reasons as short and as logical as I can:

  1. Protecting data by the use of cryptography is nothing else but a security layer you are using (which is good), but it does not void the need to be compliant with Health Information Privacy. In fact, this kind of protection is described in the "Security Rule" of HIPAA.
  2. A "health profile" by itself can be personally identifying even without the storage of a name or email. One of many examples would be possible information about a person's DNA, or an uncommon disease, or a specific handicap, or even a non-typical illness. Even the blood type is PII when you combine it with small pieces of other information from a health profile.
  3. You talk about requesting a name or even an email. A real name or even an email address on its own also qualifies as PII, as it explicitly allows personal identification. Combine that with the "health profile" and you're in even bigger trouble if HIPAA compliance isn't 100%. An example of what happens when it's not: July 2011, UCLA agreed to pay $865,500 in a settlement regarding potential HIPAA violations. Think about it. Stuff like that happens. Got enough cash in your pockets for something like that? If so, I bet you'd rather spend it on something else. ;)
  4. You describe the example of a "web site where people fill in medical syndrome questionnaires. They can see how their condition changes during the time period." Tracking these "medical conditions" is like tracking website visitors online: every additional piece of information builds a more complete "profile", up to the point where people can be personally identified by looking at their condition changes and comparing that (for example) with a randomly selected group of people that could potentially match such profiles.

There are a few more points, which I'll skip to keep it short. But as you see, there's already ample reason to watch your step if you think about collecting "health profiles" while thinking about ignoring HIPAA.

The combination of a health-profile with any other kind of personally identifying information (like a "real name" or "email" or even a simple "postal code") actually forces you to be HIPAA compliant.

Besides, it will make your customers/website visitors/health-profile providers feel a lot more comfortable and safe if they notice you take their privacy more than seriously. I think that's a bonus you shouldn't ignore... including the fact that HIPAA compliance can legally protect you in a worst-case scenario.

To wrap it all up again:

  1. Health Profiles are PII (Personally Identifying Information) since they are PHI (Personal Health Information). Guess why HIPAA was created in the first place!
  2. Emails are PII.
  3. Names can be PII when real names are used.
  4. Encryption has nothing to do with the question of whether or not you need to be HIPAA compliant, because "what has been encrypted can be decrypted". Let me be absolutely clear on this one: encryption does not void the fact that you collect PII, it only protects the data you collect.

In fact, you should go check on HIPAA yourself to make sure you know what you're asking about here...

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

As you'll notice, my answer indicates nothing else than what the "U.S. Department of Health & Human Services" says... I just use more human wording. ;)

Now, if you really want to avoid being compliant with HIPAA, all you have to do is make sure your "health profiles" are 100% anonymous. No emails, no real names, no collection of any potentially personally identifying information or health information... the lot. And be sure you're not missing something!

The alternative to that is to make it easy on yourself and simply choose the HIPAA compliant way to work.

If you want to dive in a bit deeper, there's some additional info at https://www.cms.gov/hipaageninfo/ which might be interesting for you to check out. That is, besides that link I already noted above: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
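The answer above argues (points 2 and 4) that a "health profile" with no name attached can still single a person out once a few fields are combined, and the HHS text it quotes says de-identified data must give "no reasonable basis to identify an individual". The following is an added example, not part of the answer or of any HHS guidance: it measures that risk on a small constructed data set with the k-anonymity heuristic (how many users share the same combination of quasi-identifying fields). The records, field names and the `generalize` helper are my own invented stand-ins; `generalize` only drops fields and coarsens the birth year, it is not an implementation of the Safe Harbor identifier list.

```python
from collections import defaultdict

# Constructed questionnaire rows (invented for this example). As in the
# question, no name or email is stored, only a user handle plus the answers;
# the demographic fields are the kind of thing a symptom questionnaire asks.
RECORDS = [
    {"user": "u01", "postal_code": "94110", "birth_year": 1979, "blood_type": "O+",  "condition": "migraine"},
    {"user": "u02", "postal_code": "94110", "birth_year": 1979, "blood_type": "O+",  "condition": "migraine"},
    {"user": "u03", "postal_code": "94110", "birth_year": 1979, "blood_type": "AB-", "condition": "migraine"},
    {"user": "u04", "postal_code": "94110", "birth_year": 1962, "blood_type": "A+",  "condition": "ulcerative colitis"},
    {"user": "u05", "postal_code": "94117", "birth_year": 1962, "blood_type": "A+",  "condition": "ulcerative colitis"},
    {"user": "u06", "postal_code": "94117", "birth_year": 1985, "blood_type": "O+",  "condition": "migraine"},
    {"user": "u07", "postal_code": "94117", "birth_year": 1985, "blood_type": "O+",  "condition": "migraine"},
    {"user": "u08", "postal_code": "94117", "birth_year": 1985, "blood_type": "O+",  "condition": "migraine"},
]

# Fields an outsider could plausibly learn about someone by other means
# (assumed quasi-identifiers for this example).
QUASI_IDS = ("postal_code", "birth_year", "blood_type", "condition")


def equivalence_classes(records, quasi_ids):
    """Group user handles whose values on the quasi-identifier fields are identical."""
    groups = defaultdict(list)
    for rec in records:
        key = tuple(rec.get(field) for field in quasi_ids)
        groups[key].append(rec["user"])
    return dict(groups)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group; k == 1 means at least one user is singled out."""
    groups = equivalence_classes(records, quasi_ids)
    return min(len(members) for members in groups.values()) if groups else 0


def singled_out(records, quasi_ids):
    """Users whose quasi-identifier combination is unique in the data set."""
    groups = equivalence_classes(records, quasi_ids)
    return sorted(user for members in groups.values() if len(members) == 1
                  for user in members)


def generalize(records, drop=(), year_band=None):
    """Crude stand-in for identifier removal: drop fields, coarsen birth year into bands."""
    out = []
    for rec in records:
        gen = {k: v for k, v in rec.items() if k not in drop}
        if year_band and "birth_year" in gen:
            lo = (gen["birth_year"] // year_band) * year_band
            gen["birth_year"] = f"{lo}-{lo + year_band - 1}"
        out.append(gen)
    return out


def remaining_quasi_ids(records):
    """After generalization, every stored field except the handle still counts."""
    return tuple(field for field in records[0] if field != "user")


if __name__ == "__main__":
    variants = [
        ("as stored", RECORDS),
        ("postal code removed", generalize(RECORDS, drop=("postal_code",))),
        ("postal code and blood type removed, birth year in 10-year bands",
         generalize(RECORDS, drop=("postal_code", "blood_type"), year_band=10)),
    ]
    for label, data in variants:
        qids = remaining_quasi_ids(data)
        print(f"{label}: k={k_anonymity(data, qids)}, singled out={singled_out(data, qids)}")
```

On the constructed rows, the data "as stored" has k=1 with three users singled out by postal code, birth year and blood type alone; dropping the postal code still leaves one user unique (the rare blood type), and only after also dropping blood type and banding the birth year does every combination cover at least two users. A real site would run this over its own fields, and note that the longitudinal answers the question describes add further quasi-identifiers the example does not model.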


I think this question should also be asked at the HealthcareIT SE site.

I believe that HIPAA only becomes relevant when you have a relationship with the user as a healthcare entity. That is, you become a covered entity (CE). Based on your description, and the following explanation, I believe you do NOT need HIPAA-compliance.

The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is

a health care provider that conducts certain transactions in electronic form (called here a "covered health care provider").

a health care clearinghouse.

a health plan.

An entity that is one or more of these types of entities is referred to as a "covered entity" in the Administrative Simplification regulations.

from the Centers for Medicare and Medicaid Services website. Unless you are building a website to extend physician services in an mHealth context, or to provide value-added services for a health insurer, you would not be required to be HIPAA-compliant.

In fact, I remember a discussion with a Microsoft HealthVault staff member who reported that their attorneys had determined they are in fact not a covered entity. But in order to pre-empt these questions and to demonstrate their seriousness, they moved to HIPAA compliance.

The second question is: are you a business associate (BA)? If you have a contractual relationship with a covered entity that requires you to handle protected health information, then you would be required to have HIPAA compliance. Under the new HITECH rules, requirements for business associates are substantially similar to those for covered entities.

Ming K
  • There's something I would like to correct you on: Microsoft HealthVault did not move to HIPAA compliance to demonstrate their seriousness. They moved to HIPAA compliance as it was not sure if they would be "legally safe" if they didn't. Microsoft HealthVault didn't want to go where UCLA and co. went. More and more "companies and institutions" start to see that Health Profiles are PII (Personally Identifying Information) since they are PHI (Personal Health Information) which deserves special handling... where HIPAA provides all the means and rules needed to handle such information correctly. – Dec 28 '11 at 18:14
    I agree with the need to better protect true PHI, and the move by large and small companies towards HIPAA compliance to play it safe. But this question of "do I have to" I assume is asking about legal requirement. And based on my interpretation of the law, this person does not. – Ming K Dec 30 '11 at 10:32
    Yes, he does. Remember he's talking about collecting "health profiles" AND the "email addresses" that go with them. The rule is simple: PHI + PII = HIPAA required. – Dec 31 '11 at 15:33