The HIPAA is a long and complex piece of legislation. All we can do is provide very high-level information. This checklist is meant to be a mere starting point to help you navigate HIPAA compliance. If you need to go any deeper, you must get a legal professional involved.
Also, keep in mind that HIPAA is not just about privacy. The law includes rules on security rules, portability rules, technical standards for electronic health records, and more. On its own, compliance with the Privacy Rule does not ensure compliance with the HIPAA as a whole. Don’t forget about all the rest!
- Does HIPAA apply to me?
- What information is covered by HIPAA?
- I am a covered entity; now what?
- I am a business associate/subcontractor; now what?
- Final Thoughts
Does HIPAA apply to me?
First of all, you need to figure out whether HIPAA covers your organization. This means that you need to figure out whether you are a covered entity, a business associate, or a subcontractor.
If you are none of those things, you don’t need to worry about HIPAA at all. But other rules on health data may still apply (for instance, the CCPA’s rules on sensitive data).
Is my organization or my customer a HIPAA-covered entity?
Covered entities (CEs) belong to three categories:
- healthcare providers. These are individuals, groups, or organizations providing medical services, care, equipment, or supplies as part of their usual business.
- health plans are individual, or group plans that provide or pay for medical care.
- healthcare clearinghouses are defined in a very complicated way, but in practical terms, they are usually intermediaries such as payment providers and added-value networks.
Please note that these legal definitions come with many exceptions. It’s impossible to sum them all up, so make sure to check § 160.103 in the consolidated text of the law.
Is my organization a business associate or subcontractor?
Business associates (BAs) also have obligations under the HIPAA and Privacy rules. A BA is someone who provides a covered entity with certain services and receives protected health information (PHI) from the covered entity.
Services provided by BAs include data analysis, processing, and administration. So the legal definition covers many intermediaries offering information society services such as web hosting and web analytics. The trickiest part in determining if you are a BA is assessing whether your customer is a HIPAA-covered entity (see the section above).
Please note that working for a covered entity and accessing PHI are cumulative requirements. If you do not receive PHI, then you are not a BA, regardless of who you work with. Likewise, if you process health information but are not CE and do not work with one, then you don’t need to worry about HIPAA (but other legislation, such as the CCPA, may apply to you).
The HIPAA also covers subcontractors who help BAs provide their service. You can think of a subcontractor as the business associate of a business associate.
What information is covered by HIPAA?
If you qualify as a certified entity/business associate/subcontractor, then you have certain obligations under HIPAA. But this does not mean that these obligations cover all the data you process! So the next step is figuring out what is PHI and what is not among the information you process.
Three cumulative criteria define protected health information:
- a. it is collected by a covered entity
- b. it relates to health
- c. it is personally identifiable
If any of these requirements are missing, then you are not processing PHI.
Let’s say a hospital offers medical professionals a seminar on a new and innovative treatment and advertises the seminar through its website. The website uses Google Analytics on the page for the seminar. Does this involve the disclosure of PHI?
Let’s break it down:
- a hospital is a healthcare provider,_ so requirement a is satisfied_
- Google Analytics collects data that qualifies as personally identifiable information under the HIPAA (cookie IDs and possibly IP, depending on settings and software version). Requirement c is satisfied
- the fact that someone wants to attend a seminar on the topic does not mean that they have the disease. In fact, the seminar is aimed at medical professionals who are likely to be professionally interested in the topic. Requirement b is NOT satisfied
In this case, no PHI is disclosed. But the answer could be different if the page provided information to the general public instead of promoting a seminar.
Bottom line is that figuring out what information is and is not PHI is not easy! All three requirements under HIPAA must be kept in mind.
But it is also very important! Attempting to be HIPAA compliant with regard to all the data you process will be incredibly burdensome for your organization. This is why it is crucial to determine what data falls under HIPAA and what does not.
Remember that if you are a BA, then all information you do not receive from a CE cannot, by definition, be PHI. On the other hand, just because you receive information from a CE does not, in and of itself, mean that it is PHI. Again, you need to examine each data category based on the HIPAA’s definition of PHI.
Regarding web analytics, the HHS’s website provides useful information about PHI disclosures. If you are still not 100% sure as to what PHI is and what is not, please seek legal advice- the answer is really important for compliance!
I am a covered entity; now what?
If you are a covered entity, then you need to comply with specific rules regarding the disclosure of PHI.
Some disclosures are always allowed because they are necessary to treat the patient or to ensure the functioning of the healthcare system as a whole. For instance, you can disclose a patient's electronic health record to their new hospital or forward the medical bills to their health insurance.
Any other disclosure requires written authorization from the patient. This is very important, as unauthorized disclosures are punishable under HIPAA!
The HIPAA includes detailed rules as to what constitutes written authorization. As a rule of thumb, the patient must be really free to decline the authorization. You are not allowed to deny healthcare services to a patient in order to extort authorization!
By the way, the HHS clarified that clicking “ok” on cookie banners and similar pop-ups does not count as giving written authorization. If you use an online service such as a web analytics service, you won’t be able to rely on pop-ups to collect consent.
Additionally, if you work with a BA, you need a business associate agreement (BAA). A BAA is a contract that tells a BA what it can and cannot do with PHI. A BAA contains standard clauses detailed by the US Department of Health and Human Services (you can learn more about these clauses here).
I am a business associate/subcontractor; now what?
If you are a BA or subcontractor, you must have a business associate agreement with your business associate/covered entity.
BAAs hold BAs and subcontractors to similar privacy and security standards as covered entities. So having a BAA in place is not just about signing some paperwork- you need to examine its content in detail and ensure you can comply with all its requirements. This includes responding to requests for information from patients and making certain documentation available.
If you sign a BAA, you are liable for any agreement violation. You should not offer to sign a BAA unless you are really sure that your organization can process information in compliance with HIPAA. This is why many services, including very large ones like Google Analytics, are unavailable to sign a BAA! If you are in doubt, you should consult a legal professional in order to avoid any liability under HIPAA.
Different HIPAA compliance certifications are available for service providers, and they can be an asset when negotiating contracts with covered entities. But be aware that no certification is legally recognized. A certification’s usefulness depends entirely on its recognition in the industry. You should do some research and consult a legal professional before spending money on certification.
Finally, it is worth noting that BAs and subcontractors usually have no direct relationship with patients. This means that you will not be able to rely on patient authorizations for disclosures.
Compliance always starts by asking the right questions, and compliance with HIPAA’s Privacy Rule is no different. Here are some useful steps you can go through:
- assess whether you are a covered entity, a business associate, a subcontractor, or none of the above
- figure out what data fall under HIPAA and what does not
- make sure that you comply with the Privacy Rule and the rules on disclosure limitation
- assess whether all the business associate agreements you need are in place (and make sure you can comply with them)
- (optional) Consider HIPAA certification from a reputable body
- don’t forget about all the other rules of HIPAA!
- don’t forget about other laws on health data! (CCPA, My Health My Data, etc.)
Again, HIPAA is a long and complex piece of legislation. This blog only contains very high-level information and is no substitute for the opinion of a qualified professional.
At the end of the day, compliance is not simple. So it’s worth asking yourself: do I really need to disclose this data? Maybe there are fully anonymized and privacy-friendly alternatives that can spare you a lot of compliance headaches.
Simple Analytics can be such a solution for your web analytics. We do not track visitors or collect any sensitive data. We only use IP addresses for communication; even this minimal disclosure can be avoided by proxying the address.
Simple Analytics can be easily implemented HIPAA-compliantly and requires no BAA. If this sounds good to you, feel free to give us a try!