Darshan: Today's recording is based on the idea that we should be discussing privacy more and we should be talking about what privacy means, and we should be talking about what the legal requirements are versus what is a good thing to do and what is smart to do.
Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast, with host, Darshan Kulkarni. You can find the show on Twitter, @DarshanTalks, or the shows website at darshantalks.com.
Darshan: When we think about it, again, we'll go back to our four major pillars of patient centricity. The four major pillars of patient centricity are transparency, number two is the congress of that, which is privacy. The third one is innovation, and the last one is access, i.e., patients want information. They want to make sure their information is private and controlled, and in a way that's not just being spread, that they have access to innovations and access to new and updated technologies. Finally, the most important part, which is being able to actually access those innovations in a transparent and private way. So, we're only talking about one aspect of it, which is the privacy aspect of it. When we start discussing that privacy aspect, the most common topic to come up is HIPA. It's important to recognize that when you're talking about HIPA, it's not just the only game in town. There are state laws that also have coverage for health information and privacy associated with that health information.
Darshan: It's also important to recognize that it's only relating to health, so there are non-HIPA laws that control the privacy associated with that information, the most famous of which right now is GDPR. There's also CCP and Like as well. The converse of that, which is just because something has health information, doesn't necessarily make it subject to HIPA, and that's actually really surprising to a lot of people. This was sort of interesting to me, because I started looking up some information around HIPA and I was surprised that IRB's and privacy boards can potentially waive the need for HIPA authorizations on cases. So, just because it is a health-based scenario and just because it may be even done in the context of a physician relationship, doesn't necessarily mean that HIPA is always applicable. A privacy board or an IRB may be be able to waive that requirement. The next thing to look at is the idea that the information is always unavailable. You have to recognize that if you're doing a study, the information should be the information that is being protected.
Darshan: If you're collecting that information, it has to be focused and it has to be responsive to the study itself. So, you can't just go willy-nilly collecting everything you wanted to collect, just because it would be interesting. So, let's take a step back and let's talk about why this came about. So, I had a discussion on Twitter a little bit ago around HIPA and how health tech companies manage HIPA versus what is actually required. I'm not going to name names or anything, quite honestly, because I don't even remember the names. It was just an interesting conversation and I thought that it's a valid conversation to have. So, HIPA, again, stands for the Health Insurance Portability and Accountability Act, off 1996. So, it's one of the first privacy laws that we think of and people therefor think that it's all encompassing, it's the broadest, it's the mother of all privacy laws. Just because it's the mother, doesn't mean it's the most encompassing. What HIPA was set up to do was provide the ability to transfer and continue health insurance coverage for millions of people.
Darshan: Surprisingly, it also was supposed to help control health fraud and help with managing industry wide standards of health information on electronic ability and other processes. So, the controls came around that. As it relates to privacy, there are other laws that do come into place as the common rule, the FDA itself has some controls around privacy associated with subject. They're limited, but they exist. Surprisingly, the OCR, with is the Office of Civil Rights, does have controls around it, HIPA being one of them. So, keep that in mind. The other piece around HIPA is the fact that it's not just one law, it's not just here's a list of things you need to do to comply with HIPA. They have the privacy rule and they have a security rule, and they're related, but they're not the same thing. So, people always go, "I have all these controls in place, therefor, I am HIPA compliant." No, that just means that you've potentially met a lot of the security requirements around HIPA, but are you taking all the right steps to maintain an individual's privacy? Those are the questions that started coming into place.
Darshan: So, what is HIPA? The general purpose of HIPA was the idea that if I go to a physician, go to a doctor, you want to have the information you share with your doctor to be private, and that makes sense. You don't want that doctor turning around and selling that information to the highest bidder in a way that compromises their identity. Now, here's an important question, important consideration. The idea that if you have information and that information does have HIPA components to it, or at least private components to it, the idea is that it will never get shared. No, you could theoretically be in a scenario where that information gets de-identified, and then it gets shared. That would actually be compliant with HIPA. There are also scenarios in which that information, even in an identified manner, can be shared, but then all the people associated with it would need to have appropriate controls in place. So, just recognize that just because something is subject to HIPA, doesn't mean that it can or cannot be shared.
Darshan: So, the next question is who is subject to HIPA? So, covered entities are subject to HIPA. So, what is a covered entity? Covered entities are health plans, healthcare providers, healthcare clearing houses, so your health insurance companies in the like. What is interesting to recognize in that is pharmaceutical companies are not a covered entity. Health tech companies are not a covered entity. So, if you are a pharmaceutical company or you are a health tech company, just because someone gives you data, doesn't necessarily mean that it's automatically covered under HIPA. The second piece of that is if you get the data from someone else, you may be subject to HIPA requirements because of your business associates agreement. So, that's your BAA that a lot of people signed. So, a lot of people assume that if you have health information, it is automatically protected health information, or PHI. Therefor, you require BAA.
Darshan: No, I could theoretically, and again, I'm not giving legal advice, create a website and say, "People, give me your health information." If they give me that health information on the website, if I'm not acting as a physician, that's not covered under HIPA. So, again, there are other laws that may take into place, things like GDPR, but as a general rule under HIPA, you aren't necessarily subject to HIPA. So, the most common misconceptions. This only applies to data directly or indirectly from covered entities. So, well, it's not a misconception. This only applies to data that came to you from a covered entity, so therefor, if the data did not come to you from a covered entity, like from a regular website, you would not be covered under HIPA. Just because it didn't come from a covered entity, doesn't mean your exempt.
Darshan: SO, it could've gone from a covered entity, like a doctor, to another person, to you, and you're probably in that chain, and therefor, will be covered under HIPA. Conversely, just because it's health information, doesn't mean it's not automatically protected, like that website example I just gave you. So, keep these scenarios in mind. If you need to, again, reach out to me, I'm happy to talk to you to explain what's on these situations you might be in, whether you need to be covered or don't. The next question to think about is, does that mean I'm safe? You've got CCP and GDPR, the Indian Privacy Act, that's being proposed, state laws, all of which could cover patient privacy.
Darshan: There are specific laws, for example, around disease states, like AIDS has state level laws that will say that you need to maintain certain privacy requirements that are different from the requirements for HIPA. So, keep that in mind. Can I be HIPA-certified? I see this a lot. I see people saying, "I'm dealing with this company and they're HIPA-certified." There's no such thing, you can't be HIPA-certified. I've worked with these organizations, they're reputable. What you get is basically a third-party vendor that says, "We will come examine your processes, we'll audit those processes, and we'll say that you meet these standards. So, this way, if you have 50 people who want to go look at your certification, they can just come to us, we'll share what our requirements are and we'll certify that you meet those requirements." That doesn't mean you're HIPA-certified, that just means that you meet the standards that this organization has, and those include HIPA.
Darshan: If OCR comes up, audits you, you can't go, "We have this documentation." That doesn't mean anything, it just means that you've tried to meet those standards. That might be helpful, but it's not the overarching argument. What about all these other certification agencies that I see? Does that mean I'm covered? Like we just expressed, it's part of the story, it's not the full story. There are more bits of information that they're trying to cover. If you're processing, for example, credit card information, there are other laws that come in. If you are just collecting information, willy-nilly, for a sales reason, there are other laws that come in, whether it's CCPR, GDPR, et cetera.
Darshan: So, stay tuned, listen in. If you have questions about HIPA, about high-tech, how it applies to you, feel free to reach out. Hopefully, I'll be able to provide some answers. Otherwise, I can find out those answers for you. Stay tuned.
Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast, with host, Darshan Kulkarni. You can find the show on Twitter, @DarshanTalks, or the show's website at darshantalks.com.