Approaching HIPAA Compliance Like a Golf Game

November 20, 2014

In order to prevail in golf, you need to know the nuances of the game. Likewise, physicians should know how to navigate HIPAA.

Anyone who has picked up a golf club can appreciate how challenging the game is. As a friend of mine, who happens to work for The Golf Channel reminded me, in order to prevail in golf you need to have a strategy; yet, be flexible enough to adapt to the conditions. One "condition" that has been emphasized in HIPAA compliance by the HHS is that the new round of audits will extend to business associates (BAs) as well as covered entities. Most practices anticipate HHS to come in; however, the FTC is also tasked with HIPAA violations.

A fundamental premise of HIPAA is the protection of sensitive health and billing information. The FTC is seeking assurances from Apple that "it will protect sensitive health data collected by its upcoming smart-watch and other mobile devices from being used without owners' consent." The emphasis here is gaining assurances from Apple that it will not sell the protected health information, which can include metadata, to third parties. These entities could include marketers or developers.

This should signal physicians to assess what their game strategy is in relation to their notice of privacy practices. The Final Rule modified PHI disclosure requirements. Section 164.520(b)(1)(ii)(E) to expand the requirements, including the need to obtain authorization in The Notice of Privacy Practices (NPP) when PHI will be released for marketing and subsidized treatment purposes. But, does even executing an expanded NPP give protection to a business associate such as Apple? Since the sale of PHI and other disclosures not included in the NPP need to be authorized in writing by the patient, it is highly unlikely.

A good place for physicians to start is to execute a Business Associate Agreement (BAA) with companies such as Apple. Clearly, an "app" and the companies that provide them do not qualify under the conduit exception. This means that HIPAA, the HITECH Act, and all subsequent regulations apply to them. Physicians should take the time to update their BAA to conform to the related sections of the Code of Federal Regulations (CFR), such as section 164.508(b)(5), which enables a patient to revoke a previous authorization.

In sum, physicians need to have a strategy. I recommend looking at HIPAA like a golfer would a hole on a golf course. Where are the hazards, what club do I need to use, what do I need to adapt to land the ball on the green, and what gear to I need to wear? For this area of HIPAA compliance, a hazard is an unauthorized disclosure and sales of information, the two key clubs are a specific BAA and revised NPP, and knowing with full disclosure that the weather could change by the patient revoking the disclosure. Keep a watch on what is going on nationally - the FTC and HHS websites are good places to start.