Protected Health Information (PHI) is health information about a patient that also contains identifiers like full names, phone numbers, email addresses, SSN, identification numbers, and many other data points that enable you to positively identify that individual. For this type of data, HIPAA provides a series of rules for maintaining the privacy and security of the data that Business Entities need to follow.
But what about other personal information that you collect about individuals in the course of running your practice? We are talking about the same type of information – names, phone numbers, email addresses, SSN, identification numbers. But the difference here is that these identifiers are not part of the patient’s PHI record set and do not contain any information relating to “an individual’s past, present, or future physical or mental health”. This data is generically referred to as Personally Identifiable Information (PII). It does not fall under the purview of HIPAA, but it also needs to be protected.
Protecting this information is the right thing to do and strong data privacy practices have been shown to build trust and loyalty with consumers. But beyond that, consumer data privacy regulations also exist in a handful of states including California, Colorado, Utah, Virginia, and Connecticut, and it isn’t stopping there. The data privacy landscape in the US and across the globe is changing at breakneck speeds. In fact, over the next two years, another seven states will have comprehensive data privacy regulations take effect – Oregon, Texas, Montana, Delaware, Iowa, Tennessee, and Indiana. These laws all provide rules to follow and spell out the rights granted to individuals around this type of data.
Although mostly the same, these regulations vary slightly from state to state. All of the current state data privacy laws have special “carve outs” for businesses that are subject to HIPAA. However, most of these laws exempt only the PHI that a business holds, and not the business as a whole. This means that consumer data privacy laws may need to be followed as well. The exception is the Virginia Consumer Data Privacy Act (CDPA), which appears to exempt the entire HIPAA Covered Entity.
Most comprehensive state privacy laws also have revenue and data collection thresholds that will determine whether your business is subject to these regulations. They are pretty high bars to clear, but some larger multi-location practices or groups could be caught up. And again, it is not a bad thing for your business to follow these regulations even if they don’t technically apply to you.
There are also other privacy laws in various states that could affect your practice. For instance, the California Online Privacy Protection Act (CalOPPA) applies if you operate a commercial website or online service that collects or maintains PII from a California resident. Your business doesn’t even have to be physically located in California for this to apply. Plus, there are no revenue or data collection thresholds to meet, and there are no HIPAA "carve outs".
Over the past few years, we’ve seen more and more HIPAA Covered Entities choosing to focus on protecting PII in addition to PHI. There are many hospitals, for instance, that have both a Website Privacy Notice to cover PII as well as the Notice of Privacy Practices (NPP) required by HIPAA. This is a trend that we expect will continue to expand to healthcare practices of all sizes. It is inexpensive to do, builds trust, and can give you a competitive advantage over other practices in your market.
留言