00:05
Adam Stofsky
Hey, this is Adam Stofsky from Briefly. I'm here with Thora Johnson, who is a health data guru. Thora, can you kind of tell us a bit about kind of who you are and what you do?
00:17
Thora Johnson
Hey, Adam, really nice to be here with you today. I am a partner in Orrick's cyber, privacy and data innovation group, and I focus exclusively on health data and in particular, health data privacy and security.
00:31
Adam Stofsky
So I'm going to ask you what I think is a pretty basic question. So I know because I've been to the doctor, that I have to sign these HIPAA notifications. So HIPAA is basically our federal health data privacy law. But can you kind of just give us the basics? What is this law? What does it do? Who needs to think about it? And, like, why is the acronym spelled in a really funny way?
00:56
Thora Johnson
No, no, the acronym is spelled correctly. But you're right, it is the only federal law that we have that governs general health data. And folks tend to think that it's a very broad law covering all health data, but in reality, it really only covers a very narrow slice of health data. In particular, it governs healthcare providers that bill electronically for their healthcare services, and it covers health plans. And then there are a few ancillary types of entities that it covers, but in particular, it's health plans and healthcare providers that bill electronically for their services.
01:41
Adam Stofsky
Right. So this is not a law that's like, it's a law that's about hospitals and, like, health insurance, basically. That's kind of what it's about. It's about telling these organizations you need to keep all your patients' health data private.
01:57
Thora Johnson
That's right. And when HIPAA was passed in 1996, that was the majority of health data. This idea of Fitbits and trackers that are collecting health information wasn't really a thing when HIPAA was passed.
02:13
Adam Stofsky
Right? They were like ten years too early.
02:16
Thora Johnson
Well, they were right at the time for the majority of health data, which was the traditional setting in the hospital, in your primary care physician's office, and then your health plans, which are paying for your health coverage. So it was right on the money in 1996.
02:35
Adam Stofsky
So what does HIPAA actually say? Like, what are the main rules that it creates?
02:41
Thora Johnson
So there are really three key pieces of HIPAA. There's the privacy rule, which governs uses and disclosures of health information. So when are you permitted to use a patient's health information? Then there is the security rule, which talks about how you keep that health information secure and safe. And then there's the third rule, which is breach notification, which is if there is an impermissible use or disclosure or a cyber attack and the confidentiality of the information is jeopardized, then there's a reporting regime to notify individuals so that they can protect themselves, like getting credit monitoring if their payment information was compromised, and also notifying the federal regulator about the incident.
03:31
Adam Stofsky
Okay, so the law, in other words, the law says, hey, hospital or health plan, you can't use this data for other things than, I guess, healthcare. Right. But you also have to keep it safe from other people trying to get it, so you can't abuse it and you can't allow others to get it. Is that kind of a crude summary?
03:50
Thora Johnson
It's really good. I mean, you can use health data in that patient setting or plan setting for treatment, payment, and healthcare operations, which is the vast majority of what hospitals and plans are doing. And then for everything else, you need an exception or the individual's authorization. So it's not meant to interrupt the day-to-day business of providers and health plans, but saying that if you're using it for any purposes outside the normal operations of a health plan or provider, you need the individual's permission. And then the security rule is saying you need to keep it, while you're holding that information, secure and confidential and protect it.
04:31
Adam Stofsky
Got it. Okay, so when I sign that, like, been-photocopied-15-times-over HIPAA notice in the doctor's office for the 85th time.
04:39
Thora Johnson
Yep.
04:40
Adam Stofsky
Sorry, it's just a thing with me. I don't know why I sign them over and over again, but am I.
04:44
Thora Johnson
They're mostly electronic now?
04:46
Adam Stofsky
I don't know. I live in the, I live in the country. We have some. I don't know. Anyway, so the, am I basically saying, hey, doctor, you're allowed to use my, what am I consenting to when I sign that form?
05:01
Thora Johnson
Really good question. You are acknowledging receipt of the provider's privacy notice, which is a disclosure document telling you how they're using your health information, which, generally speaking, is going to say, we can use your health information to treat you, which also would mean releasing your information potentially in a referral situation. We can use your information to process payments so we can share it with your health insurer or as necessary, to collect payment for the services that the provider is rendering. And then healthcare operations, which is really sort of back office admin purposes. So checking for fraud and abuse, proper business management. It's the back office. And then it is saying basically that for anything else, we need your permission, Adam, to use and disclose your health information.
05:58
Thora Johnson
And then it is importantly also telling you that you have a series of rights that are unique to HIPAA that say, hey, Adam, you have a right to see the health information we're creating and maintaining about you. You have a right to make amendments to it if you think it's incorrect. You have a right to get a listing of every place we've disclosed your information that's outside of treatment, payment and healthcare operations.
06:28
Adam Stofsky
Right. Okay, interesting. All right, one more question for this basic intro to HIPAA, and I want you to give a really kind of quick summary because we're gonna have more videos on this. So we've talked about hospitals and health plans.
06:42
Thora Johnson
Challenge accepted.
06:43
Adam Stofsky
Yeah, exactly. See how concisely you can explain this. Who else needs to worry about this? I know that, like, HR people need to think about it, or sometimes non-hospitals need to think about HIPAA. What is the universe of other people that need to know about this law? I think it's pretty broad. Right.
07:00
Thora Johnson
Well, I'm going to put it into two buckets for you. So let's stick with the health plans and healthcare providers. They don't do everything from soup to nuts for you, the patient. Right. They rely on their vendors. And if they share patient information with their vendors, then those vendors actually become subject to HIPAA and contractual obligations to the hospitals and the providers and the plans; they become what's known as business associates. So anyone providing services to covered entities under HIPAA also has obligations. That's one bucket. The second bucket really relates more to health plans and employers, large employers that self-fund their health plans. Those plans are actually subject to HIPAA and create PHI. And that HR department needs to worry about HIPAA compliance for that health plan. That's not good.
08:00
Adam Stofsky
Legalese alert. What's PHI?
08:02
Thora Johnson
Okay. Oh, so patient information in this context.
08:08
Adam Stofsky
Okay, great. Sorry, go on.
08:10
Thora Johnson
I have a whole discussion on PHI another day, but basically patient information.
08:15
Adam Stofsky
Okay, great. So then let me just kind of recap this back to you. There's like two universes of non-hospital or, well, health insurance companies that need to think about this. One is basically anyone selling to a hospital. Right. A vendor providing services. So they sort of become, they like, kind of inherit the HIPAA coverage, essentially, or the requirements of following HIPAA by entering into business with the hospital, getting that patient data. And the other bucket is any company that essentially has a health plan for its employees. They kind of become an insurer. Right. And they need to follow all these rules about privacy as well. Did I summarize that?
08:54
Thora Johnson
That's a little bit of an overstatement on that second bucket. It's a certain segment of employer health plans, but other than that, that's right. It's just not the entire universe.
09:02
Adam Stofsky
Right, right. Okay. I'm gonna say that's good enough for now. Wow. So you did it, Thora. Really good summary of this, like, pretty complex and important privacy law. Really appreciate it.
09:13
Thora Johnson
My pleasure.