What Can Health Organization Do With Patient Data Under HIPAA
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information.
Transcript

00:07
Adam Stofsky
So you've got HIPAA, which essentially protects personal health information possessed by health providers, hospitals, medical practices, and insurers. And then you have all these business associates. So, given that, what does HIPAA actually require them to do or not do?


00:28
Thora Johnson
So there are really three cornerstones to HIPAA: privacy, security, and breach notification. So if you're subject to HIPAA, either as a covered entity or a business associate, there are guardrails about the uses and disclosures of that individually identifiable health information, known as PHI. At its core, the Privacy Rule requires and permits the use of PHI for treatment, payment, and healthcare operations. And just about everything else requires the individual patient's authorization to use that data in another way.


01:05
Adam Stofsky
Got it. So I'm a hospital. I have tons of data that I'm getting from my patients. They come in, they have scheduling, they pay me, I have notes from whatever. So I can use that information for treatment decisions in an essentially unlimited way. But anything else, I need to get their permission. Like if I want to send them marketing emails or, I guess, do anything else. Right?


01:29
Thora Johnson
That's exactly right. So, treatment, payment, and healthcare operations, you don't need the individual's consent. If you are going to market to them third-party services? Right. There's nothing inherently wrong, Adam, and that's a really good point. Nothing inherently wrong with a healthcare provider marketing their own services and products. The problem would be if they were marketing a third-party product or service using their patients' individually identifiable information. And actually, it doesn't even need to be marketing. There is an enforcement action that was taken against a very small provider because they used their patient list to solicit patients for a political campaign. And that is not treatment, payment, or healthcare operations and definitely requires consent.


02:18
Adam Stofsky
Right. Wow. That's interesting. Seems a little inappropriate.


02:21
Thora Johnson
Right? And they got held accountable. But what's interesting there is certainly the provider didn't use any health information per se; it just used contact information. But the definition of what is PHI is so broad, it includes demographic information. In the hands of a provider or health plan, demographic information is exactly what you think: it's contact information. So the use of the patients' names and mailing addresses to solicit for the campaign was an impermissible use of PHI.

© 2024 Briefly