On Demand Library
Created in partnership with
What kinds of companies need to worry about health data?
3:45
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice, instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information. 
Overview of US Privacy Laws
GDPR - What kinds of data are protected?
Individual Rights in Data Privacy Law
GDPR vs. CCPA
Lifecycle of a Data Breach
Transcript

00:07
Adam Stofsky
Right. So, Tora, can you just walk us through all the different categories of companies that need to think about or worry about having or using personal health information? 


00:19
Thora Johnson
Adam, that's such a great question. And the answer to that today is actually different than it would have been six months ago. That's how quickly the area of health data is evolving. First and foremost, I worry about providers and health insurance plans. Those are traditionally governed by HIPAA, as well as any entity that actually supports those providers. And health insurance plans provide treatment and help with the healthcare operations of those entities. But that's just the inner core of who has to worry about health data. 


00:57
Adam Stofsky
What are those companies called? 


00:58
Thora Johnson
The providers and the health insurance companies are called covered entities. And then their service providers that help them with treatment, payment, and healthcare operations are called business associates. 


01:10
Adam Stofsky
Okay, so covered entities and business associates need to worry about HIPAA? 


01:15
Thora Johnson
That's right. And to be clear, just to anticipate one of your questions, Adam, a business associate does not need to be a company that traditionally thinks of themselves as being in the healthcare space. It's anybody that is helping those covered entities fulfill their treatment, payment, and healthcare operations. So it can be an accounting firm that is helping a provider's office manage their books. It can be a document shredding company. And those business associates may have lines of business that fall within the healthcare sphere and outside the healthcare sphere. 


01:47
Adam Stofsky
Okay, so what's next? We got HIPAA, covered entities, business associates. What's next? 


01:52
Thora Johnson
Well, the innermost sphere is your covered entities, then your business associates. And then if you come out from there, then we in the United States today have seen states that are adopting their own consumer privacy statutes and protections. And those states all categorize some form of health information as sensitive information and put some guardrails around the collection of that sensitive information, including health information. The definition of what health information is varies by state, and we can have a whole conversation about that. But that's the next sphere. And then what we've seen is we've now have three states with consumer health data privacy protections. So moving outside the sphere of HIPAA, moving outside the sphere of sensitive information that includes health information that requires consent. Now we're really seeing laser focus by three states on a broader category of health information. 


03:02
Thora Johnson
The most sweeping is the state of Washington. And it is bringing in to the fold companies that you wouldn't traditionally think of as being healthcare providers. So, anybody that is dispensing a pharmaceutical, which may be over the counter, so think your local retail store maybe swept into Washington's. My health, my data. So, it's a very expansive all companies today sitting in July of 2023 should be asking themselves, am I collecting health information under the patchwork of US. Federal and state privacy laws? 

PDFs
Audio
Share Video
Embed Video
© 2024 Briefly
Terms of Use
Privacy