Think all of your health information is automatically “protected health information”?
Many consumers assume that if information is related to their healthcare, then regulations surrounding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will require agencies to protect it. That’s true for “covered entities,” but some organizations that handle personal health information may not qualify as such.
According to the U.S Department of Health and Human Services (HHS), covered entities are one of the following:
- A healthcare provider
- A health plan
- A healthcare clearinghouse
In addition, any business associates that help a covered entity “carry out its health care activities and functions,” must also abide by HIPAA regulations.
But with an explosion of direct-to-consumer offerings, more people are sharing their health information directly with an array of vendors, who may not fall within these definitions—like companies that provide fitness apps.
To complicate matters more, regulations surrounding mobile apps and mobile devices may have different requirements, depending upon which definitions apply.
In an article for Health Info Security, Marianne Kolbasuk McGee writes about these complicated dynamics—which you can read about here: