I spoke at the HxRefactored
conference in Brooklyn this week. The title of my talk was Dancing with
HIPAA and it was intended as an introduction to health care data
privacy and security regulations, practical concerns and -- most
important -- practical solutions to privacy and security issues whether
subject to HIPAA or not. Many issues for this audience will be triggered
by data not gleaned from a health record maintained by a health care
provider or payor. Instead, such data may be released by an individual
(and therefore no longer covered by HIPAA) and mashed up with data feeds
from personal trackers and manually entered data, put through a health
behavior modification recommendation engine, and -- voila! -- behavior
change recommendations are delivered to an individual. In this context,
the health data is being held in a special-purpose PHR, not an EHR, so
HIPAA rules don't apply and therefore OCR enforcement should not be of
concern -- though the FTC breach notification rules do apply and, as we
know, the FTC asserts broad parallel jurisdiction to enforce HIPAA as well.
Here are my slides:
Embedded in the presentation is a fascinating web page posted by the Data Map at Harvard. (Shout out and thank you to Latanya Sweeney, on leave from Harvard to serve as CTO of the FTC. Hat tip to Jane Sarasohn-Kahn
for tweeting a link last week.) A screen shot from this site is used at
the top of this post. Digging deeper through this resource is a
fascinating and rewarding exercise. It describes itself as
"an online portal for documenting flows of personal data. It tells you
where your data goes. The goal is to produce a detailed description of
personal data flows in the United States. The effort started with health
data and is expanding to other kinds of personal data."
Check it out.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting