HIPAA: DBAs, Data, and the Law

With all of the hype around data being “the oil of the 21st century” and the rise of “the algorithm economy,” it seems reasonable to make it a priority to learn more about how laws affect our lives as DBAs. The first law that I have targeted is probably the best-known data law in the U.S.—HIPAA, the Health Insurance Portability and Accountability Act of 1996.

Similar to most major federal laws, HIPAA has many clauses and provisions, quite a few of which have little to do with data. Title II is the section that encompasses most of the important rules that apply to healthcare data: privacy, security, unique identifiers, and so forth, so I’ll discuss a variety of those issues here. The first thing to note about HIPAA is that it applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to the business associates that handle protected health information on their behalf.

Its main points, for our purposes are:

The Privacy Rule: This section of the law regulates how we can use or disclose protected health information (PHI). Not only does it apply to the organizations you’d expect, such as health insurers or medical service providers (the “covered entities”), but also to organizations that provide services to them involving PHI, such as data center hosting companies or lab companies. These independent organizations are called business associates, and their role in all of this is a big deal: since the 2013 Omnibus Rule they are directly liable under the law, not merely bound by contract. Any covered entity or business associate that inappropriately shares PHI has breached the law and is in serious trouble. Whenever that happens, everyone whose data was exposed must be notified, and so must HHS (and, for breaches affecting more than 500 residents of a state, the media). Call your lawyers. Counterintuitively, many people have the impression that these rules only matter for big breaches involving the data of thousands of people. Not so. The majority of breaches, and of the time spent on remediation, involve five or fewer patients.

The Security Rule: This section of the law deals specifically with electronic protected health information (ePHI) and requires three categories of safeguards: administrative, physical, and technical. The key word in that paraphrase is “electronic,” and it misleads many covered entities and business associates into thinking HIPAA does not govern written or oral communications. The Security Rule itself covers only ePHI, but the Privacy Rule covers PHI in every form. For example, the pacemaker vendor cannot shout patient information across the nurses’ station in a hospital’s cardiac care unit where others can hear it. Two other aspects of these rules are worth knowing: they are written in general, risk-based terms rather than as a checklist of required controls, and they are not meant to be followed so rigidly that a patient comes to harm. If your organization has not already dealt with these rules enough to have a thorough playbook, it is going to be frustrating. If that last point applies to you, again, call your lawyer.

The Unique Identifiers Rule: This section of the law requires covered entities to use the National Provider Identifier (NPI) in standard electronic transactions. Separately, if you happen to be working with big data projects, the Privacy Rule defines specific procedures to de-identify electronic medical records (EMRs) so that you can do analysis in aggregate, apply data science algorithms, and so forth. Once a record is de-identified by one of those procedures it is no longer PHI, which is precisely why the procedure has to be followed exactly.
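As an added example (not from the article): a minimal pass that applies the mechanically checkable parts of the Privacy Rule’s “Safe Harbor” de-identification method (45 CFR 164.514(b)(2)) to one patient row. The column names, the sample record, and the restricted-ZIP list below are assumptions made for illustration; the real list of three-digit ZIP codes that must be zeroed is published by HHS and changes with each census.

```python
"""Safe Harbor style de-identification of a single patient record.

Added example, not code from the original article. Safe Harbor removes
18 identifier categories; the ones that can be applied mechanically to
a row are handled here. Free-text scrubbing is only a first pass: real
clinical notes need NLP or human review before they count as de-identified.
"""
import re
from datetime import date

# Column names are an assumption for this example. Each is a direct
# identifier under Safe Harbor and is dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "email", "street", "city",
    "account_number", "health_plan_id", "device_serial", "ip_address",
}

# Date columns: only the year may survive.
DATE_COLUMNS = ("admit_date", "discharge_date")

# Three-digit ZIP prefixes covering <= 20,000 people must become "000".
# Placeholder subset for illustration; take the current list from HHS.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def generalize_zip(zip5: str) -> str:
    """Keep the first three digits unless the prefix is restricted."""
    zip3 = zip5.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - (
        (as_of.month, as_of.day) < (birth.month, birth.day)
    )


def scrub_free_text(text: str, patient_name: str) -> str:
    """Replace phone/SSN/email patterns and the patient's own name tokens."""
    text = PHONE_RE.sub("[PHONE]", text)
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    for token in patient_name.replace(".", " ").split():
        if len(token) > 1:  # skip single-letter initials
            text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))

    if "birth_date" in out:
        birth = date.fromisoformat(out.pop("birth_date"))
        age = age_on(birth, as_of)
        if age >= 90:
            # Ages over 89 are aggregated, and the birth year would reveal
            # the age, so it is suppressed too.
            out["age"] = "90+"
            out["birth_year"] = None
        else:
            out["age"] = age
            out["birth_year"] = birth.year

    for col in DATE_COLUMNS:
        if col in out:
            out[col.replace("_date", "_year")] = date.fromisoformat(out.pop(col)).year

    if "note" in out:
        out["note"] = scrub_free_text(out["note"], record.get("name", ""))
    return out


# Constructed sample row; every value is fictitious.
SAMPLE = {
    "mrn": "000123456",
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "phone": "919-555-0100",
    "email": "jane@example.com",
    "street": "1 Main St",
    "city": "Winston-Salem",
    "state": "NC",
    "zip": "27101",
    "birth_date": "1924-04-17",
    "admit_date": "2016-02-03",
    "diagnosis": "I10",
    "note": "Pt Jane Public, call 919-555-0100 re follow-up",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2016, 6, 1)))
```

Note what survives: state, the three-digit ZIP, the diagnosis code, the years, and a scrubbed note. The age-over-89 branch is the one most often missed in practice, because keeping the birth year alone re-identifies the oldest patients in a dataset. The alternative to Safe Harbor, “expert determination,” is a statistical argument rather than a column transform and is not something a script can claim on its own.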

When the law was passed, enforcement of its provisions was not immediate. In fact, enforcement was quite lax through the mid-2000s. That changed with the HITECH Act of 2009, passed as part of the Obama-era stimulus: it funded a large push to accelerate the adoption of EMRs, and it also raised the penalties, extended the rules directly to business associates, and added the breach notification requirement.

Today, on the other hand, breaches can result in big fines or other corrective actions. Investigations commonly start with complaints, but may also come from occasional random audits of covered entities or business associates. Are you a remote consulting DBA to a healthcare practice of five doctors? Then, yes, you might be audited. The most common complaints involve impermissible use or disclosure of PHI, a lack of safeguards for PHI, and patients being unable to access their own records.

One final note, however, is that the U.S. Department of Health and Human Services (HHS) takes “attitude” into account. If covered entities or business associates were making a documented good-faith effort to stay in compliance with the law and merely messed up on interpretation or conduct, they’ll receive much better treatment than those shown to be simply negligent, ignorant, or apathetic.

Learn More

I recently conducted a webinar with Jill Girardeaux, an attorney with Womble Carlyle specializing in HIPAA issues. You can watch the video of the webinar online; the landing page also lists a variety of useful and helpful links to HIPAA information provided by HHS.