I spoke at the HxRefactored conference in Brooklyn this week. The title of my talk was Dancing with HIPAA and it was intended as an introduction to health care data privacy and security regulations, practical concerns and — most important — practical solutions to privacy and security issues whether subject to HIPAA or not. Many issues for this audience will be triggered by data not gleaned from a health record maintained by a health care provider or payor. Instead, such data may be released by an individual (and therefore no longer covered by HIPAA) and mashed up with data feeds from personal trackers and manually inputted data, put through a health behavior modification recommendation engine, and — voila! — behavior change recommendations are delivered to an individual. In this context, the health data is being held in a special-purpose PHR, not an EHR, so HIPAA rules don't apply and therefore OCR enforcement should not be of concern — though the FTC breach notification rules apply and, as we know, the FTC asserts broad parallel jurisdiction to enforce HIPAA as well.
Here are my slides:
Embedded in the presentation is a fascinating web page posted by the Data Map at Harvard. (Shout out and thank you to Latanya Sweeney, on leave from Harvard to serve at CTO of the FTC. Hat tip to Jane Sarasohn-Kahn for tweeting a link last week.) A screen shot from this site is used at the top of this post. Digging deeper through this resource is a fascinating and rewarding exercise. It describes itself as
an online portal for documenting flows of personal data. It tells you where your data goes. The goal is to produce a detailed description of personal data flows in the United States. The effort started with health data and is expanding to other kinds of personal data.
Check it out.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
