HIPAA Compliance and Proprietary Platforms

HIPAA compliance means meeting the regulatory standards that the US Department of Health and Human Services (HHS) issues under the Health Insurance Portability and Accountability Act of 1996.

HIPAA’s Privacy Rule sets national standards for the protection of individually identifiable health information held by covered entities, including health care providers who conduct standard health care transactions electronically. The Security Rule, issued in 2003, sets national standards for protecting the confidentiality, integrity and availability of electronic protected health information (ePHI).

HIPAA’s Privacy Rule protects all “individually identifiable health information”, which it calls Protected Health Information (PHI). Individually identifiable health information is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

An important consequence is that the Privacy Rule places no restrictions on the use or disclosure of de-identified health information. De-identified health information is PHI that has been subject to either:

“(1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.” [1]

At Kuva, we contest the premise that de-identified health information can safely be shared, and we are sceptical of the idea that anonymised information cannot be re-identified. Even if HIPAA’s premises and assumptions are accepted at face value, however, they imply that health information which has not been de-identified should never be shared or discussed online on anything less than a completely private communications platform. That includes online health consultations with clients.

HIPAA compliance and proprietary platforms

As with the UK’s DTAC for health and social care, there is no official, HHS-mandated HIPAA certification or accreditation. HIPAA is a set of regulatory standards for privacy and security, not a certification scheme and not a set of technical standards to implement. A company that claims to be “HIPAA certified” has either passed a third-party organisation’s HIPAA compliance programme or has decided for itself that it satisfies HIPAA’s standards:

“The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going process. A HIPAA certified company may have passed a third-party organization’s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.”

So when a company claims HIPAA compliance, it means that the company, or a third party on its behalf, has judged its product to be compliant with the HIPAA regulations. For example, when Zoom states that it enables HIPAA compliance, it means that Zoom has described the ways its platform supports HIPAA compliance according to its own interpretation of the HIPAA standards (see Zoom’s HIPAA Compliance Datasheet: https://zoom.us/docs/doc/Zoom-hipaa.pdf, accessed 05/07/2021).

A company may fail to remain HIPAA compliant because the technologies it uses, or the ways in which it uses them, change; because its business objectives, procedures or policies change; or because the HIPAA regulations themselves change. [2]

Kuva and HIPAA

Kuva’s interpretation of privacy is more stringent than that of other platforms that consider themselves HIPAA compliant. In Kuva’s view, HIPAA compliance requires that a communications platform has no access to the unencrypted records of health providers’ clients, or to any identifying information at all; that it does not collect or store identifying data (such as IP addresses, the content of conversations, or video recordings); and that it does not use clients’ data for targeted advertising. Kuva does not collect, store or sell data. Our systems generate only the data needed to perform their core functions, and that data is destroyed as soon as it is no longer needed.

[1] Source: US Government, HHS website. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html Accessed 05/07/2021.

[2] Source: HIPAA Journal. https://www.hipaajournal.com/what-is-hipaa-certification/ Accessed 05/07/2021.