When is data collected for research PHI covered by HIPAA and when is it not?

On June 1, 2018, an OCR ALJ decision imposed civil monetary penalties against the University of Texas MD Anderson Cancer Center for data that was on two lost thumb drives and a stolen laptop. MD Anderson had challenged the original determination by OCR that the data was improperly accessed, used or disclosed. They also appear to have put forth an argument that the data was research information and therefore not subject to HIPAA. The ALJ’s decision indicated the information was ePHI subject to HIPAA. Could there be an instance where individually identifiable health information created or received for a research project at an academic medical center is not PHI? Absolutely, but it generally depends on the legal status of the entity creating, maintaining or receiving the data.

In fact, the same data about the same patient/subject held by different components of the same legal entity could potentially be covered by HIPAA in the hands of one component and not covered by HIPAA in the hands of another component. If the entity meets the definition of a covered entity under HIPAA, generally any individually identifiable health information created, maintained or received by the entity is considered PHI. One exception is if the organization has declared itself as a hybrid entity. Under the hybrid designation, the organization must identify what functions, business units or other components are within its health care component and thus covered by the HIPAA regulations. The remaining business units and components would be considered outside the covered component and not subject to HIPAA.

If the organization designates research outside the healthcare component, then the data held for purposes of the research project in the business unit that is outside of the healthcare component would not be PHI. However, this can get tricky. If the researcher enrolls a subject and has a screening or other diagnostic test performed on the subject and that service is performed by the covered component, then the subject’s individually identifiable information in the hands of the covered component would be PHI. This would also be true of any data collected by the covered component in the normal course of treating the patient/subject the researcher may wish to access. Once the data is disclosed to the researcher under an authorization or other HIPAA exception, the data would no longer be PHI in the hands of the researcher. So, the exact same data has a different status as it relates to HIPAA.

The question of whether individually identifiable health information is PHI is not related to the reason for which it was created, maintained or received but rather to the nature of the entity that creates, maintains or receives it. If the entity is a covered entity or the health care component of a hybrid entity under HIPAA, the data is PHI. A single legal entity that engages in covered functions under HIPAA but also engages in other activity that would not be considered covered functions can designate itself as a hybrid entity under HIPAA. But if the entity elects not to make this designation or designates research as inside the healthcare component, then any individually identifiable health information the organization holds is PHI.

It appears from the ALJ’s decision that MD Anderson did not make such a designation. The ALJ specifically references the regulatory section of HIPAA that discusses the hybrid entity designation. However, interestingly, the ALJ also stated, “I make no findings regarding whether Respondent could have availed itself of this option and exempt certain ePHI from non-disclosure requirements. Suffice it today that Respondent does not argue it made any effort to do so.”

This finding is just one example of why it is important to try to ensure an organization is clear on its status under HIPAA. If the organization is a covered entity with both covered and non-covered components, the designation of hybrid status must clearly state what is in and what is out. In addition, workforce members must be trained regarding the status of various business units and functions because the same data can potentially have a different status depending on where it is held. It could be easy to run afoul of the HIPAA regulations if this is not clearly understood.

Another consideration is to simply engage in good privacy and security practices. Even if the data is not protected by HIPAA, if any component of an organization is maintaining, creating or receiving information such as an individual’s name, social security number, and treatment information, there should be protections for the data. While getting data outside the clutches of HIPAA might help an organization avoid HIPAA civil monetary penalties, that does not avoid potential state law issues or the court of public opinion.

June 25th, 2018

About the Author:

Marti Arvin
Marti Arvin brings more than three decades of operational and executive leadership experience in the fields of compliance, research and regulatory oversight in academic medical and traditional hospital care settings to her position at CynergisTek. She was most recently the Vice President and Chief Ethics and Compliance Officer for Regional Care Hospital System and before that Vice President and Chief Compliance Officer at UCLA Health System and the David Geffen School of Medicine.