HIPAA For HealthTech

DarshanTalks Podcast - A podcast by Darshan Kulkarni

Darshan: Today's recording is based on the idea that we should be discussing privacy more and we should be talking about what privacy means, and we should be talking about what the legal requirements are versus what is a good thing to do and what is smart to do.

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter, @DarshanTalks, or the show's website at darshantalks.com.

Darshan: When we think about it, again, we'll go back to our four major pillars of patient centricity. The four major pillars of patient centricity are transparency; number two is the converse of that, which is privacy. The third one is innovation, and the last one is access, i.e., patients want information. They want to make sure their information is private and controlled, and in a way that's not just being spread, that they have access to innovations and access to new and updated technologies. Finally, the most important part, which is being able to actually access those innovations in a transparent and private way. So, we're only talking about one aspect of it, which is the privacy aspect of it. When we start discussing that privacy aspect, the most common topic to come up is HIPAA. It's important to recognize that when you're talking about HIPAA, it's not just the only game in town. There are state laws that also have coverage for health information and privacy associated with that health information.

Darshan: It's also important to recognize that it's only relating to health, so there are non-HIPAA laws that control the privacy associated with that information, the most famous of which right now is GDPR. There's also CCPA and the like as well. The converse of that, which is just because something has health information, doesn't necessarily make it subject to HIPAA, and that's actually really surprising to a lot of people.

This was sort of interesting to me, because I started looking up some information around HIPAA and I was surprised that IRBs and privacy boards can potentially waive the need for HIPAA authorizations in cases. So, just because it is a health-based scenario and just because it may even be done in the context of a physician relationship, doesn't necessarily mean that HIPAA is always applicable. A privacy board or an IRB may be able to waive that requirement. The next thing to look at is the idea that the information is always unavailable. You have to recognize that if you're doing a study, the information should be the information that is being protected.

Darshan: If you're collecting that information, it has to be focused and it has to be responsive to the study itself. So, you can't just go willy-nilly collecting everything you wanted to collect, just because it would be interesting. So, let's take a step back and let's talk about why this came about. So, I had a discussion on Twitter a little bit ago around HIPAA and how health tech companies manage HIPAA versus what is actually required. I'm not going to name names or anything, quite honestly, because I don't even remember the names. It was just an interesting conversation and I thought that it's a valid conversation to have. So, HIPAA, again, stands for the Health Insurance Portability and Accountability Act of 1996. So, it's one of the first privacy laws that we think of, and people therefore think that it's all-encompassing, it's the broadest, it's the mother of all privacy laws. Just because it's the mother, doesn't mean it's the most encompassing. What HIPAA was set up to do was provide the ability to transfer and continue health insurance coverage for millions of people.

Darshan: Surprisingly, it also was supposed to help control health fraud and help with managing industry-wide standards of health ...