Why HIPAA matters even if you’re not a “covered entity”
The HIPAA privacy rule only applies to "covered entities." This generally means insurance plans, healthcare clearinghouses, and medical providers. If your company is using heath information but isn't a covered entity per the HIPAA statute, there are a couple reasons you might still need to pay attention to HIPAA [1].
The first is that state laws may be broader than federal laws. For example, the Texas Medical Records Privacy Act extends the definition of covered entity to any business "assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." So even if the US government does not consider your business to be a covered entity, the State of Texas might.
The second is that more recent privacy laws look to HIPAA. For example, it's not clear yet what exactly California's new privacy legislation CCPA will mean in practice, even though the law went into effect at the beginning of the year. Because HIPAA is well established and guidance documentation, companies needing to comply with CCPA are looking to HIPAA for precedent.
The connection between CCPA and HIPAA may be formalized into more than an analogy. There is a proposed amendment to CCPA that would introduce HIPAA-like expert determination for CCPA.
If you would like to discuss HIPAA deidentification or data privacy more generally, let's talk.
More on HIPAA- Expert determination
- Why does Safe Harbor prohibit dates of service?
- Three-digit zip codes and data privacy
[1] I advise lawyers on statistical matters, but I am not a lawyer. Nothing here should be considered legal advice. Ask your legal counsel if you need to comply with HIPAA, or with state laws analogous to HIPAA.