Patient Foundations and Registries: Privacy Included?

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

Patient foundations are organizations that seek to bring together groups of individuals around a common theme. The theme could be a particular disease, advocacy, pharmaceutical, or any other concept where alignment would be beneficial. Part of a foundation's work may be collecting information about the participating individuals into a registry, information that could theoretically be used to advance positive impacts around the central focus of the registry.

Status of the Foundation

What is the status of a patient foundation when it comes to coverage of privacy regulations, with the primary regulation to consider being HIPAA? The typical answer will be a complete disconnect. The usual patient foundation is organized to represent groups of individuals. The foundation could be independently created by individuals of like mind or sponsored by another organization (oftentimes the sponsor can be a pharmaceutical company, which creates a host of issues outside of privacy).

Thinking about the corporate structure of the foundation, will it qualify as a covered entity or business associate under HIPAA? For a quick refresher, a covered entity is a health plan, a healthcare provider (that electronically bills), or a healthcare clearinghouse. Does a foundation fit any of those definitions? No, which means the foundation is highly unlikely to be a covered entity.

Turning to the business associate definition, a business associate is an entity that interacts with protected health information for or on behalf of a covered entity, which involves providing a service to the covered entity. Again, a foundation is unlikely to qualify as a business associate because it is an organization designed to benefit the participating individuals, not to provide services to a covered entity.

As the quick breakdown demonstrates, the patient foundation will more often than not fall outside the coverage of HIPAA. That means the privacy regulations under HIPAA will not apply to the foundation or any of the data collected by the foundation.

Foundation Patient Registries

Before considering the impact on data collected by foundations, let’s first consider what data are being collected. For many foundations, the data collected are for patient registries. In the case of most foundations, the registry is composed of self-reported data. Being self-reported means the data are collected by the individuals from their own devices or manually entered and then compiled in a single location. The data may not necessarily be clinically valid or otherwise trustworthy for clinical purposes. Given the vague definition of the registry, there is no guarantee that the registry will contribute to any defined purpose or outcome.

In some instances, a foundation may claim that the registry is “HIPAA certified” or “HIPAA compliant.” Either statement should be taken with more than a few grains of salt. First, HIPAA certification does not exist, so any statement or assertion in that regard should be wholly disregarded. Leaving that aside, any statement about the application of HIPAA to the registry is completely voluntary if the foundation is not subject to HIPAA. If application of HIPAA is voluntary, then the foundation can modify its stance at any time and individuals may not be able to exercise the rights afforded by HIPAA. All of those considerations should be more clearly stated to avoid creating misplaced impressions and misaligned expectations.

Another consequence of HIPAA likely not being applicable is what happens in the event of a data breach. If HIPAA does not apply, then notification will not be mandated either to the impacted individuals or to the Office for Civil Rights. As the piling up of issues hopefully demonstrates, just saying HIPAA applies can create false expectations and uncertain outcomes.

Possible Fallout

What happens if a foundation claims that its registry is run in accordance with HIPAA protections and that turns out not to be true? If the statements are deceptive, then they could be viewed as false or misleading and subject to enforcement by the Federal Trade Commission. As with any potential agency enforcement, though, any result could take a long time to come, if it comes at all. Negative publicity could be an outcome, but that is likely little consolation if an exposure or misuse of the data occurs.

The Takeaways

The key takeaway from this discussion is that, as with so many things in the world, an assertion about privacy should not be taken at face value. While patient foundations and the patient registries they operate can provide value or benefit, a full understanding of how the registry operates should be obtained before participating. Even where intentions are good, the foundation may be missing the full set of facts or understanding that would better inform its operations and interactions.

Acknowledgment: The idea for this post came from a reader and I want to offer a thank you for raising the concern. It is always interesting to learn about new areas of the healthcare industry and the interplay of patient foundations and registries was no exception.

This article was originally published on The Pulse blog and is republished here with permission.