Redefining Identifiable Data

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

HIPAA provides guidelines to establish the permissible use of an individual’s personal health information (PHI). Seems pretty straightforward for the most part. And it was – for the most part. Until we start to dig a little deeper and look at the resources that are now in play (which were not 20+ years ago when HIPAA was created) when it comes to healthcare, artificial intelligence, and big data.

The Relationships
Artificial intelligence (AI) is providing the health care industry with a fast-paced growth market and opportunities that cannot even be fathomed. These products and relationships come in many forms but often have the same objective, and that is to align the goals of the healthcare industry investors and reduce medical costs for the patient. To do that, they gather records from big data companies that have been collecting the information across endless platforms that we as consumers use. You might be thinking that you “opt-out” and aren’t going to be a candidate. But what about the diet app that you use, the frequent shopper card, or the online surveys that you take? These are all collecting separate pieces of information on you, which perhaps at first consideration might seem irrelevant. That data can’t link to you specifically in any detrimental or valuable way. But – when this data is assembled and combined in the right way, it can be invaluable. And if it ends up in the wrong hands, it can paint a clear picture of you, your habits, your medical conditions, etc.

The question from here is, when do those individual components become HIPAA protected? If they stand alone, they are possibly not identifying any one individual, and therefore not in need of protection, but when put together with the other information, they can target you specifically without much doubt. And the insight they can provide is incredibly detailed.

For example, if Google is selling the analytics from your phone in regard to your location, which shows you at the doctor’s office on a specific day, combined with your grocery or pharmacy frequent shopper card transaction of your prescription purchase of that same day, and then further combined with your smartwatch heart rate and exercise pattern…well, one could consider that not only identifiable but also quite valuable. This collective insight can be used to learn the habits of individuals with certain health ailments – that are pulled from the doctor visit, combined with the prescription pickup. And how those individuals are identifying risk factors with diet and exercise habits – data pulled from different sources with your frequent shopper card and your smartwatch health app. It isn’t that this data is dangerous to your identity as a single record, it is the fact that could be considered identifiable when combined. So, at which point does it merit HIPAA protection?

There are not straightforward answers today. But with opportunity will come exploitation and unfortunately, it’s no secret that many HIPAA regulations are outdated and do not coincide with today’s technology or threat landscape. While we hope to see some new regulations or clarifications regarding the protection of data that could be combined to identify an individual, we’ll have to wait and see how this plays out.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.

Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. Over 90% of breaches get caused by human error according to Kaspersky Lab, and if you’re not educating users HOW to protect your organization in this ever-changing threat landscape, your organization could be next. LEARN MORE