Privacy of health information is receiving a significant spotlight as a result of big technology companies moving into the healthcare industry. While Amazon and Microsoft seem to slip past many headlines, Google is not in the same boat. Various arrangements between Google and systems including the Mayo Clinic, University of Chicago, and Ascension draw concern and fears of Google just taking multitudes of personal information about thousands or millions of individuals. Is the use and obtaining of data inconsistent with regulatory requirements, or is there a permissible basis? Despite the most common statement being that Google is stepping around HIPAA, the most likely answer is that Google (and really many other technology based vendors) can receive the data as a business associate.
Google offers a good example in light of the still newly revealed work with Ascension. As confirmed by Google, Ascension is shifting its infrastructure to private environments maintained by Google, using Google productivity tools (the professional G-Suite is mostly HIPAA compliant), and extending tools designed to help improve clinical quality. Not unsurprisingly, one of the expected outcomes from these efforts is to enhance revenue, which means enabling Ascension to make more money.
In the performance of those services, Ascension is necessarily shifting what likely amounts to all (or nearly) all of its patient data onto Google maintained platforms and servers. Per reports (which no attempt has been made to verify), all of these efforts were done without notifying physicians and other clinicians or patients. The combination of Google and no notice then resulted in a firestorm of statements questioning why Google could take all of the patient data and wild statements that HIPAA was being violated left and right.
Are the statements about violations true? Most likely no.
Why is HIPAA probably not being violated? The answer lies in understanding (at least to some degree) the scope of permissible uses under HIPAA. It is true that two of the more commonly discussed components of HIPAA are the Privacy Rule and the Security Rule. In the context of use and disclosure, the Privacy Rule is the applicable rule. In governing the use and disclosure of protected health information, HIPAA allows covered entities (remember health care providers and health plans) to use and disclose protected health information without consent or notice for treatment, payment, and healthcare operations purposes (45 C.F.R. § 164.506). The uses and disclosures include providing protected health information to business associates to assist with permissible categories.
The category most applicable to the Google (and most technology company) examples is healthcare operations. As a brief side note though, business associates can receive protected health information because a business associate is performing a service or function for or on behalf of the covered entity. Arguably requiring permission to be obtained before information could be sent to a subcontractor would interfere with smooth business operations. The relationship is not without protection though. Any entity qualifying as a business associate is required by regulation and contract to comply with pretty much the entire HIPAA Security Rule and most aspect of the Privacy Rule. If non-compliance occurs, then that would be grounds for terminating the relationship and depending upon the nature of the issue, investigation and remediation by OCR or any other agency that can enforce HIPAA.
Getting back to healthcare operations, it is a term broadly defined within HIPAA. Specifically, the definition states as follows: “Healthcare operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Except as prohibited under § 164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.” (Definition of health care operations at 45 C.F.R. § 164.501)
As the definition demonstrates, healthcare operations covers a broad array of activities that go into the running of a business. Thinking about Google and Ascension, operations could include quality assessment and improvement, business planning, and many other issues. Disclosure of protected health information for a vendor to perform those functions is clearly allowed under HIPAA.
Aside from a services agreement covering the scope of what will be performed, the other primary requirement is a business associate agreement (“BAA”). The terms of a BAA are mostly dictated by the HIPAA regulations, which can be summarized (as already done above) as pushing down most compliance obligations to the business associate.
The discussion does focus on a business associate using the protected health information entrusted to it for the benefit of the covered entity (or entities) that it is working with. A business associate cannot necessarily turnaround and independently commercialize the data, such as by selling it or using it for marketing. However, a business associate could aggregate the data with other protected health information that it holds for purposes of further enhancing the services that it provides. Such use does not translate to carte blanche use, but it can be expansive.
The one area for attention though is the ability to de-identify protected health information. The Privacy Rule sets out two methods by which data can be de-identified (45 C.F.R. § 164.514(a, b, and c). If data are appropriately de-identified, then HIPAA no longer applies. However, what may no longer be an academic argument is whether data can truly be de-identified given the plethora that exists and the variety of sets that can be combined to re-identify information that was previously believed to be completed de-identified. That is a real concern, but not one that can be readily answered. Arguably, that line of thinking hints at a gap in HIPAA as opposed to an instance of non-compliance.
While arrangements between healthcare organizations and technology companies should be done carefully, the mere existence of a relationship is not a sign of a violation or other non-compliance. As such, names and false perceptions can be deceiving.
Matthew Fisher, a partner at Mirick O’Connell and chair of firm’s Health Law Group, specializes in HIPAA and data privacy.