Health Insurance Portability & Accountability Act (HIPAA) of 1996
Please refer to Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/. “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.”
HIPAA governance only applies to three types of Covered Entities:
Emergency Contact Data does not meet the legal / government definition of any of the above Covered Entities. Nor does Emergency Contact Data sell or manage, collect or process any payment(s) relative to any type of healthcare and / or insurance plan.
Health Insurance Portability & Accountability Act (HIPAA) of 1996; Disclaimer
Individuals and businesses are encouraged to review the Health Insurance Portability and Accountability Act (HIPAA) that was passed by Congress in 1996.
HIPAA Privacy Rule
The United States Department of Health and Human Services (HHS) published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of COVERED ENTITIES: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.
Emergency Contact Data is not one of the three types of COVERED ENTITIES and is therefore exempt from and not governed by the HIPAA Privacy Rule.
Protected Health Information (PHI)
To understand the possible impact of the Privacy Rule on their work, researchers will need to understand what individually identifiable health information is and is not protected under the Rule. With certain exceptions, the Privacy Rule protects a certain type of individually identifiable health information, created or maintained by COVERED ENTITIES and their business associates acting for the covered entity. This information is known as “protected health information” or PHI.
The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a COVERED ENTITY or its business associates acting for the COVERED ENTITY that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). Neither the individual nor Emergency Contact Data is a covered entity.
Information Management
Emergency Contact Data is a system of blank templates that an individual will voluntarily post information to. The posted information is known and controlled by the individual. Emergency Contact Data is similar to a paper note an individual would carry in their wallet or purse that has information like their blood type on it that an individual wishes to be known in case of a medical event.
Emergency Contact Data does not enter or manage the information within an individual’s profile or cause the information to be accessed or transmitted. The individual Emergency Contact Data member is storing his or her information on the templates within his or her private Emergency Contact Data account. The individual’s information has never left the control of the individual; therefore, the individual creates the information, stores the information in his or her account and then provides his or her own access points to his or her own information. The individual causes the information to be accessed and used to manage his or her care.
Emergency Contact Data Notifications to Medical Personnel
The note below is the first thing first responders or ER personnel see when visiting the Emergency Contact Data page that will display the member’s data.
Note to Emergency Responder: A person’s legally protected right to create and publicize their own health data is not subject to HIPAA and PHI guidelines. This individual or this individual’s guardian entered the information presented in their Emergency Profile for its use in treatment rendered by first responders.
By way of agreement with Emergency Contact Data, this individual or this individual’s guardian gives their permission for the use of this data. This website acts only to facilitate the presentation of information by its enrollees who have sole responsibility for the accuracy of posted information. In the Terms and Conditions Agreement we include HIPAA release language that covers Emergency Contact Data relative to HIPAA governance.
In summary, the Emergency Contact Data member agrees to have his / her information stored and displayed via the terms of the Membership Agreement. Since Emergency Contact Data only stores information that belongs to an individual, neither the storage nor the facilitation of data is governed by the HIPAA Privacy Rule, as neither Emergency Contact Data nor the individual is a COVERED ENTITY governed by HIPAA.
HIPAA does not control or limit an individual’s right as to what an individual can or cannot do with information that is owned and controlled by the individual. If HIPAA could govern what the individual does with his / her own medical knowledge about himself or herself, an individual could not wear a diabetic bracelet or carry a piece of paper in their wallet that displays their blood type. The Emergency Contact Data members are exercising their freedom of speech right under the First Amendment to the Constitution.
Is speech on the Internet entitled to as much protection as speech in more traditional media?
Yes, the U.S. Supreme Court ruled in Reno v. ACLU (1997) that speech on the Internet receives the highest level of First Amendment protection. The Supreme Court explained that “our cases provide no basis for qualifying the level of First Amendment scrutiny that should be applied to this medium.”