Health Insurance Portability & Accountability Act (HIPAA) of 1996
Please refer to Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/. “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.”
HIPAA governance only applies to three types of Covered Entities:
Healthcare providers who transmit any health information electronically in connection with certain transactions
Healthcare clearinghouses are public or private entities, including a billing services, re-pricing companies, community health management information systems or community health information systems, and “value-added” networks and switches, that does either of the following functions:
Emergency Contact Data does not meet the legal / government definition of any of the above Covered Entities. Nor does Emergency Contact Data sell or manage, collect or process any payment(s) relative to any type of healthcare and / or insurance plan.
Health Insurance Portability & Accountability Act (HIPAA) of 1996; Disclaimer
Individuals and businesses are encouraged to review the Health Insurance Portability and Accountability Act (HIPAA) that was passed by Congress in 1996.
HIPAA Privacy Rule
The United States Department of Health and Human Services (HHS) published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of COVERED ENTITIES: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.
Emergency Contact Data is not one of the three types of COVERED ENTITIES and is therefore exempt from and not governed by the HIPAA Privacy Rule.
Protected Health Information (PHI)
To understand the possible impact of the Privacy Rule on their work, researchers will need to understand what individually, identifiable health information is and is not protected under the Rule. With certain exceptions, the Privacy Rule protects a certain type of individually identifiable health information, created or maintained by COVERED ENTITIES and their business associates acting for the covered entity. This information is known as “protected health information” or PHI.
The key to understanding what HIPAA governs is to be clear on the definition of a COVERED ENTITY and the definition of PHI. For information to be PHI it has to be created or maintained by one of the three COVERED ENTITIES. ECD does not create or maintain the information that an individual posts to his account. The individual posts and stores non-PHI information in his account that he manages and controls. Neither the ECD Member nor ECD creates, stores or possesses PHI.
The information provided to ECD is owned by an adult who voluntarily posts information to his own account controlled by himself. The posting party voluntarily accesses the blank, ECD templates that he chooses to use. ECD does not direct the posting party to post any information. All information posted to ECD is voluntary. The ownership and management of the information is never transferred to ECD. The information is managed by the ECD member in accordance with the ECD Membership Agreement, which is read and electronically acknowledged prior to an adult becoming an ECD member. The individual entering the information is not a COVERED ENTITY that is governed by the HIPAA Privacy Rule and the information is not Protected Health Information (PHI) and ECD is not a COVERED ENTITY governed by HIPAA.
Note: Think of ECD as a blank, paper form for organizing one’s medical history. In this case, the potential ECD member requests and uses the form provided by ECD. The form is provided by ECD. The individual voluntarily creates his or her medical history on the form and then places the form in his account for future utility. The individual creates and / or maintains his information. What the individual does with form and the information is totally under the purview of the individual.
The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a COVERED ENTITY or its business associates acting for the COVERED ENTITY that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). Neither the individual nor ECD is a covered entity.
ECD is a system of blank templates that an individual will voluntarily post information to. The posted information is known and controlled by the individual. ECD is similar to a paper note an individual would carry in their wallet or purse that has information like their blood type on it that an individual wishes to be known in case of a medical event.
ECD does not enter or manage the information within an individual’s profile or cause the information to be accessed or transmitted. The individual ECD member is storing his or her information on the templates within their private ECD account. The individual’s information has never left the control of the individual; therefore the individual creates the information, stores the information in his account and then provides his own access points to his own information. The individual causes the information to be accessed and used to manage his or her care.
ECD Notifications to Medical Personnel
The note below is the first thing first responders or ER personnel see when visiting the ECD page that will display the member’s data.
Note to Emergency Responder: A person’s legally protected right to create and publicize their own health data is not subject to HIPAA and PHI guidelines. This individual or this individual’s guardian entered the information presented in their Emergency Profile for its use in treatment rendered by first responders.
By way of agreement with ECD, this individual or this individual’s guardian gives their permission for the use of this data. This website acts only to facilitate the presentation of information by its enrollees who have sole responsibility for the accuracy of posted information.
In Summary the ECD member agrees to have his / her information stored and displayed via the terms of the Membership Agreement. Since ECD only stores information that belongs to an individual, the storage nor the facilitation of data is governed by the HIPAA Privacy Rule, as neither ECD nor the individual is a COVERED ENTITY governed by HIPAA.
HIPAA does not control or limit an individual’s right as to what an individual can or cannot do with information that is owned and controlled by the individual. If HIPAA could govern what the individual does with his / her own, medical knowledge about himself an individual could not wear a diabetic bracelet or carry a piece of paper in their wallet that displays their blood type. The ECD members are exercising their freedom of speech right under the First Amendment to the Constitution.
Is speech on the Internet entitled to as much protection as speech in more traditional media?
Yes, the U.S. Supreme Court ruled in Reno v. ACLU (1997) that speech on the Internet receives the highest level of First Amendment protection. The Supreme Court explained that “our cases provide no basis for qualifying the level of First Amendment scrutiny that should be applied to this medium.”