-
HIPAA Disclaimer
Health Insurance Portability & Accountability Act (HIPAA) of 1996
Please refer to Individuals’ Right under HIPAA to Access their Health Information 45 CFR ยง 164.524 at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/. “Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being.”
HIPAA governance only applies to three types of Covered Entities:
- Healthcare providers who transmit any health information electronically in connection with certain transactions
- Health plans
- Healthcare clearinghouses are public or private entities, including a billing services, re-pricing companies, community health management information systems or community health information systems, and “value-added” networks and switches, that does either of the following functions:
- Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
- Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Emergency Contact Data does not meet the legal / government definition of any of the above Covered Entities. Nor does Emergency Contact Data sell or manage, collect or process any payment(s) relative to any type of healthcare and / or insurance plan.
Health Insurance Portability & Accountability Act (HIPAA) of 1996; Disclaimer
Individuals and businesses are encouraged to review the Health Insurance Portability and Accountability Act (HIPAA) that was passed by Congress in 1996.
HIPAA Privacy Rule
The United States Department of Health and Human Services (HHS) published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of COVERED ENTITIES: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.
Emergency Contact Data is not one of the three types of COVERED ENTITIES and is therefore exempt from and not governed by the HIPAA Privacy Rule.
Protected Health Information (PHI)
To understand the possible impact of the Privacy Rule on their work, researchers will need to understand what individually, identifiable health information is and is not protected under the Rule. With certain exceptions, the Privacy Rule protects a certain type of individually identifiable health information, created or maintained by COVERED ENTITIES and their business associates acting for the covered entity. This information is known as “protected health information” or PHI.
- The key to understanding what HIPAA governs is to be clear on the definition of a COVERED ENTITY and the definition of PHI. For information to be PHI it has to be created or maintained by one of the three COVERED ENTITIES. Emergency Contact Data does not create or maintain the information that an individual posts to his account. The individual posts and stores non-PHI information in his account that he manages and controls. Neither the Emergency Contact Data Member nor Emergency Contact Data creates, stores or possesses PHI.
- The information provided to Emergency Contact Data is owned by an adult who voluntarily posts information to his own account controlled by himself. The posting party voluntarily accesses the blank, Emergency Contact Data templates that he chooses to use. Emergency Contact Data does not direct the posting party to post any information. All information posted to Emergency Contact Data is voluntary. The ownership and management of the information is never transferred to Emergency Contact Data. The information is managed by the Emergency Contact Data member in accordance with the Emergency Contact Data Membership Agreement, which is read and electronically acknowledged prior to an adult becoming an Emergency Contact Data member. The individual entering the information is not a COVERED ENTITY that is governed by the HIPAA Privacy Rule and the information is not Protected Health Information (PHI) and Emergency Contact Data is not a COVERED ENTITY governed by HIPAA.
- Note: Think of Emergency Contact Data as a blank, paper form for organizing one’s medical history. In this case, the potential Emergency Contact Data member requests and uses the form provided by Emergency Contact Data. The form is provided by Emergency Contact Data. The individual voluntarily creates his or her medical history on the form and then places the form in his account for future utility. The individual creates and / or maintains his information. What the individual does with form and the information is totally under the purview of the individual.
The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a COVERED ENTITY or its business associates acting for the COVERED ENTITY that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). Neither the individual nor Emergency Contact Data is a covered entity.
Information Management
Emergency Contact Data is a system of blank templates that an individual will voluntarily post information to. The posted information is known and controlled by the individual. Emergency Contact Data is similar to a paper note an individual would carry in their wallet or purse that has information like their blood type on it that an individual wishes to be known in case of a medical event.
Emergency Contact Data does not enter or manage the information within an individual’s profile or cause the information to be accessed or transmitted. The individual Emergency Contact Data member is storing his or her information on the templates within their private Emergency Contact Data account. The individual’s information has never left the control of the individual; therefore the individual creates the information, stores the information in his account and then provides his own access points to his own information. The individual causes the information to be accessed and used to manage his or her care.
Emergency Contact Data Notifications to Medical Personnel
The note below is the first thing first responders or ER personnel see when visiting the Emergency Contact Data page that will display the member’s data.
Note to Emergency Responder: A person’s legally protected right to create and publicize their own health data is not subject to HIPAA and PHI guidelines. This individual or this individual’s guardian entered the information presented in their Emergency Profile for its use in treatment rendered by first responders.
By way of agreement with Emergency Contact Data, this individual or this individual’s guardian gives their permission for the use of this data. This website acts only to facilitate the presentation of information by its enrollees who have sole responsibility for the accuracy of posted information. In the Terms and Conditions Agreement we include HIPAA release language that covers Emergency Contact Data relative to HIPAA governance.
In Summary the Emergency Contact Data member agrees to have his / her information stored and displayed via the terms of the Membership Agreement. Since Emergency Contact Data only stores information that belongs to an individual, the storage nor the facilitation of data is governed by the HIPAA Privacy Rule, as neither Emergency Contact Data nor the individual is a COVERED ENTITY governed by HIPAA.
HIPAA does not control or limit an individual’s right as to what an individual can or cannot do with information that is owned and controlled by the individual. If HIPAA could govern what the individual does with his / her own, medical knowledge about himself an individual could not wear a diabetic bracelet or carry a piece of paper in their wallet that displays their blood type. The Emergency Contact Data members are exercising their freedom of speech right under the First Amendment to the Constitution.
Is speech on the Internet entitled to as much protection as speech in more traditional media?
Yes, the U.S. Supreme Court ruled in Reno v. ACLU (1997) that speech on the Internet receives the highest level of First Amendment protection. The Supreme Court explained that “our cases provide no basis for qualifying the level of First Amendment scrutiny that should be applied to this medium.”