16 Sep 2021


Data analytics hold promise for improving healthcare, but the interests of data protection officers must also be taken into account. Added to this tension are uncertainties about how HIPAA can limit or allow the use of protected health information in data analytics, where large providers that can offer such services have access to that information through their relationships with relevant companies. Additional OCR guidelines in this area in particular would be a welcome development. In the meantime, data analytics companies should carefully consider how they structure their activities from a HIPAA perspective, and relevant companies should also carefully consider the extent to which they allow their trading partners to use protected health information for these purposes.

As regards what it means to have "routine access" to [PHI] for the purpose of determining which types of data transmission services are counterparties as opposed to simple channels, such a determination will be specific to the facts, depending on the type of services provided and the extent to which the undertaking needs access to [PHI] in order to provide the service to the undertaking concerned. The conduit exception is narrow and is intended to exclude only companies that offer pure courier services, such as the U.S. Postal Service or the United Parcel Service and their electronic equivalents, such as Internet Service Providers (ISPs) that provide data transmission services. As mentioned in the previous instructions, a conduit carries information but does not access it, except by chance or rarely, where this is necessary for the provision of the transport service or as required by other laws. For example, a telecommunications company may have occasional and random access to [PHI] when it verifies that data transmitted over its network arrives at its intended destination. Such occasional and random access to [PHI] would not qualify the undertaking as a business partner.

In contrast, an entity that needs access to [PHI] to run a covered entity service, for example a health information organisation that manages the exchange of [PHI] through a network on behalf of the entities collected through the use of data lessor services for its subscribers (and other services), is not considered a channel and is therefore not excluded from the definition of counterparty.
