HIPAA related question below: I'm starting a non-profit focused on providing wishes to kids with cancer. Their profiles will be online and it will include their first name, diagnosis, and what hospital they are being treated at. Do I have to be HIPAA compliant if I'm taking in just that information? What HIPAA issues do I have to be worried about if I'm working with hospitals to take in that information?
Optional Information: Country relating to Question: United States; State (if USA): New Jersey
Good evening! I can help you out with your legal question tonight. Yes, you cannot disclose what their diagnosis is without first obtaining a HIPAA consent form executed by each.
Not only can you and your non-profit get penalized for violating HIPAA, but also the hospital that you are working with to get that information.
Here is a sample form you can base your release on:
http://www.state.nj.us/treasury/pensions/epbam/exhibits/pdf/mi0827.pdf
Good evening to you as well. I'm not entirely clear - the patient's parents will be filling out the form online so the information would be coming directly from them (and not the hospital). Do I still have to be compliant then? Do I have to have an electronic consent form for them to agree to post the information (first name + diagnosis) on the internet so donors can review and donate accordingly?
Yes, you still need to be compliant. So if they are filling out the information online, you can build in a waiver to the online form.
Yes, you should do an electronic consent form so that you protect yourself.
Thank you.
You are very welcome and good luck with your project. Have a good night and please accept so that I can continue to help others.
Did you have any other questions?
Thanks but I'm not sure how gathering the first name and the diagnosis is considered identifiable information? I don't think I'd be considered a "covered entity" either, correct?
The only "entity" that you could fit into, is the "healthcare clearinghouse." While you have an argument that you don't fall into it, a Plaintiff has an argument that you do. Especially if they show you have any communication with a hospital as you stated in your question.
I agree with you though, you probably won't be considered a covered entity, but lawyers expect the worst (that you will be sued for HIPAA violations) and hope for the best.
The diagnosis is the private information, not so much the name, although there have been cases where the names of the patients are also protected.
The diagnosis is indeed private but you can't identify the person with just the first name, correct?
The law just says names are XXXXXXXXX, XX it could mean either first or second.
Again though, these are all arguments, but the clearer and more precautions you take now, the less likely litigation will be in the future.
It's still not clear if I'm legally required or if having HIPAA "like" compliance is advised - such a distinction will make a big difference for my non-profit. HIPAA mentions that it has to be identifiable information or a basket of information that leads the patient to be identifiable.
Yes, identifiable information can be a first name. A good example of this is if a co-worker tells his/her boss that he/she is going to the hospital for a child's treatment. The co-worker could then go to your site and hospital and see what the diagnosis is or whatever information you put on the site. While only a first name is XXXX, XXXX would have a great argument that you violated their privacy and the judge would likely rule against you.
If you get information from hospitals they could try and lump you into being a covered entity, but I personally don't think you are a covered entity at all.
But the whole job for an attorney is to tell you the risks. I'm saying that while I don't think HIPAA controls you, an argument could be made that it does if you get information from hospitals and/or use patients' names.
Thank you. I don't see an "accept" button - I'm satisfied with the answer so let me know what I need to do.
Experience: Over 12 years of business and legal experience.