One HIPAA manual, four major gaps

I was given a HIPAA compliance policy manual and asked to review it, propose revisions, and explain my reasoning. The manual belonged to NAIPTA, the Northern Arizona Intergovernmental Public Transportation Authority, and was adopted in April 2017. While it demonstrates a solid foundational commitment to HIPAA compliance, it is now nearly a decade old. It was last updated April 19, 2017. Almost eight years have passed, during which the HHS Office for Civil Rights has issued updated guidance, the 2013 Omnibus Rule has been in full effect, and proposed modifications to the HIPAA Privacy Rule were introduced in 2021. None of that was reflected in this manual. ...

March 1, 2026 · 3 min

When a Name Reveals Too Much

A court case about a patient’s roommate ended up teaching me more about privacy than I expected. The case was Rogers v. NYU Hospitals Center. A hospital released the name of a patient’s roommate, and someone questioned whether this violated HIPAA. The name came up during a legal proceeding, and the patient argued it should have been protected. The court disagreed, noting that the name alone did not reveal any medical diagnosis or treatment. A wide range of rehabilitative services were offered at Rusk Institute of Rehabilitation Medicine, so knowing someone was there didn’t tell you anything about their condition. A name by itself wasn’t protected health information in this situation. ...

January 18, 2026 · 2 min