惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
C
CXSECURITY Database RSS Feed - CXSecurity.com
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Security Archives - TechRepublic
Security Archives - TechRepublic
Google Online Security Blog
Google Online Security Blog
D
Docker
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
GbyAI
GbyAI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
Security Latest
Security Latest
AI
AI
I
InfoQ
Google DeepMind News
Google DeepMind News
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Scott Helme
Scott Helme
N
News | PayPal Newsroom
Y
Y Combinator Blog
V
Visual Studio Blog
Latest news
Latest news
大猫的无限游戏
大猫的无限游戏
Microsoft Security Blog
Microsoft Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
V
Vulnerabilities – Threatpost
C
Cyber Attacks, Cyber Crime and Cyber Security
TaoSecurity Blog
TaoSecurity Blog
S
Security @ Cisco Blogs
D
DataBreaches.Net
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
N
Netflix TechBlog - Medium
T
Troy Hunt's Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
H
Heimdal Security Blog
美团技术团队
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security Affairs
T
Threat Research - Cisco Blogs
Webroot Blog
Webroot Blog
G
Google Developers Blog
aimingoo的专栏
aimingoo的专栏

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
What is PHI under HIPAA?
Carlo Cilent · 2023-07-19 · via Blog of Simple Analytics

The 1996 Health Insurance Portability and Accountability Act (HIPAA) is complicated. Its consolidated text is over one hundred pages long and covers many topics. Of course, privacy is one of them, but not the only one- there are rules on technical standards for health records, rights to data portability, and so on.

Because the text is so complicated, it can be hard to understand some of the basic rules laid out in the HIPAA. This includes the very definition of protected health information (PHI). We are here to help.

  1. What is PHI?
  2. How is PHI defined?
    1. The first requirement: health information
    2. The second requirement: relating to an identified individual
    3. The third requirement: collected by a HIPAA-covered entity
  3. Why does it matter?
    1. Does the HIPAA matter for web analytics?
  4. Final Thoughts

Michelin chose Simple AnalyticsJoin them

What is PHI?

Protected health information - typically called PHI- is exactly what it says on the tin: health information protected under HIPAA.

This might seem trivial, but it isn't. The HIPAA is a sector-focused law that regulates healthcare providers and intermediaries such as payment providers. It tells these entities what they can and cannot do with medical information but does not provide general protection for medical data, which means that other entities can process such information without being bound to the HIPAA.

In other words, HIPAA only applies to certain data and companies. This is reflected in the very complicated way PHI is legally defined.

How is PHI defined?

The definition of PHI combines three distinct and cumulative requirements:

  • it relates to the health conditions of an individual or the provision of health care (= it is health information)
  • it relates to an identifiable individual (= it is personally identifiable information- PII for short)
  • it is created by a healthcare provider or another entity covered by the HIPAA

The first requirement: health information

HIPAA only covers information related to an individual's health conditions or the provision of healthcare. For instance, this could be a diagnosis of a disease, a medical treatment that has been provided, or the fact that an appointment with a medical professional has been booked.

The second requirement: relating to an identified individual

All PHI is identifiable information. That is to say: it directly identifies an individual or can be reasonably used to identify them. This means it includes identifiers such as name, address, email, or unique identifiers (such as those often found in tracking cookies).

The third requirement: collected by a HIPAA-covered entity

Data only fall under HIPAA when collected by an entity that is itself covered by the law. As counterintuitive as it is, the exact same information can be PHI or not, depending on where they come from.

So who is covered by HIPAA?

  • healthcare providers such as hospitals, individual practitioners, and pharmacies
  • health insurance plans
  • health data clearinghouses- that is, intermediaries for health data. This can sometimes include payment providers as well

Why does it matter?

The HIPAA contains a set of rules collectively called the Privacy Rule. These rules provide privacy and security standards regarding PHI, including strict disclosure limitations.

The rules on disclosure limitation are quite complex, but to grossly simplify:

  • HIPAA-covered entities can always disclose PHI when this is needed to provide care, for the functioning of the healthcare system, or in other specific scenarios (for instance, because a law requires them to do so)
  • all other disclosures require written authorization from the subject.

For instance, a hospital can forward treatment information to your insurance plan for billing purposes or send it to your new hospital so that medical professionals can better evaluate further treatment. On the other hand, they cannot sell your data to data brokers or disclose it to a third party for marketing purposes unless you authorize them to do so.

Understanding what data are and are not PHI is crucial. If you are covered by HIPAA, this does not mean that all the data you control is PHI! So the first step to complying with HIPAA is understanding exactly to which data the PHI does and does not apply.

For instance, hospitals need to process personally identifiable information about their employees to pay wages- but the HIPAA does not cover these data because they are not related to health care.

Not all cases are clear-cut, but the same rules apply all the time: information is only PHI if it is personally identifiable, relates to health or health care, and was collected by an entity covered by the HIPAA.

Does the HIPAA matter for web analytics?

Yes, it does. Web analytics services that rely on cookies and other tracking mechanisms can result in the unintended disclosure of PHI, for which a HIPAA-covered entity can be held liable. The HHS also clearly states that cookie banners do not count as a valid authorization under HIPAA.

This does not mean that you cannot implement tracking-based analytics tools in a HIPAA-compliant way. You can still do it if you carefully evaluate the content of your web pages and turn off any form of tracking wherever it could result in an unauthorized disclosure of PHI.

But this is burdensome, requires some degree of legal expertise, and may result in numerous pages of your website being excluded from your analytics entirely.

Final Thoughts

It’s important to understand whether or not you are covered by HIPAA and dealing with PHI. If you are, you must take the right steps to comply, which also affects business practices like website tracking.

Why do we care? We built Simple Analytics just for this reason. It's a privacy-friendly Google Analytics alternative that exclusively relies on non-personal data to provide you with all the insights you need about the performance of your websites and marketing campaigns.

We believe in a privacy-friendly Internet and do not use cookies, fingerprinting, or other tracking technology to spy on your visitors.

If you also believe in a privacy-friendly Internet, or if you are simply tired of dealing with the HIPAA and its compliance headaches, then feel free to give us a try!