[IP] definitive comment on Are Google/MSFT bound by HIPAA?

[David Farber <dave@farber.net>]

________________________________________
From: Joseph M. Saul [jmsaul@ctconsultancy.com]
Sent: Saturday, February 23, 2008 10:11 AM
To: David Farber
Cc: ip
Subject: Re: [IP] Are Google/MSFT bound by HIPAA?

On Sat, 23 Feb 2008, David Farber wrote:

> Can anyone in IP shed light on whether 3rd parties who hold personal
> medical information (such as Google or Microsoft) are bound by HIPAA's
> privacy and disclosure guidelines?

I'm not in IP, I'm in health care compliance at a large academic health
system.  HIPAA is a large part of my job; I know it extremely well.
The HIPAA Privacy Rule regulates only certain types of organizations
involved in health care, which it terms "covered entities".  They include
health care providers, health care payors, and health transaction
clearinghouses.  There are additional restrictions, but they aren't
relevant here.

When those organizations have to provide protected health information to
a non-covered entity like a technology company (e.g. Siemens), they are
required to make the outside company sign a "Business Associate Agreement"
in which they pledge to protect the data to (essentially) the same
standards, tell the covered entity about security breaches, etc.  The
outside company is still not bound by the HIPAA Privacy Rule, but it has
had similar standards applied to it by contract.

The upshot is that Google and Microsoft, not being "covered entities,"
are absolutely *not* bound by HIPAA.  If they have signed a Business
Associate Agreement with a covered entity, they may be bound by that
agreement to apply similar standards to that entity's data in the context
of that engagement, but that's as close as it gets.

Feel free to contact me offlist if you want to discuss this in more
detail.

   -- Joe Saul, J.D.

-------------------------------------------