[ Wednesday, April 27, 2016 ]
Jeff [3:15 PM]
Sorry, @HHSOCR, this FAQ
is a thousand times wrong. NOTHING in HIPAA prevents a covered entity from allowing a media company from accessing PHI, as long as the use or disclosure in connection with that access is permitted by HIPAA. And nothing at all prohibits a covered entity (or a media company working on its behalf) from disclosing truly de-identified PHI (which, by definition, IS NOT PHI!!).
You can argue about whether it's truly de-identified; that's a fair argument. But there is no such blanket prohibition in HIPAA to support the statements in the FAQ.
Of course, you could draft a regulation to just that. But that requires actually following the law and the Administrative Procedures Act, publishing a proposed regulation, soliciting, receiving, and considering public comment, and publishing a final regulation. Sure, it's more work than firing off an FAQ. But it's the law. It's the way law is made.
Executive fiat is anathema to the American concept of government. Stop it.
Blogger: HIPAA Blog - Edit your Template