[ Thursday, July 21, 2016 ]
Breaking News: Entities not covered by HIPAA have privacy and security gaps
Jeff [10:40 AM]
. Well, duh.
HIPAA isn't intended to be some European-style data rights law that grants everyone specific rights in their own data and the right to demand that third parties, with which they may have no direct relationship and which otherwise owe them no specific duties, either limit their uses/disclosures of that data or provide minimum levels of security and protection to that data. Frankly, that's not how the data rights structure of American law works, and not how it should work. Have you seen what lawyers have done with the Illinois biometric privacy law so far? Imagine what they would do if every person entity who might legitimately come across personal information had a duty to protect it? Consider this: if you have a phone book in your house and it's not locked up, you aren't protecting the identifiable information in it; if there was a law applicable to you that required you to protect it, anyone whose name is in that phone book could sue you. That's crazy; and that's why you have no general obligation to protect that data, and only have an obligation if there's some specific contractual or other relationship, duty, or applicable law.
So it's understandable that, while HIPAA requires certain restrictions and levels of protection from covered entities (and, both directly and indirectly, from business associates), it doesn't require the same level from "non-covered entities."
Update: Here's another article
, and here's a copy
of the HHS report on NCEs.
Blogger: HIPAA Blog - Edit your Template