What's HIPAA?

There are a small number of privacy laws that fill the business world with great anxiety because of the tremendous burden it puts on people to be fully compliant and the dangers of non-compliance. One splendid example that you'll read about every week in the business press is Sarbanes-Oxley (which I've also written about here: What is Sarbanes-Oxley?)

Another of these regulations is HIPAA, aka the Health Insurance Portability and Accountability Act of 1996, which ostensibly focuses on health insurance, but is really much more about the critical importance of privacy for any online medical information. Personally, it's a really good law because there's little that I think should be more private and hard to dig up than personal medical information.

As you might expect, the U.S. Government has a ton of information about HIPAA online, including an entire site from the Department of Health and Human Services's Office for Civil Rights - HIPAA, where they explain that:

"A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. "

Now, does your online discussion weblog therefore mean that you too are subject to HIPAA regulations? I don't think so. According to their information on who must comply with HIPAA standards? you're not affected:

"As required by Congress in HIPAA, the Privacy Rule covers:

• Health plans
• Health care clearinghouses
• Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

"These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits."

I'm certainly not a lawyer and you shouldn't make legal decisions based on my interpretation of the HIPAA laws, but it does seem to me that you're clear in that regard.

However, you do have some potential privacy issues on your weblog nonetheless. It's not about HIPAA, it's about privacy overall, and I would strongly encourage you to create some sort of privacy policy that requires anyone who participates in your site to respect the need for patient confidentiality and agree not to violate that privacy or even reference patients with sufficient detail that a skilled investigator could track a comment back to a specific patient.

If there are a couple of nurses who are particularly explicit in their commentary you might also email them and let them know of your concerns in this regard.

But HIPAA? No, I think you're probably clear in that regard.

Good luck to you!