HIPAA, PHI and Anonymized data

What is PHI: Definitions

Let me start by explaining what Protected Health Information (PHI) under HIPAA really means. It's any piece of information in a medical record or related to health that can identify an individual. This information could be anything from a name and address to a birth date or Social Security Number, created, used, or disclosed while providing health care services, like diagnosis or treatment. We don’t collect any of the data mentioned in the act and we don’t provide diagnosis or treatment using our screening tools. We have doctors in the system which woks outside the HeHealth app which don’t have access to any HeHealth information.  

What is Anonymization:

I'll talk about the anonymization process. It's about removing or altering personal information to ensure that a data subject cannot be readily identified. The HIPAA Privacy Rule is clear on this; data that has been de-identified is not considered PHI because it doesn't identify an individual or give a reasonable basis to identify them. Our system was engineered in a way, by choice. We don’t collect the PHI so it’s been anonymized from ground up.

Referencing HIPAA De-identification Standards:

HIPAA provides two main methods for the de-identification of PHI: the Expert Determination Method and the Safe Harbor Method. The Expert Determination Method requires a formal determination by a qualified expert that there's a very small risk of re-identification. The Safe Harbor Method involves removing specific identifiers and ensuring that the information left cannot be used, alone or with other information, to identify an individual. We follow the second method but to start with we don’t collect any Personalized information.

Stressing the Importance of Anonymization:

I must emphasize as a scientist, the critical role anonymized data plays in research, public health, and policy-making, all without compromising individual privacy. Once data is effectively anonymized and cannot be re-identified to an individual, it moves beyond the reach of HIPAA regulations.

Answering the arguments raised:

First and foremost, most of the arguments raised based on the fact that we collect PHIs but we don’t, so they are not applicable to us.

I understand the concerns about the potential for anonymized data to be re-identified. We got some good suggestions from our industry experts to strengthen this and we are working on it further. It's also worth noting the continuous improvements we make from the good baseline work we have done so far.

Legal and Ethical Safeguards:

Lastly, I want to mention the legal and ethical measures our app takes to ensure that our data remains anonymous and untraceable back to any individual. Whatever the data we collect to help screen for any visual symptoms for STIs does not constitute PHI under HIPAA. I have discussed this in large scientific conferences, and I have presented some of them in most prestigious scientific meetings.  Pls refer to my LinkedIn posts if anyone is interested