zlacker

[parent] [thread] 3 comments
1. halduj+(OP)[view] [source] 2023-08-07 00:24:28
I don’t think the question is about Zoom’s safeguards which are audited, and as you say almost certainly stronger than HIPAA requirements, but rather whether they can use the stored PHI for product development where the law appears ambiguous.
replies(1): >>johndh+O9
2. johndh+O9[view] [source] 2023-08-07 01:53:37
>>halduj+(OP)
Imo the law basically says you can do this with PHI:

-De-identify it then do whatever you want with it -use it to provide some service for the covered entity, but not for anyone else -enter a special research contract if you want to use it slightly de-identified for some other specific purpose

replies(1): >>halduj+Fe
◧◩
3. halduj+Fe[view] [source] [discussion] 2023-08-07 02:36:25
>>johndh+O9
One note is that the act of deidentification itself requires accessing PHI when done retroactively, this may be institutional policy or specific to covered entities but per the privacy office lawyers such access (apart from a small dataset) requires a permitted use to be accessible in order to then deidentify and use freely.

As with all things HIPAA, this only becomes a problem when HHS starts looking and I’m sure in practice many people ignore this tidbit (if in fact this is the law and not Stanford policy).

replies(1): >>johndh+m32
◧◩◪
4. johndh+m32[view] [source] [discussion] 2023-08-07 16:10:54
>>halduj+Fe
This is correct -- the covered entity can de-identify data, or ask the BA to de-identify data. If the BAA says the BA can, then they can.
[go to top]