HIPAA Series #10: HIPAA and Data Sharing


Technological advances increase the free flow of data across systems and applications, making security and privacy key considerations in any transaction. These concerns are more pronounced in healthcare, where sensitive information about a patient is shared with the relevant entities. When this information falls into the wrong hands, it can lead to misuse and other harms, such as discrimination based on health conditions.

To avoid such consequences, the Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996, with security and privacy being its key pillars. Its Privacy Rule determines how sensitive patient data, known as Protected Health Information (PHI), is used and disclosed by the covered entities and their business associates. The Security Rule, on the other hand, sets the standards for the safe transfer of electronic PHI (ePHI). Together, these two rules act as safeguards for your patient data.

In this article, let’s discuss how these rules come into play in data sharing.

Data Sharing under HIPAA

Under HIPAA, covered entities are responsible for preserving privacy and security during data sharing. Covered entities include healthcare providers such as doctors and physicians, health plans, and HMOs that manage health plans. These entities can share PHI with relevant entities when the sharing relates to treatment, payment, or operations. No explicit patient consent is required in these cases, so that healthcare can be delivered to patients without delay. In all other cases, explicit patient consent is necessary.

Moving on to security, every covered entity must make every reasonable effort to protect PHI during data sharing and while the data is at rest. This security implementation can be broadly divided into three kinds of controls – physical, administrative, and technical. Let’s take a brief look at each.

Physical Controls

Physical controls include controlled-access mechanisms that secure the data centers where your PHI is stored. They can also include locks on storage rooms where physical PHI records are kept.

Administrative Controls

These controls encompass the policies and procedures implemented in your organization to ensure HIPAA compliance. They also include the training and awareness programs you conduct so that employees can recognize cyberattacks and protect PHI from unauthorized access and use.

Technical Controls

Technical controls include access controls and authentication mechanisms that ensure only authorized personnel can access ePHI. They also comprise encryption and other mechanisms that protect data in transit and at rest.

The above controls apply not only to the covered entities but also to the companies that handle one or more aspects of their operations.

Business Associate Agreements (BAA)

A business associate is a company that has a Business Associate Agreement (BAA) with a covered entity to handle, store, and transmit PHI on behalf of that covered entity. The BAA must lay down clear guidelines on what the business associate can do with the PHI, including how it must be handled. Any violation of the terms of the agreement can have legal consequences for both parties.

Because of this stringent approach, any organization that works for a covered entity will also take the necessary steps to protect PHI while sharing it. Note that business associates cannot use PHI for purposes not specified in the BAA. More importantly, they can never transmit it to third parties.

Challenges and Risks

Despite the above measures, safeguarding security and privacy during data sharing is difficult because of the huge increase in device usage, especially mobile phones. Similarly, the emergence of telemedicine and virtual care requires additional effort to safeguard PHI. Though covered entities are doing what they can, further effort is needed to safeguard PHI security and privacy.

Tips to Balance Data Sharing with Privacy

Below are some tips for balancing data sharing with privacy:

  1. Perform regular audits.
  2. Share data only when needed. In other cases, use anonymized and pseudonymized data.
  3. Where possible, get explicit patient consent before sharing.
  4. Implement comprehensive physical, administrative, and technical controls.
  5. Stay on top of regulations.
  6. Use advanced cybersecurity solutions to protect against potential threats.
  7. Promote an organizational culture that values privacy and security.
  8. Take help from cybersecurity experts to develop and implement cohesive security strategies geared for your organization.
  9. Offer continuous training to employees.

The above tips help balance data sharing with privacy and security.
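Tips 2 and 4 above talk about sharing only what is needed and using pseudonymized data where PHI itself is not required. The following is an added example, not code from the original article or from any particular product, of what that looks like in practice: a record is reduced to the fields a recipient actually needs, direct identifiers are dropped, the patient identifier is replaced with a keyed pseudonym (an HMAC under a secret held by the covered entity), and quasi-identifiers such as date of birth and ZIP code are generalized. The field names, the allow-list, the sample record and the key are all constructed for illustration.

```python
import hashlib
import hmac

# Fields that directly identify a patient and are always dropped before
# sharing outside treatment, payment and operations.
# (Constructed illustration, not an exhaustive list of HIPAA identifiers.)
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "street_address"}

# Fields the recipient actually needs for the stated purpose
# (hypothetical allow-list for a quality-improvement report). Anything not
# listed here is withheld: that is the "minimum necessary" principle.
ALLOWED_FIELDS = {"patient_id", "date_of_birth", "zip", "diagnosis_code", "visit_date"}


def pseudonymize_id(patient_id: str, key: bytes) -> str:
    """Keyed, deterministic token for a patient identifier.

    HMAC-SHA256 under a secret key that stays with the covered entity: the
    same patient always maps to the same token, so the recipient can still
    link that patient's records, but cannot recompute or reverse the token
    without the key. A plain unkeyed hash would not give that protection,
    because identifiers such as MRNs are guessable.
    """
    mac = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits is plenty for a linkage token


def prepare_for_sharing(record: dict, key: bytes) -> dict:
    """Return a copy of `record` reduced to what may be shared.

    - direct identifiers are removed outright
    - fields outside the allow-list are removed (minimum necessary)
    - the patient identifier becomes a keyed pseudonym
    - date of birth is generalized to birth year, ZIP to its first 3 digits
    """
    shared = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field not in ALLOWED_FIELDS:
            continue
        if field == "patient_id":
            shared["patient_token"] = pseudonymize_id(value, key)
        elif field == "date_of_birth":
            shared["birth_year"] = value[:4]   # "1984-03-09" -> "1984"
        elif field == "zip":
            shared["zip3"] = value[:3]         # "02139" -> "021"
        else:
            shared[field] = value
    return shared


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "street_address": "1 Example Way",
    "date_of_birth": "1984-03-09",
    "zip": "02139",
    "insurance_member_id": "INS-987",   # not needed by the recipient
    "diagnosis_code": "E11.9",
    "visit_date": "2024-05-02",
}

# Constructed demo key; in production this is a managed secret, never
# shipped with the shared data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE_RECORD, DEMO_KEY))
```

The pseudonymization key is the crown jewel of this scheme: whoever holds it can re-link tokens to patients, so it belongs with the covered entity's other secrets and is never sent alongside the shared data set. Generalizing dates and ZIP codes reduces re-identification risk but does not eliminate it; the remaining fields should still be treated as sensitive, shared under a BAA or with patient consent as the article describes, and protected in transit and at rest.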

Final Words

Patient data, also called Protected Health Information (PHI), contains sensitive information and can negatively impact patients when it falls into the wrong hands. This is why HIPAA’s Privacy and Security Rules protect this data when it is handled, stored, and shared. In this article, we looked at HIPAA’s provisions concerning data sharing, and we hope the tips in this piece help you share data securely.

Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.
