De-identified Data in Healthcare
The problem with de-identified data in healthcare is that some Electronic Health Record (EHR) companies have drafted Business Associate Agreements (BAAs) that could harm healthcare providers and their patients. It is not entirely clear whether these companies strictly adhere to the letter of the law, but they certainly do not uphold its spirit. A BAA, as outlined in the HITECH Act and further refined by the Omnibus Rule, was intended to serve as the company's commitment to understanding HIPAA privacy and security requirements: when a breach is caused by the software, the company should take responsibility. Once data is de-identified, however, companies gain considerable latitude in how they use it. They are not obliged to seek permission from subscribers, or to inform them, about how or when their patients' data is used, nor are they held accountable for software failures that result in data breaches.