As an assisted fertility consulting agency, you deal with people’s sensitive data all day long: medical information, personally identifiable information, addresses, phone numbers, government-issued identification, the whole kitchen sink. Should you worry about the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? The short answer is yes, you should.
Not Legal Advice*
First things first. I am not a lawyer and I am certainly not qualified to give legal advice. Let me just state that clearly: This article is not legal advice. If you want to be absolutely, positively, completely sure about your agency’s legal position, get legal counsel from a lawyer knowledgeable in HIPAA compliance. An * reminds you that you should follow up with your lawyer.
Also, this article speaks specifically to agencies located in the US.
Is My Agency Required to Comply with HIPAA?
If your agency is also a medical clinic or has doctors on staff, then you already know the answer to the question: yes, as a Covered Entity, you are required to comply with HIPAA. Full stop. If your agency only exchanges information with medical clinics on behalf of egg donors, surrogate mothers, or intended parents, then continue reading.
“But wait, Keith – I work with covered entities (doctors or clinics), and they said my agency is a Business Associate and that I need to sign a Business Associate Agreement (BAA)!” Yes, you work with covered entities. No, you are not their Business Associate*.
Your agency’s relationship is with your clients (intended parents, egg donors, and surrogate mothers), not directly with or “on behalf of [the] covered entity.” It is your clients who authorize your agency to receive their medical information from the covered entity. Your agency’s service is performed on behalf of your clients, not the covered entity.
Great! At the time of publication of this article, November 2016, assisted fertility consulting agencies are not required to comply with HIPAA*. But that doesn’t mean you shouldn’t worry about HIPAA.
Why Should I Worry About HIPAA?
My original answer to the question was, “[the] short answer is yes, you should”. Allow me to modify it slightly.
No, you shouldn’t worry about HIPAA in the sense that you aren’t compelled to abide by it, but yes, you should definitely respect its underlying tenets and guidelines and treat your business as if it were covered by HIPAA.
Just take a step back and think about it; you are dealing with people’s personal and confidential information. Every. Single. Day. Under the hood, HIPAA is all about best practices and security implementations (its Security Rule spells out administrative, physical, and technical safeguards) for protecting people’s data. You should try to protect your data (and your clients’ data) at least as well as medical organizations do – your donors, surrogates, and intended parents deserve it. And let’s be frank, when you get sued — we know it’s not if, but when — having followed those safeguards will help to ensure that privacy violations aren’t listed on the docket.
“No one else thinks that, Keith. You’re just paranoid.” Maybe. But have you read the article “Buying and selling human eggs: infertility providers’ ethical and other concerns regarding egg donor agencies” by Robert Klitzmann? Klitzmann is a professor of Clinical Psychiatry and a bioethicist, not some random tech guy on the internet like me 🙂 Klitzmann’s article is highly critical of egg donor agency ethics and makes many statements about the lack of oversight: “agencies exist as third-party companies outside of professional medicine and are not regulated by state or the federal government or subject to professional codes of conduct.”
The article speaks specifically to egg donor agencies, but its conclusions apply just as well to any assisted fertility consulting agency.
Given the potential limitations of the current model of self-regulation of agencies, the present data suggest needs to consider stronger professional guidelines or possible governmental regulations to establish, require and enforce higher standards for agencies to follow, regarding advertising to potential donors and recipients, arranging for appropriate informed consent concerning risks and benefits involved, and for quality control.
Klitzmann continues with the following statement:
U.S. laws bar health care providers and institutions, but not egg donor agencies, from sharing personal information about potential donors with others – including clinicians, prospective parents and the public-at-large.
With questions of ethics and the potential of lawsuits, really, it’s in your agency’s best interest to guard your clients’ data to the highest legal standards.
Other Privacy Laws
Do you have international clients in the EU? Then the EU’s General Data Protection Regulation (GDPR) certainly applies to you today, and it is in many ways much more stringent than HIPAA. The California Consumer Privacy Act (CCPA) takes effect in 2020 and will affect your California donors, surrogate mothers, and intended parents. As of May 2019, 14 states, including Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico, have consumer privacy laws in the works.
HIPAA may not apply to you today, but another similar or stricter regulation may apply to you in the future. Handle your data under the strictest guidelines you can today – it will make it easier to stay in compliance in the future.
This post is a bunch of alphabet soup. If you want to do some more reading (or maybe hand some to your personal technical guru), here are some links that should get you started.
- HIPAA: The Health Insurance Portability and Accountability Act of 1996. Check out the HHS.gov website at https://www.hhs.gov/hipaa/for-professionals/index.html.
- GDPR: The EU’s General Data Protection Regulation. The actual text of the GDPR will make your head explode, so maybe try this article: https://www.connected-uk.com/a-quick-guide-to-gdpr-for-busy-digital-professionals/.
- CCPA: The California Consumer Privacy Act of 2018. A bit of a long read, but very thorough: https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/