Sample HIPAA compliance Memoranda

Memoranda Title: Healthcare industry: Data privacy requirements per the Health Insurance Portability Accountability Act (HIPAA)

Date: March 1, 2017

Introduction and Problem Definition

Health care data can be used for providing preventative and emergent health care to health care consumers.  The use of this data in aggregate can provide huge datasets, which will allow big data analytics find hidden patterns that could be used to improve healthcare.  However, the Health Insurance Portability Accountability Act (HIPAA) is a health care consumer data protection act, which must be followed.  This Act protects health care consumers’ data from being improperly disclosed or used; and any data exchanged between health care providers, health plans, and healthcare clearinghouse should be necessarily minimized for both parties to accomplish their tasks (Health and Human Services [HHS], n.d.a.; HHS, n.d.b.).  Though the use of big health care data is promising, we must follow our Hippocratic Oath, and HIPAA is the way of keeping our oath while providing new services to our consumers.


All health care data either physical or mental from a person’s past, present and future is protected under HIPAA (HHS, n.d.a). According to the HHS (n.d.b.), groups with health care consumers’ data should always place limits on those who have read, write, and edit access to the data.  Identifiable data can include name, address, birth date, social security number, other demographic data, mental and physical health data or condition, and health care payments (HHS, n.d.a). Any disclosure of health data must be obtained from the individual is via a consent form that states specifically who will get what data and for what purposes (HHS, n.d.a; HHS, n.d.b.).

Consequences of data breaches

A violation is obtaining or disclosing individually identifiable health information (Indest, 2014). Those that are subject to follow the HIPAA regulations are health plans, healthcare providers, and health care clearinghouses (HHS, n.d.a.; HHS, n.d.b.). Any violations by any of the abovementioned parties that have been detected must be corrected within 30 days of discovery to avoid any of the civil or criminal penalties (up to one year of imprisonment) from an HIPAA Violations (Indest, 2014).

Table 1: List of tiered civil penalties for HIPAA Violations (HHS, n.d.a.; Indest, 2014).

HIPAA Violation Minimum Penalty Maximum Penalty
Unknowingly causing a violation $100 per violation until $25K is reached per year $50K per violation until $1.5M is reached per year
Reasonable violation not done by willful neglect $1K per violation until $100K is reached per year $50K per violation until $1.5M is reached per year
Willful neglect with a corrective action plan but requiring time to enact $10K per violation until $250K is reached per year $50K per violation until $1.5M is reached per year
Willful neglect with no corrective action plan $50K per violation until $1.5M is reached per year $50K per violation until $1.5M is reached per year


Big Data Analytics: Privacy & HIPAA

Since its inception 25 years ago, the human genome project has been sequenced many 3B base pair of the human genomes (Green, Watson, & Collins, 2015).  This project has given rise of a new program, the Ethical, Legal and Social Implication (ELSI) project.  ELSI got 5% of the National Institute of Health Budget, to study ethical implications of this data, opening up a new field of study (Green et al., 2015 & O’Driscoll, Daugelaite, & Sleator, 2013).  Data sharing must occur, to leverage the benefits of the genome projects and others like it.  Poldrak and Gorgolewski (2014) stated that the goals of sharing data help out with the advancement of the field in a few ways: maximizing the contribution of research subjects, enabling responses to new questions, enabling the generation of new questions, enhance research results reproducibility (especially when the data and software used are combined), test bed for new big data analysis methods, improving research practices (development of a standard of ethics), reducing the cost of doing the science (what is feasible for one scientist to do), and protecting valuable scientific resources (via indirectly creating a redundant backup for disaster recovery).  Allowing for data sharing of genomic data can present ethical challenges, yet allow for multiple countries and disciplines to come together and analyze data sets to come up with new insights (Green et al., 2015).

Richards and King (2014), state that concerning privacy, we must think of it regarding the flow of personal information.  Privacy cannot be thought of as a binary, as data is private and public, but within a spectrum.  Richards and Kings (2014) argue that the data as exchanged between two people has a certain level of expectation of privacy and that data can remain confidential, but there is never a case were data is in absolute private or public.  Not everyone in the world would know or care about every single data point, nor will any data point be kept permanently secret if it is uttered out loud from the source.  Thus, Richards and Kings (2014) stated that transparency can help prevent abuse of the data flow.  That is why McEwen, Boyer, and Sun (2013) discussed that there could exist options for open-consent (your data can be used for any other future research project), broad-consent (describe various ways the data could be used, but it is not universal), or an opt-out-consent (where participants can say what their data shouldn’t be used for).

Attempts are being made through the enactment of Genetic Information Nondiscrimination Act (GINA) to protect identifying data for fears that it can be used to discriminate against a person with a certain type of genomic indicator (McEwen et al., 2013).  Internal Review Boards and Common Rules, with the Office of Human Research Protection (OHRP), have guidance on information flow that is de-identified.  De-identified information can be shared and is valid under current Health Insurance Portability and Accounting Act of 1996 (HIPAA) rules (McEwen et al, 2013).  However, fear of loss of data flow control comes from increase advances in technological decryption and de-anonymisation techniques (O’Driscoll et al., 2013 and McEwen et al., 2013).

Data must be seen and recognized as a person’s identity, which can be defined as the “ability of individuals to define who they are” (Richards & Kings, 2014). Thus, the assertion made in O’Driscoll et al. (2013) about how the ability to protect medical data, with respects to bid data and changing concept, definitional and legal landscape of privacy is valid.  Thanks to HIPAA, cloud computing, is currently on a watch list. Cloud computing can provide a lot of opportunity for cost savings. However, Amazon cloud computing is not HIPAA compliant, hybrid clouds could become HIPAA, and commercial cloud options like GenomeQuest and DNANexus are HIPAA compliant (O’Driscoll et al., 2013).

However, ethical issues extend beyond privacy and compliance.  McEwen et al. (2013) warn that data has been collected for 25 years, and what if data from 20 years ago provides data that a participant can suffer an adverse health condition that could be preventable.  What is the duty of the researchers today to that participant?  How far back in years should that go through?

Other ethical issues to consider: When it comes to data sharing, how should the researchers who collected the data, but didn’t analyze it should be positively incentivized?  One way is to make them co-author of any publication revolving their data, but then that makes it incompatible with standards of authorships (Poldrack & Gorgolewski, 2013).



  • Green, E. D., Watson, J. D., & Collins, F. S. (2015). Twenty-five years of big biology. Nature, 526.
  • McEwen, J. E., Boyer, J. T., & Sun, K. Y. (2013). Evolving approaches to the ethical management of genomic data. Trends in Genetics, 29(6), 375-382.
  • Poldrack, R. A., & Gorgolewski, K. J. (2014). Making big data open: data sharing in neuroimaging. Nature Neuroscience, 17(11), 1510-1517
  • O’Driscoll, A., Daugelaite, J., & Sleator, R. D. (2013). ‘Big data,’ Hadoop and cloud computing in genomics. Journal of biomedical informatics, 46(5), 774-781.
  • Richards, N. M., & King, J. H. (2014). Big data ethics. Wake Forest L. Rev., 49, 393.