Hello,
I’m not sure if I need to be HIPAA compliant in the following situation:

There is a clinic in the USA (a covered entity), and I will be providing them with pseudonymized data—meaning the data I share does not contain identifiable patient information, and only the clinic can match the pseudonyms to actual individuals using their internal system.

I will not have access to any Protected Health Information (PHI) myself—only pseudonymized data. In this case, do I still need to sign a Business Associate Agreement (BAA) and comply with all HIPAA requirements?

4 Spice ups

Short answer should be no, nor will you need to sign a BAA.

However, the longer answer is, confirm with the company and their security team they are happy with this too.

So long as you do not have the client data and the data you do have doesn’t directly get you this data (but it does the client), then this should be ok.

I am no HIPAA/PHI expert though.

3 Spice ups

You shouldn’t have to, but to cover yourself and them I would say sign one just in case.

2 Spice ups

There is a standard specifically for this case, and HHS also had a workshop about it and published it here.

https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html

3 Spice ups

I work in the healthcare vertical. If there is any way to match/decode the pseudonymized data to the live data, it is a HIPAA violation. Only aggregated data is acceptable. BAA, NDA, ISAs notwithstanding.

Thank you for your response.

If I understood correctly, even under a BAA, we are not permitted to decode or match pseudonymized data to live data. To clarify, our system does not have the capability to decode or perform any matching. Only the clinic in the U.S.—as the HIPAA-covered entity—can perform such matching, and only within their compliance framework.

Please let me know if this understanding aligns with your interpretation.

Description of a BAA from a covered entity’s point of view.

*A business associate agreement establishes a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI.*

This type of agreement is necessary if business associates can potentially access PHI during their work. It’s also required if the business associates’ subcontractors have potential access to PHI.

The BAA is a contract between the Covered-Entity and an Outside Entity. This contract states that the Outside Entity might come in contact with PII/PHI in the course of their contracted job. It does not mean the Outside Entity has the permission to access or expose said PHI.