Vocalabs has several healthcare-related clients, so we are used to dealing with the privacy and security requirements of HIPAA. Some recent changes to the regulations will mean significant new requirements for what a company like us needs to do to remain HIPAA compliant after September 2013.
Since Vocalabs itself is not a healthcare company, we are not what's called a "covered entity" under the regulations. Rather, we are a "business associate," which is basically any company which a covered entity hires to perform some work which may require sharing protected health information.
Many non-healthcare companies hired by a covered entity would also be considered business associates--for example: accountants, IT services, lawyers, business process consultants, etc.
Under the old rules, a business associate had to sign a contract with the covered entity that basically promised to keep protected health information private and secure. Business associates had to maintain the same level of privacy and security as the covered entity, but did not have to go through the formal documentation and review process.
After September, though, business associates have to follow all the security rules as a covered entity (at least insofar as they can reasonably be applied) and produce the same formal documentation and policies. What's more, to the extent that a business associate subcontracts to a third party which may also receive protected health information, that subcontractor also has to comply with all the policy and documentation requirements.
These new requirements can potentially be a big problem for some survey companies. At Vocalabs, our existing policies and processes are already consistent with HIPAA requirements, so for us it will be mostly a matter of documenting and formalizing what we already do. But at companies which aren't as security-minded, the HIPAA changes could require large investments in infrastructure, training, and compliance.
So how does all this apply to Customer Feedback?
Keep in mind that the HIPAA rules only apply to "protected health information," which has a very specific legal definition. It's basically health- and care-related information created by a healthcare company (doctor, hospital, insurance company, etc.) which can be tied to a specific, identifiable patient. Customer feedback is not, by itself, protected health information.
But sometimes we need to have protected health information in order to gather useful feedback. For example, we need to know the patient's phone number to call him or her, and that phone number combined with the fact that there had been a hospital visit could arguably qualify as "protected health information." So to be on the safe side, we will treat it as PHI. For analysis purposes, we may also want to know the doctor's name, hospital, or other details which can really help understand how to improve the patient's experience but which clearly need to be protected.
So between now and September we will be updating our security and privacy policies, revising contracts, and doing everything we need to do to remain fully HIPAA compliant under the new rules. And anyone else collecting customer feedback around healthcare will need to do the same.