How do HIPAA / HITECH rules affect data security within healthcare?
HIPAA rules affect healthcare data security by mandating safeguards to protect protected health information (PHI), ensuring its confidentiality, integrity, and availability. This includes requiring administrative, physical, and technical safeguards, limiting access to the minimum necessary, and establishing protocols for breach notification and penalties for non-compliance. By enforcing these standards, HIPAA helps prevent data breaches and unauthorized access, thereby protecting patient privacy and trust.
The rules extend to “business associates” who handle patient data on behalf of a covered entity, requiring them to also implement security measures. A business associate is an organization, other than a member of a covered entity’s workforce, that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
What is considered PHI?
PHI under HIPAA is individually identifiable health information that is collected or maintained by an organization that qualifies as a HIPAA covered entity or business associate. As well as health information, any non-health information maintained in the same designated record set that identifies – or could be used with other information to identify – the subject of the health information is also PHI under HIPAA.
The 18 HIPAA identifiers are the identifiers that must be removed from a designated record set before any remaining health information is considered to be de-identified under the “safe harbor” method of de-identification (see §164.514).
- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
- All elements (except years) of dates directly related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone number
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Biometric identifiers, including finger or voice prints
- Full-face photographic images and any comparable images
- Any other characteristic that could uniquely identify the individual
Not all patient data is considered protected health information under HIPAA. Whether it is depends on whether an identifier is included in the same designated record set. Under HIPAA, PHI ceases to be PHI once it is stripped of all identifiers that can tie the information to an individual. Once the identifiers are removed, the remaining health information is referred to as de-identified PHI.
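The safe-harbor method described above is mechanical enough to automate. The following is an added example (not code from the original page or from Optomed) showing how a record can be stripped of the 18 identifier categories before it leaves a covered entity: direct identifier fields are dropped, state is kept while smaller geographic units go, dates are reduced to the year, ages over 89 collapse into a single "90+" bucket (with the birth year dropped in that case, since it would reveal the age), and free-text fields are scanned for identifiers that commonly leak into notes. The field names, regular expressions and the sample record are constructed for illustration and are not taken from any real system.

```python
"""Safe-harbor de-identification of a patient record (added example, constructed data)."""
import re
from datetime import date

# Structured fields mapped to the safe-harbor identifier categories: names,
# geographic units smaller than state, contact details, SSN/MRN/plan/account/
# license numbers, vehicle and device IDs, URLs, IP addresses, biometrics, photos.
# Field names are an assumption for this example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "fingerprint_template", "face_photo",
}
# Dates directly related to the individual (other than birth date, handled
# separately because of the over-89 rule); only the year may be retained.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

# Patterns for identifiers that commonly slip into free-text notes.
# URL runs first so an email-like string inside a URL is not double-matched.
FREE_TEXT_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def age_bucket(birth_date: date, as_of: date) -> str:
    """Age in whole years as a string; anything over 89 becomes the single '90+' bucket."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1  # birthday not yet reached this year
    return "90+" if years > 89 else str(years)


def detect_free_text_identifiers(text: str) -> list:
    """Return the labels of identifier patterns found in a free-text field (detection only)."""
    return [label for label, pattern in FREE_TEXT_PATTERNS.items() if pattern.search(text)]


def scrub_free_text(text: str) -> str:
    """Replace each matched identifier in free text with a labelled placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the safe-harbor rules to one record and return the de-identified copy."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # identifier category: drop the field entirely
        if key == "birth_date":
            age = age_bucket(value, as_of)
            out["age"] = age
            if age != "90+":
                out["birth_year"] = value.year  # year alone is permitted below age 90
            continue
        if key in DATE_FIELDS:
            out[f"{key}_year"] = value.year  # keep only the year
            continue
        out[key] = scrub_free_text(value) if isinstance(value, str) else value
    return out


# Constructed sample record; no real patient data.
SAMPLE_AS_OF = date(2024, 5, 2)
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street_address": "12 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "birth_date": date(1931, 3, 15),
    "admission_date": date(2024, 5, 2),
    "mrn": "MRN-000123",
    "email": "jane@example.com",
    "diagnosis_code": "E11.319",
    "notes": "Patient called from 555-123-4567, follow up via jane@example.com.",
    "hba1c": 7.9,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_AS_OF))
```

Running the block prints a record that still carries the state, the admission year, the diagnosis code and the lab value, but no name, address, MRN or contact details, with the notes field rewritten to `Patient called from [phone removed], follow up via [email removed].` and the age reported as `90+` with no birth year. A free-text scanner like this is a useful pre-export check, but it is pattern-based and will not catch every identifier; a reviewer should still treat a clean scan as evidence, not proof, of de-identification.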
Are fundus photos considered PHI?
Retinal images are not considered PHI according to many industry experts. The American Academy of Ophthalmology makes a strong case as to why they don’t consider fundus photos PHI. Current Department of Health and Human Services (DHHS) Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with HIPAA Privacy Rule does not specifically include retinal images in the list of individual identifiers, but lists biometric identifiers, including finger and voice prints, and full-face photographs and any comparable images.
For an image to be considered a biometric identifier, all three of the following conditions must be satisfied:
- The images are unique or distinguishing,
- A naming data source exists that definitely links the de-identified image to the corresponding patient, and
- A mechanism exists that relates the de-identified image and the identified data sources.
When using the Aurora AEYE DR screening platform, customers share two types of data when performing a study: fundus images and a study ID number associated with the study. Customers are advised not to provide actual patient IDs, but rather IDs generated solely for AI analysis purposes, such as order numbers.
The DHHS guidance stipulates that the ability to distinguish data is not, by itself, sufficient to compromise patient privacy, and the lack of a readily available naming database means there is no way to trace the photo back to the patient. It is therefore reasonable to say that retinal images are not considered PHI and that the risk of re-identification from de-identified retinal images is low.
Is Aurora AEYE HIPAA compliant?
Optomed performs continual audits to evaluate and assess the compliance of its systems, policies and procedures against the 18 Standards and 44 Implementation Specifications of the HIPAA/HITECH Security Rule, and to ensure that the risks relating to the Administrative, Physical, and Technical Standards for securing electronic protected health information (ePHI) are mitigated to reasonable and appropriate levels through current controls and procedural changes enforced by policy.
Administrative safeguards include security management processes, staff training, and risk assessments. Physical safeguards include the protection of facilities and hardware from unauthorized access, such as locks and server room security. Technical safeguards focus on technology such as access controls, encryption, and audit controls.
Despite not handling PHI, Optomed follows its guidelines and operates as if it were covered by a business associate agreement (BAA) in order to protect our clients from liabilities and ensure their compliance.
Optomed takes cybersecurity and compliance with HIPAA, GDPR, HL7, and data privacy laws with the utmost seriousness. The company performs regular information security audits, third-party penetration testing, and analysis of BAA partnerships, minimizing vulnerabilities in its information security systems.
In summary:
- We don’t get any PHI (based on the definition of PHI and the 18 identifiers listed as PHI), so HIPAA is not applicable to our service.
- If it is argued that HIPAA applies to our service, we still have the BAA in place, where we give our clients various safeguards and protections.
Our FDA-cleared artificial intelligence diabetic retinopathy screening service is secure and end-to-end encrypted, and user access is managed by username and password controls. Your data is never used to train the closed-model system and is safely segregated from other customers' data. Aurora AEYE is a powerful tool that is accurate, safe, and works with you to improve outcomes. Improve your organization with Aurora AEYE today.