RON: Yeah, thanks, Chris. That makes a lot of sense. I'm glad you read that, because this is the whole thing, right? It's past HIPAA covered information, too, because a lot of times people have this misconception of, “I'm only taking their name, address. I don't have a lot of other information.” Now, if you're not trying— most people could go Google my name and they could find me or Chris up on YouTube, and find us on LinkedIn and Facebook and things like that, right? So our name is not considered [protected] information.
But if our name is tied to anything about a physical or mental condition about us, then that name could be used to identify the person they're talking to. So if we're talking about, if somebody goes, “Patient X has this condition, they're living at this address,” well then that address could be used. Even though the address as a standalone is not PHI information, it falls under the umbrella now of protected information because that address could be used to identify the individual they're talking about that medical case or that health condition. And this is where everybody falls down: the name, the address, the birth date, and Social Security number.
One of the things Chris mentioned, he just barely mentioned de-identification data. But one of the things that you can do is think about clinical trials when you go to—we've got a number of different HIPAA-compliant websites that we've built for people that have got FDA approval for medical devices, and then they've done clinical trials. And those clinical trials are published for everybody in the world to go see.
But why can they do that when they see that 100 patients who had cancer and they were treated with this drug and 84 responded and the ones with the placebo, only 13 responded? Why can they do that? Well, the reason is because they've de-identified [anonymized] the information. They've either called them patient 1 through 100, or they haven't individually numbered them, and they've generically aggregated the information and said, “Out of 100 people within the study, 50 received the placebo, 50 received the drug. Of the 50 that received the drug, 47 were cured. Of the ones that fit the placebo, only 13 were cured.”
So now there is a measurable, you know, 3X capability to be healed using this drug. And that information is the helpful information that the people are mostly interested in. They don't really care who the people were that attended the clinical trials. So they took that information about the trial, which was about a hundred individual people that had this particular health condition, and they scrubbed the ID information from that, not the medical information, but the ePHI data. And that's what we call de-identification.
So, Chris, any last thing on the Privacy Rule before we move on to the next rule?
CHRIS: Yeah, I would say, in general, you're going to want to go through the actual nuances of what you're supposed to do with the Privacy Rule. Again, we have a detailed video that goes over that. Ron, you did a great job of hitting on several of the core concepts from a high level. The biggest thing that we want to say is it is not that hard to go through this summary of the rule and it really will help you to rest.
We literally have a video linked where we highlighted everything and went through to walk you through step by step. So if you're interested in doing that with us, come along and join us and we'll walk you through it hand in hand, if you will. And with that said, Ron, yeah, I would love to move on next to the HIPAA Security Rule.