Business Intelligence and Big Data – What are the HIPAA Privacy and Security Impacts?

Posted by Gerry Blass

Journal of Healthcare Information Management – (JHIM) – Spring 2015

Used by permission from HIMSS.


The terms business intelligence and big data are the new buzzwords for using tools and techniques to sort and re-sort data for a secondary or other use within a business.

Business intelligence is defined as a set of techniques and tools for the transformation of raw data into meaningful and useful information. The term big data in healthcare refers to a frequently changing, large volume of data that, due to improvements in technology, has become more connected than ever before. With the advent of health information exchanges (HIEs), accountable care organizations (ACOs), Meaningful Use (MU) regulations, and more extensive use of data aggregators (e.g., registries), healthcare data is now used to help in the provision of medical care as well as to predict when and where an event might take place.

Since we are talking about healthcare information, we must talk about protected health information (PHI) and the HIPAA-HITECH-OMNIBUS Privacy, Security, and Breach Notification Rules. Business intelligence and big data analysis, including PHI and its use and disclosure, must be reviewed against the HIPAA Security, Privacy and Breach Notification Rule requirements.

If the business intelligence and big data analysis includes using PHI for TPO (treatment, payment, and healthcare operations), then current policies, procedures, plans and processes are most likely sufficient, but they should be updated accordingly. For example, if your organization is using its data to determine whether a type of drug is being used effectively and efficiently, then the HIPAA definitions for treatment and health care operations will likely cover the use and disclosure of PHI for these purposes, again with appropriate policy updates to include the aspects of business intelligence and big data.

The same is true for business intelligence and big data uses and disclosures for research purposes. Current policies, procedures, plans and processes are most likely sufficient, whether the HIPAA privacy requirements or the Common Core are used individually or together.

It is when your organization uses and/or discloses PHI for purposes other than TPO and research that the other HIPAA-HITECH-OMNIBUS Privacy and Security standards and implementation specifications need to be reviewed. We suggest the following areas be considered:

  • De-identification (45 CFR 164.514)
  • Limited Data Set (45 CFR 164.514)
  • Public Health (45 CFR 164.512)
  • Deceased Individuals (45 CFR 164.502)
  • Marketing (45 CFR 164.501)
  • Business Associate Agreements (45 CFR 164.308(b), 45 CFR 164.504(e))
  • All HIPAA Security Rule standards

In any analysis, it is important to begin with the definitions in the HIPAA requirements, because those definitions establish the scope of each requirement.

In previous JHIM columns, the authors discussed the need to conduct periodic ePHI vulnerability assessments and to determine controls, gaps, risk and risk mitigation. The assessment applies to every location where ePHI is in transit or at rest; potential locations to analyze include servers, workstations, portable devices, email, Wi-Fi, cloud hosting, and more. We can provide a full list upon request. The ePHI assessment should also include a detailed risk analysis drill-down for business intelligence and big data controls, gaps, risk and risk mitigation. It is simply a numbers game: the number of risk areas keeps growing, which results in a larger risk of breach when proper controls are not implemented.

Also note that NIST has released its big data framework for public comment. The framework is organized into volumes, including:

  • Volume 1: Definitions
  • Volume 2: Taxonomies
  • Volume 3: Use Cases and General Requirements
  • Volume 4: Security and Privacy
  • Volume 5: Architectures White Paper Survey
  • Volume 6: Reference Architecture
  • Volume 7: Standards Roadmap

To summarize, any PHI used in business intelligence and big data will need to comply with all the related HIPAA Privacy, Security and Breach Notification requirements, and must therefore be analyzed to an even greater degree when it comes to uses and disclosures, controls and risk. It is more important than ever for healthcare organizations and Business Associates to implement a “Culture of Compliance” with a major focus on Data Governance and Risk Management. Remember that it is a numbers game, and the number of possible locations for PHI in transit and at rest is increasing every day.

About the Authors

Gerry Blass is the President & CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. ComplyAssistant provides IT and healthcare cybersecurity services and healthcare compliance software that automates the management and documentation of healthcare compliance activities.

Susan A. Miller, JD has 40 years of professional leadership experience spanning college teaching, biochemistry research and law. Since 2002, Susan has provided independent consulting and legal services to numerous healthcare entities, including NIST and HHS. She has co-authored two OCR audit protocol prep books, the HIPAA Security Audit Prep Book and the HIPAA Breach & Privacy Audit Prep Book. You may reach her at

Blass and Miller are co-founders of HIPAA 411, a LinkedIn group.
