
Consider a scenario where a company operates a service which is HIPAA compliant. This service requires storing patient emails which may contain personally identifiable information (PII). This PII is redacted and encrypted when the email is stored at rest.

One day a problem occurs—the system crashes for certain emails, in a way that cannot be reproduced with the redacted emails.

To debug this problem engineers require the original email text.

What is the right procedure to expose it in a controlled manner? Is it even allowed?

Michael
Uri

1 Answer


The HIPAA Privacy Rule governs disclosure of protected information. What you are describing is a business use of protected information by a covered entity that already possesses said information, which is not prohibited. In the case that an external company were assisting with the troubleshooting and support of the system, that company would have already signed a business associate agreement, which is what is required to allow them to access protected information under the Privacy Rule.

The Privacy Rule requires that the organization maintain a written policy for this sort of access, which would dictate things such as when this access is permitted, by whom, and any additional protections that must be used (e.g. audit requirements, deleting unredacted information from storage as soon as possible, not saving it at all, etc.).

Michael