HIPAA and Business Intelligence

Business intelligence is a phrase that was coined in the 1800s by Richard Miller Devens, who presented the phrase in a publication about commercial and business anecdotes. Devens used the phrase to describe how a banker named Sir Henry Furnese was able to profit from information by gathering and acting on it before his competition could. When Devens developed the term, the telegraph had only recently become popular. Since then, there have been profound advancements in technology, and with those advancements, an enhanced ability to gather information. Yet the definition of business intelligence is essentially the same now as it was in the 1800s: the effective use of data and information to make sound business decisions. Such use of data and information in healthcare must comply with the HIPAA laws and regulations. The relationship between HIPAA and business intelligence is discussed below.

What Does Business Intelligence Encompass?

Business intelligence consists of a set of activities an organization takes with respect to data. These activities include:

  • Reporting. Reporting involves the process of accessing data, formatting the data, and then delivering it inside and outside an organization.  
  • Analysis. Analysis consists of identifying patterns and establishing relationships in a group of data.
  • Data mining. Data mining is the extraction of original information from existing data.
  • Predictive analysis. Predictive analysis is a subset of data mining. Through predictive analysis, businesses attempt to predict probabilities and trends.

Business intelligence can be viewed as a process consisting of a series of steps:

  • Step 1: Data is gathered, and then organized through reporting.
  • Step 2: Data is then turned into meaningful information through analysis.
  • Step 3: The results of analysis are used to make specific decisions aimed at achieving a particular strategic goal.

What is the Relationship Between HIPAA and Business Intelligence?

One particular type of data has become central to the concept of business intelligence for healthcare institutions. This type of data is known as healthcare big data. Healthcare big data activities involve the collection and analysis of patient and clinical data, including protected health information (PHI), that is too vast or complex to be understood by traditional means of data processing. Such activities may include, for example, the use of artificial intelligence or other advanced computing techniques that offer predictive capabilities (capabilities that allow for the prediction of events, such as health outcomes).

Healthcare big data is a large volume of data that frequently changes in amount and substance, and that, because of technological advancements, is interconnected. The “connectedness” of healthcare data has been made possible by the creation of (among other things) healthcare exchanges (HIEs) and meaningful use (MU) regulations. HIEs and MU regulations allow healthcare data to be used to provide medical care, and, increasingly, to predict when and where a health-related event may occur.

When healthcare organizations apply business intelligence principles to gather, organize, and analyze data, the organizations must ensure that business intelligence activities do not violate, or cause a violation of, the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, or the HIPAA Omnibus Rule.

If, for example, you are a covered entity – say, a hospital chain – and you use business intelligence principles and perform healthcare big data activities to determine, say, whether a particular medication is being used effectively, you are, in effect, using protected health information for TPO (treatment, payment, and healthcare operations) purposes. As such, you should evaluate the HIPAA Privacy Rule and Security Rule policies and procedures that you have developed, to determine whether those policies and procedures need updating.

Policies should be updated, as appropriate, to incorporate those business intelligence and healthcare big data activities that you use to determine medication effectiveness. If, for example, you introduce a new healthcare big data activity, such as use of AI, into your operations, you should take steps to ensure that AI is being used consistently with your obligations under the HIPAA regulations.