The Health Insurance Portability and Accountability Act was established in 1996, mainly as a way of easing the transfer of healthcare plans between employers. However, since then it has come to cover all aspects of patient privacy. Much of this focuses on safeguarding “protected health information” (PHI), patient data that can be used to identify individuals.
What is PHI?
As described above, PHI is any piece of information that can be considered an “identifier”, i.e. can be traced back to an individual and used to identify them. It was defined in the Privacy Rule (2003), and covers all aspects of sensitive data such as name, gender, sexuality, religion, health conditions, treatment plans or contact information.
The following pieces of information should be treated as PHI as they can be used to identify an individual:
- Name (including middle names, aliases and previous names)
- Telephone numbers (work, cell and home)
- Addresses or geographical information smaller than the State level (however the first three digits of a zip code are not considered to be PHI)
- Social Security numbers
- Fax Numbers
- Email addresses
- Medical records
- Health insurance numbers/beneficiary numbers
- Account numbers (e.g. bank account)
- Certificate or license numbers
- Vehicle license plates or other identifiers
- Device serial numbers
- URLs associated with the patient
- IP addresses
- Finger, retinal and voice prints (or other biometric identifiers)
- Photographs or video footage
Additionally, any other unique identifying characteristic, serial number, code or license should also be treated as PHI. This means that they should be afforded the same administrative, technical and physical safeguards and not be shared with unauthorized personnel. Any piece of information that contains one of the above identifiers should be treated as PHI.
PHI only relates to healthcare. Any information regarding employment, education, non-medical finances etc. is not protected under HIPAA.
What is a “limited data set”?
A “limited data set” is one in which identifiers such as those listed above have been removed. This data set can then be shared without the patient’s prior authorization if certain conditions are met. However, the data set still contains PHI and thus the covered entity sharing the data must ensure that it is protected. Thus, they must enter into a “data use agreement” with the recipient of the data set. This should clarify what the data can be used for, who can access it, prohibit its further disclosure and ensure the appropriate safeguards will be enacted to protect the data.
Protected Health Information, of PHI, was first defined under the Privacy Rule. Essentially, it is any one of eighteen pieces of information that can be used to identify an individual. It also includes all personal data collected during the course of healthcare. It should be protected from unauthorized access to ensure the patient’s anonymity and privacy is preserved.