HIPAA is a complex piece of legislation covering many aspects of patient privacy, which may leave healthcare workers wondering: what information can be shared without violating HIPAA?
To answer this question, we must first discuss what kinds of information are covered by HIPAA. The HIPAA Privacy Rule defines “Protected Health Information” (PHI) as individually identifiable health information that is created, stored, received, or transmitted by a HIPAA Covered Entity (CE) or its Business Associates (BAs). To qualify as PHI, the information must relate to an individual’s past, present, or future physical or mental health or condition (e.g. diagnoses, treatment plans or prognoses), to the provision of healthcare to that individual, or to payment for that care, and it must either identify the individual or provide a reasonable basis to believe it could be used to identify them.
The Privacy Rule (45 CFR 164.514(b)) lists 18 such “HIPAA Identifiers” which, if present in the data, could be used to trace the information back to the patient to whom it refers. According to the Department of Health and Human Services’ website, the following are considered to be identifiers:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code, except for a re-identification code assigned under the Privacy Rule’s re-identification provisions (which must not be derived from the patient’s information and must not be disclosed for any other purpose)
Covered Entities and their BAs may use or disclose PHI without the patient’s authorization only for the purposes the Privacy Rule permits: principally treatment, payment and healthcare operations, plus a limited set of specific exceptions such as reporting suspected child abuse or domestic violence, or other disclosures required by law. Sharing PHI outside those purposes is a violation of HIPAA, and could result in hefty fines or even criminal prosecution. However, the permitted uses of PHI can be greatly expanded if prior written patient authorization is obtained. With a valid authorization from the patient, a CE can sell PHI, use it for marketing or research purposes, or disclose it for other uses the Privacy Rule does not otherwise allow (the sale of PHI and most marketing uses specifically require such an authorization). In every such case the authorization must be obtained before the information is used or disclosed.
Alternatively, CEs can “de-identify” data. This removes or generalizes the identifying elements so that the information is no longer reasonably traceable to an individual and, therefore, is no longer considered to be PHI. Consequently, the information is no longer protected by the HIPAA Privacy Rule and can be shared without violating HIPAA. According to the Department of Health and Human Services, there are two methods of de-identification:
- Expert Determination, in which a qualified expert applies generally accepted statistical or scientific principles to the data and documents that the risk of identifying an individual from it is very small
- Safe Harbor de-identification, in which all 18 HIPAA identifiers are removed from the data and the CE has no actual knowledge that the remaining information could be used, alone or in combination with other data, to identify the individual
Safe Harbor is the simpler and more mechanical of the two methods: removing the listed identifiers leaves no judgement call about residual risk, whereas Expert Determination deliberately accepts a small, documented risk of re-identification in exchange for retaining more useful data (for example, full dates or full ZIP codes). Neither method makes re-identification impossible; Safe Harbor data can still be linked against other data sets, which is why the “no actual knowledge” condition is part of the standard rather than an afterthought.
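As an added illustration (not part of the original article or any HHS guidance), the following Python applies the Safe Harbor rules described above to a single patient record: it drops the fields that are identifiers outright, keeps only the first three ZIP digits (or 000 for a restricted prefix), reduces dates to the year, collapses ages over 89 into a single “90+” bucket (and drops the birth year, which would otherwise reveal such an age), and scrubs common identifier patterns from free text. The field names, the restricted-ZIP set and the sample record are constructed assumptions; in practice the restricted set must be populated from current Bureau of the Census data.

```python
import re
from datetime import date

# Three-digit ZIP prefixes covering 20,000 or fewer people must be reported
# as "000". ASSUMPTION: this set is a constructed placeholder; populate it
# from the current Bureau of the Census data before real use.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Record fields that are Safe Harbor identifiers and are removed outright.
# ASSUMPTION: field names are those of a hypothetical record schema.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip", "biometric", "photo",
}

# Identifier patterns that commonly leak into free-text notes (constructed,
# deliberately not exhaustive: names and addresses in prose need NLP or review).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?:\(\d{3}\)|\b\d{3})[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def generalize_zip(zip_code):
    """Return the first three ZIP digits, or "000" for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # not a usable ZIP; safer to drop than to guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Keep only the year of an ISO date string or date object."""
    if isinstance(value, date):
        return value.year
    if isinstance(value, str):
        match = re.match(r"^(\d{4})-\d{2}-\d{2}$", value)
        if match:
            return int(match.group(1))
    return None


def generalize_age(age):
    """Ages over 89 are aggregated into a single "90+" category."""
    return "90+" if age > 89 else age


def scrub_text(text):
    """Replace identifier patterns in free text with labelled placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_deidentify(record):
    """Apply the Safe Harbor transformations to one record, returning a new dict."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob" or key.endswith("_date"):
            new_key = "birth_year" if key == "dob" else key[: -len("_date")] + "_year"
            out[new_key] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # A birth year combined with an age over 89 is itself indicative of that age.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "ssn": "123-45-6789",
    "dob": "1931-04-12",
    "age": 93,
    "zip": "03601",
    "admission_date": "2024-02-09",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient reached at (555) 123-4567 or jane.doe@example.org; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE))
```

The structured-field handling is the easy part; free-text fields are where Safe Harbor efforts usually fail, because regular expressions catch formatted numbers but not a patient’s name, employer or street written in prose. A production pipeline pairs this kind of rule set with a review step, and the CE still has to satisfy the “no actual knowledge” condition for whatever survives.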
So, what information can be shared without violating HIPAA? PHI can be shared only for the narrow set of uses the Privacy Rule permits. Beyond that, patients can authorize further use of their data, or CEs and BAs can de-identify the data, removing it from the remit of the HIPAA Privacy Rule.