Anyone who works in the healthcare industry knows about HIPAA: enacted in 1996, its original goal was to make health insurance coverage portable when an employee changed jobs. However, most people know it from a privacy perspective, because HIPAA is the main piece of United States legislation that protects patient privacy.
What is Protected Health Information?
The Privacy Rule, which took effect in 2003, defines what is to be treated as “protected health information” or PHI: any individually identifiable health information, i.e. health data that identifies a patient or could reasonably be used to identify one. The Rule’s “Safe Harbor” de-identification standard lists the identifiers that must be removed before data stops being PHI:
- Names (including middle names, aliases and previous names)
- Telephone numbers (work, cell and home)
- Addresses or geographical information smaller than the State level (the first three digits of a ZIP code may be kept, but only if the area covered by that three-digit prefix contains more than 20,000 people)
- All elements of dates other than the year that relate directly to the patient (birth date, admission and discharge dates, date of death), and any age over 89
- Social Security numbers
- Fax numbers
- Email addresses
- Medical record numbers
- Health insurance numbers/beneficiary numbers
- Account numbers (e.g. bank account)
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- URLs associated with the patient
- IP addresses
- Finger, retinal and voice prints (or other biometric identifiers)
- Full-face photographs, video footage or comparable images
If any of these pieces of information is accessed by an unauthorized individual, it could be used to “backtrack” to the patient it refers to. Thus, all must be protected by the safeguards stipulated by the Security Rule (administrative, physical and technical safeguards for PHI held or transmitted electronically). Alternatively, the identifiers can be removed from a record through “de-identification”: under the Safe Harbor method every identifier in the list above is stripped (including any that appear inside free-text notes) and the organisation must have no actual knowledge that the remaining data could identify the patient; the other route is a documented statistical determination by a qualified expert that the re-identification risk is very small.
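The following is an added example, not code from the original article: a small Safe Harbor de-identification routine in Python that applies the identifier rules above to a single record. The field names, the sample patient record and the set of sparsely populated ZIP prefixes are all constructed for the example (a real implementation would load the prefix list from current Census data), and the free-text scrubbing is a deliberately simple regex pass to show that notes need handling too, not a complete PHI detector.

```python
import re
from datetime import date

# Hypothetical field names for the example record; the categories follow the
# Safe Harbor identifier list in 45 CFR 164.514(b)(2).
REMOVE_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "license_plate", "device_serial",
    "url", "ip", "biometric", "photo", "street", "city", "county",
}
DATE_FIELDS = {"dob", "admitted", "discharged"}      # reduced to year only
KEEP_FIELDS = {"state", "sex", "diagnosis", "notes"}  # clinical content stays

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# CONSTRUCTED for this example; the real list comes from Census data.
SMALL_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823",
              "878", "879", "884", "890", "893"}

# Identifiers that commonly leak into free-text notes (order matters: the SSN
# pattern runs before the phone pattern so "123-45-6789" is labelled as SSN).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0044821",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "dob": "1931-03-15",
    "admitted": "2024-01-15",
    "diagnosis": "I10",
    "notes": "Patient (DOB 1931-03-15) reachable at 217-555-0143 or jane@example.org.",
}
AS_OF = date(2024, 6, 1)  # reference date for age calculation


def deidentify_zip(zip_code: str) -> str:
    """Keep the three-digit prefix, or 000 if the prefix covers too few people."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def year_only(iso_date: str) -> str:
    """Every date element except the year is an identifier; keep only the year."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", iso_date)
    if not m:
        raise ValueError(f"expected YYYY-MM-DD, got {iso_date!r}")
    return m.group(1)


def age_bucket(dob: str, as_of: date) -> str:
    """Ages over 89 must be collapsed into a single '90 or older' category."""
    birth = date.fromisoformat(dob)
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in notes with a category label."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of one patient record."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "dob":
            out["age"] = age_bucket(value, as_of)
            # A birth year that would reveal an age over 89 is itself identifying.
            if out["age"] != "90+":
                out["birth_year"] = year_only(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key == "notes":
            out["notes"] = scrub_free_text(value)
        elif key in KEEP_FIELDS:
            out[key] = value
        # Anything unrecognised is dropped: Safe Harbor also forbids "any other
        # unique identifying number, characteristic, or code".
    return out


def deidentify_sample() -> dict:
    """Run the routine over the constructed sample record."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

Note that the sample patient is over 89, so both the birth date and the birth year are suppressed and only the “90+” bucket survives, while the diagnosis code and admission year remain usable for analysis. Whitelisting the fields to keep, rather than blacklisting the ones to remove, is the safer default when the schema changes.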
What about medical data?
It should go without saying that HIPAA protects any patient data related to their treatment. This covers a patient’s past medical records, their history of illness, their current medical or physical conditions and their future prognosis. Information about how their healthcare is paid for is also protected.
This does not mean that none of this information can be passed on between individuals after collection. If the data must be transmitted for medical reasons – for example, if a patient is being referred to a specialist – any information related to the treatment may be passed between the healthcare professionals involved. Disclosures to a healthcare provider for treatment are exempt from the Minimum Necessary standard (part of the Privacy Rule), but that standard does apply to most other uses and disclosures, such as for payment or healthcare operations: information should not be shared unnecessarily, and what is disclosed should be limited to what the stated purpose requires.
When is PHI not protected?
In some circumstances, PHI is not treated in the way it usually would be. These are exceptional cases that concern public health, vulnerable people or law enforcement requirements.
In the following situations, HIPAA permits the disclosure of PHI:
- Activities for public health such as product recalls or disease control
- Organ donation
- Research (though other privacy regulations apply)
- Suspected neglect or abuse
- Response to a court order
- Activities relating to national security
In these cases, PHI still may not be made public, but its disclosure to individuals outside the treatment relationship, such as judges, researchers or law enforcement officers, is permitted for the stated purpose.