One of the chief aims of HIPAA is to safeguard the privacy of patients by ensuring certain types of data are secured and not disclosed to unauthorized people, but what information is protected under HIPAA rules?
What Information is Secured Under HIPAA Legislation?
HIPAA laws protect all individually identifiable health information that is created, received, maintained or transmitted by a HIPAA covered entity or business associate. According to the Department of Health and Human Services' Office for Civil Rights (OCR), there are 18 identifiers that make health information individually identifiable. When any of these identifiers is included in a data set, the information is considered protected health information (PHI) and must meet the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
The following data are secured under HIPAA legislation:
- Names
- Addresses (including all geographic subdivisions smaller than a state, such as street, city, county, and zip code)
- Dates (except years) directly linked to an individual, such as birth dates, admission/discharge dates, dates of death, and exact ages of individuals older than 89 years
- Telephone numbers
- Fax numbers
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Website addresses (URLs)
- Biometric identifiers, including fingerprints, voice prints, and iris and retinal scans
- Full-face photographs and any comparable images that could permit a patient to be identified
- Any other unique identifying number, characteristic, or code
What are the Permissible Uses and Disclosures of Protected Health Information?
Ensuring that policies and procedures are developed and applied to restrict the uses and disclosures of PHI is an important element of HIPAA compliance. If health information is used for purposes not allowed by the HIPAA Privacy Rule, or is deliberately disclosed to those not authorized to receive it, the covered entity or individual responsible may face fines.
HIPAA permits protected health information to be used for healthcare operations, for treatment, and in connection with payment for healthcare services. Information may be shared with third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate. A covered entity may only share PHI with another covered entity if the recipient has, or previously had, a treatment relationship with the patient and the PHI relates to that relationship. In the case of a disclosure to a business associate, a business associate agreement must have been executed. In all instances, the minimum necessary standard applies: disclosures must be limited to the minimum information that will allow the recipient to achieve the intended purpose.
Does HIPAA Forbid All Other Uses of PHI?
HIPAA does not forbid the use of PHI for all other purposes. PHI can be used for marketing, can be supplied to research groups, and can even be sold by a healthcare organization. However, before any use or disclosure of health information that is not expressly permitted by the HIPAA Privacy Rule, one of two steps must be taken:
- A HIPAA authorization must be obtained from the patient, in writing, permitting the covered entity or business associate to use the data for a specific purpose not otherwise permitted under HIPAA.
- The health information must be stripped of all information that would permit the patient to be identified.
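The second option above, stripping a record of the identifier categories listed earlier on this page, is straightforward to mechanise for structured fields but easy to get wrong in free text. The following is an added example written for this page, not code from the page's author or from any HIPAA tooling: it drops the direct-identifier fields, reduces dates to the year, collapses ages of 90 and over into one bucket, and scans a clinical note for identifier-like patterns that would otherwise leak through. The field names, record layout, sample record and regular expressions are all assumptions constructed for the demonstration.

```python
"""Safe-Harbor-style de-identification of a patient record.

Added example for this page, not the page author's code. Field names,
record layout and the regex patterns are assumptions made for the demo.
"""
import re
from datetime import date

# Fields holding direct identifiers (names, sub-state address parts, phone,
# fax, SSN, MRN, plan/account/license numbers, vehicle/device IDs, URLs,
# photos, biometrics). These are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "photo", "fingerprint_hash",
}
# Date fields are reduced to the year only (years are not an identifier).
DATE_FIELDS = {"dob", "admitted", "discharged", "deceased"}
# Exact ages over 89 are collapsed into a single "90+" bucket.
AGE_CAP = 90

# Patterns for identifiers that commonly leak into free-text notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "url": re.compile(r"https?://\S+|\bwww\.\S+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def find_identifiers_in_text(text):
    """Return (category, matched_text) pairs found in a free-text field."""
    hits = []
    for category, pattern in TEXT_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def redact_text(text):
    """Replace every identifier-like match with a labelled placeholder."""
    for category, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()} REDACTED]", text)
    return text


def generalize_age(age):
    """Ages of 90 or more become the bucket '90+'; others are unchanged."""
    return f"{AGE_CAP}+" if age >= AGE_CAP else age


def deidentify_record(record):
    """Return a new dict with the identifier categories removed or generalised."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: drop the field entirely
        if field in DATE_FIELDS and value is not None:
            out[field] = date.fromisoformat(value).year  # keep year only
        elif field == "age":
            out[field] = generalize_age(value)
        elif field == "notes":
            out[field] = redact_text(value)  # scrub free text
        else:
            out[field] = value  # state, diagnosis codes etc. are retained
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street": "12 Sample St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "555-010-1234",
    "ssn": "123-45-6789",
    "mrn": "MRN-000001",
    "dob": "1930-06-15",
    "admitted": "2023-03-02",
    "age": 93,
    "diagnosis_code": "E11.9",
    "notes": "Call back at 555-010-1234; see https://portal.example/p/1 on 2023-03-02.",
}

if __name__ == "__main__":
    print(find_identifiers_in_text(SAMPLE_RECORD["notes"]))
    print(deidentify_record(SAMPLE_RECORD))
```

The split between a dropped-field set and a free-text scan mirrors where real de-identification efforts fail: structured columns are easy to enumerate, but the notes field reintroduces phone numbers, URLs and dates. Running `find_identifiers_in_text` on the output of `deidentify_record` is a cheap regression check that nothing listed on this page survives the scrub.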