The HIPAA privacy laws were first passed during in 2002 with the stated objective of protecting the confidentiality of patients’ healthcare information without hindering the exchange of information that was required to give treatment. The HIPAA privacy laws state who can have access to Protected Health Information (PHI), the conditions under which it can be used, and who it can be shared with.
The HIPAA privacy laws not only apply to healthcare providers and the organizations they work for, they also apply to any entity that may have access to healthcare information about a patient that – if it were to fall into the wrong hands – could present a risk of damage to the patient’s finances or reputation. Due to this health insurers, healthcare clearinghouses and employers that supply in-house health plans also have to comply with the HIPAA privacy laws.
What Data is Protected by the HIPAA Privacy Laws?
The information made safe by the HIPAA privacy laws is referred to as “Individually Identifiable Health Information”. This is any information that can reveal a patient’s identity in relation to:
- the patient’s previous, existing or predicted physical or mental condition,
- the provision of healthcare services and medical treatment to the patient, or
- the past, present, or future payment for the supply of medical attention to the patient.
Because the secured data includes payment information, individually identifiable health information not only includes data such as names, date of birth, Social Security numbers and telephone numbers, but also car registration numbers, credit card details, and even copies of a patient’s handwriting.
It is crucial for covered entities to note that the HIPAA privacy laws are not only relevant for data saved in a written format. Images and videos that include any individually identifiable health information are also protected by the HIPAA privacy legislation.
The HIPAA privacy laws around PHI apply to all covered entities and every third party service provider (or “Business Associate”) with whom the covered entity works with. These are the only parties who should have be able to view to PHI unless authorization is given by the patient for it to be shared for research, marketing or fundraising goals.
Releasing PHI for the purposes of treatment, payment or healthcare operations must be included within a covered entity or Business Associate – unless the disclosure is needed by law, is in the public’s best interests or in the patient’s best interests.
The HIPAA privacy laws stipulate that covered entities should fall in line with the “Minimum Necessary Rule” – a rule that stipulates the disclosure of PHI should only be the minimum necessary to result in the stated purpose. Each request for disclosure should also be considered on a case-by-case basis, rather than allow access to PHI to a Business Associate because they have been allowed access on an earlier occasion.
Unauthorized Disclosures of PHI
Each covered entity must ensure that they are implementing safeguards to stop the unauthorized disclosure of PHI. These safeguards will differ depending on the size of the covered entity and the style of healthcare it provides, but the penalties for failing to secure the integrity of PHI can be extremely high. Healthcare organizations that deliberately or negligently fail to adhere to HIPAA privacy laws can be fined up to $50,000 per offence daily.
The Department of Health and Human Resources´ Office for Civil Rights has said that the most common reason for the unauthorized sharing of PHI is the loss or theft of personal mobile devices and portable media devices (laptops, Smartphones and USB flash drives). Due to this, many healthcare groups have decided to implement secure messaging solutions as adequate substitutes for unsecured channels of communication such as SMS and email.
Secure messaging solutions encrypt PHI so that it is indecipherable and unusable should it be captured during in transit, and they also have security controls to ensure that PHI cannot be accidentally or maliciously sent outside of a covered entities private communications network or saved on to a USB flash drive. Should a personal mobile device be lost or stolen, administrative controls are in place to remotely destroy any PHI received by the device and lock the app used for secure messaging. These controls also are applicable on desktop computers.