The HIPAA privacy guidelines were first published in 2002 with the aim of safeguarding the patient confidentiality without blocking the flow of information required to provide treatment. The guidelines defined what data should be thought of as Protected Health Information (PHI), who should be given access to it, when it could be disclosed, and for what reasons.
The HIPAA privacy guidelines apply to any body that may have access to information about a patient. Each entity has to put in place the necessary precautions to prevent the risk of harm to a patient´s finances or reputation if there was to be an unauthorized sharing of PHI. Therefore, the HIPAA privacy guidelines not only apply to healthcare suppliers and the groups they work for, but also health insurers, healthcare clearing houses and employers that provide in-house health plans.
The HIPAA privacy guidelines refer to PHI as any “individually identifiable health information” that individually or together could show a patient’s identity. Not only does this definition cover such information as name, address, ZIP code or telephone number, but also any information that could be linked to:
- the past, present or future physical or mental state of a patient,
- the treatment or healthcare service given to a patient, or
- the past, present, or future payment in relation to treatment or healthcare services to a patient.
Later, car registration numbers, health plan coverage, and even examples of a patient’s handwriting are incorporated in the HIPAA privacy guidelines for the definition of PHI – importantly, in image and video format as well as when saved in written format.
Therefore, if a medical worker took a photograph of a patient’s eczema in order to collaborate on the patient’s condition with co-workers – and the identity of the patient could be determined by a distinguishing feature – the photograph would be thought of as PHI by the HIPAA privacy guidelines.
The only people that should have be able to view PHI are employees of HIPAA covered entities. The disclosure of PHI without a patient’s authorization by employees of HIPAA covered entities is allowed for the reasons related to providing a healthcare service to the patient or for payment for the healthcare service.
The only other instances that PHI can be shared without a patient’s authorization is when it is required by law, required by the Office for Civil Rights as part of a HIPAA compliance audit, or when disclosure is in the public’s best interests or in the patient’s best interests – for example, if the patient is a victim of child abuse, neglect or domestic violence.
Even on those occasions – or when a patient has given their authorization for their PHI to be shared for research, fundraising or marketing reasons – the HIPAA privacy guidelines stipulate that covered entities have to adhere to the “Minimum Necessary Rule” and limit the amount of information given to the minimum necessary to achieve the stated aim.