Privacy Laws & HIPAA

The Aims of the HIPAA Privacy Laws

The HIPAA privacy laws were first passed in 2002 with the objective of safeguarding the confidentiality of patients’ healthcare data without obstructing the flow of information required to provide treatment. The HIPAA privacy laws govern who can have access to Protected Health Information (PHI), the conditions under which it can be used, and who it can be disclosed to.

The HIPAA privacy laws do not apply only to healthcare groups and the organizations they work for. The laws apply to any body that may have access to healthcare information about a patient that – if it were to fall into the wrong hands – could present a danger to the patient’s finances or reputation. Therefore health insurance groups, healthcare clearinghouses and employers that provide in-house health plans also have to comply with the HIPAA privacy laws.

The Information Safeguarded by HIPAA Privacy Laws

The information safeguarded by the HIPAA privacy laws is known as “Individually Identifiable Health Information”. This is any information that can show a patient’s identity in respect of:

  • The patient’s past, present or future physical or mental state
  • The provision of healthcare treatment to the patient
  • The past, current or future payment for the provision of healthcare treatment to the patient.

Because the protected data includes payment information, individually identifiable health data not only includes data such as names, dates of birth, Social Security numbers and telephone numbers, but also car registration numbers, credit card details, and even examples of a patient’s handwriting.

It is important for covered entities to note that the HIPAA privacy laws do not apply only to data saved in a written format. Images and videos that contain any individually identifiable health information are also protected by the HIPAA privacy laws.

If, for example, a healthcare provider took a photo of a patient’s wound – and the identity of the patient could be established from any distinguishing feature – the confidentiality and disclosure of the photograph would be subject to the conditions of the HIPAA privacy legislation.

PHI: What Does it Include?

The HIPAA privacy laws relating to PHI apply to every covered entity and every third-party service provider (or “Business Associate”) with whom the covered entity works. These are the only parties who should have access to PHI unless the patient gives authorization for it to be shared for research, marketing or fundraising purposes.

Sharing of PHI for the purposes of treatment, payment or healthcare operations must remain within a covered entity or Business Associate – unless the disclosure is required by law, is in the public’s best interests or is in the patient’s best interests (for instance, if the patient is a victim of child abuse, neglect or domestic violence).

Even then, the HIPAA privacy laws state that covered entities should adhere to the “Minimum Necessary Rule” – a rule that states the sharing of PHI should be limited to the minimum necessary to achieve the stated aim. Each request for disclosure should also be considered on a case-by-case basis, rather than granting a Business Associate access to PHI simply because it has been allowed access before.

PHI Disclosed Without Authorization

Each covered entity must implement safeguards to stop the unauthorized disclosure of PHI. These security measures will vary depending on the size of the covered entity and the nature of the healthcare it provides, but the fines for failing to safeguard the integrity of PHI can be very high. Healthcare groups that deliberately or negligently fail to adhere to the HIPAA privacy laws can be fined up to $50,000 per offence per day.

According to the Department of Health and Human Resources’ Office for Civil Rights, the most frequently reported cause of the unauthorized disclosure of PHI is the loss or theft of personal mobile devices and portable media devices (laptops, smartphones and USB flash drives). For this reason, many healthcare groups have chosen to put in place secure messaging solutions as replacements for insecure channels of communication such as SMS and email.

Secure messaging solutions encrypt PHI so that it is indecipherable and unusable should it be intercepted in transit, and they also have security mechanisms to ensure that PHI cannot be accidentally or maliciously shared outside of a covered entity’s private communications network or copied to a USB flash drive. In the event that a personal mobile device is lost or stolen, administrative controls are in place to remotely erase any PHI received by the device and lock the app used for secure messaging. These controls can also be applied to desktop computers.

Advantages of Secure Messaging Solutions

Secure messaging solutions comply not only with the HIPAA privacy laws, but also with the administrative, physical and technical requirements of the HIPAA Security Rule. This means that mechanisms are present to monitor secure messages and ensure 100% message accountability which, in turn, minimizes phone tag – the time wasted by healthcare professionals waiting for confirmation that a message has been received or for a response.

A recent article in CNN Money stated that phone tag costs the US healthcare sector over $7 billion each year and that the implementation of secure messaging solutions could accelerate healthcare processes like hospital admissions and patient discharges. Separate studies have also indicated that secure messaging accelerates communications, fosters collaboration and, when integrated with an EHR, reduces patient safety incidents and medication mistakes.

With secure messaging, the information safeguarded by the HIPAA privacy laws remains protected, only authorized users obtain access to PHI, and healthcare providers can communicate with the same speed and convenience as SMS or email, but without risking the unauthorized disclosure of PHI. Secure messaging meets the conditions of the HIPAA privacy laws about who can have access to PHI, the conditions under which it can be used, and who it can be shared with.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years’ experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown