HIPAA Rules protect all individually identifiable health information that is held or shared by a HIPAA covered entity or business associate.
The Department of Health and Human Services' Office for Civil Rights states that there are 18 identifiers that make health information personally identifiable. When any of these data elements is included in a data set, the data is considered protected health information (PHI) and is subject to the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
The following data is protected under HIPAA Rules:
What are the Permissible Uses and Disclosures of Protected Health Information?
Ensuring that policies and procedures are developed and implemented to limit the uses and disclosures of PHI is an essential element of HIPAA compliance. If health information is used for purposes not permitted by the HIPAA Privacy Rule, or is deliberately disclosed to individuals not authorized to receive it, the covered entity or individual responsible may face financial penalties.
HIPAA allows protected health information to be used for healthcare operations, treatment, and payment for healthcare services. Information may be passed to third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate. A covered entity may only share PHI with another covered entity if the recipient has, or previously had, a treatment relationship with the patient and the PHI is linked to that relationship. In the case of a disclosure to a business associate, a business associate agreement must first have been executed. In all cases, the minimum necessary standard applies: disclosures must be restricted to the minimum information necessary for the recipient to accomplish the intended purpose.
Does HIPAA Forbid All Other Uses of PHI?
HIPAA does not forbid all other uses of PHI. PHI can be used for marketing campaigns, can be provided to research groups, and can even be sold by a healthcare organization. However, before any use or disclosure of health information that is not expressly permitted by the HIPAA Privacy Rule, one of the following two steps must be taken:
- A HIPAA authorization must be obtained from the patient, in writing, permitting the covered entity or business associate to use the data for a specific purpose not otherwise allowed under HIPAA Rules.
- The health information must be stripped of all identifiers that could allow the patient to be identified.