Objectives of HIPAA Privacy Laws
HIPAA privacy laws were introduced in 2002 with the goal of ensuring the privacy of patients’ medical data without hampering the exchange of patient data required to provide medical services to patients. The HIPAA privacy laws regulate who can access Protected Health Information (PHI), the terms under which it can be utilized, and to whom it can be shared with.
The HIPAA privacy laws are not just applicable to healthcare companies and organizations. The laws are also applicable to any entity that a HIPAA-covered entity authorizes to access patients’ healthcare data (termed business associates under HIPAA)
HIPAA privacy laws ensure that patient data cannot be accessed by unauthorized individuals. Patients must give their consent before their personal health information is shared for reasons other than treatment, payment for healthcare services, or use for healthcare operations, and patients also have the right to obtain copies of their health data.
Data Protected by HIPAA Privacy Laws
The data secured by HIPAA privacy laws is referred to as Personally Identifiable Information (PII) and Protected Health Information (PHI) – Information that could expose a patient´s identity such as:
- Information about the patient’s past, current or future mental or physical condition
- Information relating to medical treatment and medical services provided to the patient
- Information about past, current, or future payments for healthcare services
Individually identifiable health information is not restricted to information like names, birth dates, Social Security numbers, and phone numbers, but also credit card details, car registration numbers and even specimens of a patient’s handwriting.
HIPAA privacy laws apply to written information and electronic information, even photographs and videos. If, for instance, a healthcare company took a photograph of a patient’s wound and the patient’s identity can be determined from distinguishing features – a tattoo or birthmark for instance – the photograph would be covered and protected by HIPAA privacy laws.
The HIPAA privacy laws regarding PHI are applicable to each covered entity and each third party service provider or Business Associate that the covered entity does business with. PHI disclosure for reasons of treatment, healthcare operations or payment should be restricted between a covered entity or Business Associate – except if the disclosure is mandated by law or if the disclosure is in the best interests of the public or the patient.
Even when disclosures of PHI are permitted by the HIPAA Privacy Rule, sharing of PHI must be limited to the minimum necessary amount to achieve the purpose for which the information is disclosed. Every request for disclosure of PHI ought to be evaluated on a case-to-case basis. It is not permitted to give PHI access to a Business Associate because they were permitted access in the past.
Unauthorized PHI Disclosures
Every covered entity needs to implement safety measures to avoid unauthorized PHI disclosures. These safety measures will differ based upon the covered entity’s size and the nature of medical care provided. The fines for the failure to ensure the confidentiality, integrity, and availability of PHI are substantial. Healthcare companies that intentionally or negligently disclose PHI, in violation of HIPAA privacy laws, could be penalized as much as $50,000 per instance up to a maximum of $1.5 million, per violation category, per year.
As detailed on the Department of Health and Human Services’ Office for Civil Rights breach portal, the most frequent causes of unauthorized PHI disclosure are the loss or theft of portable devices such as USB flash drives, laptops and smartphones, and hacking incidents.
One of the best ways of avoiding these privacy breaches is the use of encryption. Encryption renders PHI indecipherable unless the key to decrypt the PHI is also compromised. Encryption is not mandatory under HIPAA, but it is recommended. If encryption is not used, alternative measures must be implemented to safeguard ePHI that provide an equivalent level of protection as encryption.