When the Health Insurance Portability and Accountability Act was enacted in 1996, one of its main goals was to protect patient privacy. To achieve this goal, several subsequent “Rules” were added under the Act. One, the HIPAA Privacy Rule, stipulates how and when patient information may be used and disclosed; another, the HIPAA Security Rule, lays out the safeguards required to keep electronic versions of these records safe. But what information is protected?
HIPAA protects individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA Covered Entity (CE) or its Business Associate (BA). The information must relate to an individual’s past, present, or future health condition, the healthcare provided to them, or payment for that healthcare. This is what the Privacy Rule calls Protected Health Information (PHI).
The types of data that are protected include diagnoses, test results, prescriptions, and so on. These must be “individually identifiable”; that is, it must be possible to trace them back to a specific person.
Identifiers are essentially any demographic data that can be used to trace the identity of an individual.
The 18 “HIPAA Identifiers” (the list used by the Privacy Rule’s “Safe Harbor” de-identification method, all of which must be removed for data to count as de-identified) are as follows:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code)
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
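As an added example (not part of the original article), the following Python scanner shows how a data-loss-prevention or de-identification pass might operationalize the list above: it flags the identifier categories that can be recognized by pattern in free text, reduces dates to the year, and treats configured fields such as `name` as identifiers regardless of content. The regexes, field names, and sample record are constructed for illustration and are assumptions; they are not a complete or legally sufficient Safe Harbor implementation (names in free text, geography, biometrics, and photos need field-level handling or a separate NER/DLP step).

```python
"""Illustrative Safe Harbor-style identifier scanner (added example).

The patterns below are constructed for demonstration and cover only the
identifier categories that a regex can recognize. They are assumptions,
not an exhaustive de-identification method.
"""
import re
from typing import Dict, List, Tuple

# Pattern-recognizable identifier categories (constructed, illustrative regexes).
PATTERNS: Dict[str, re.Pattern] = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Lazy match with a lookahead so trailing sentence punctuation is not swallowed.
    "url":   re.compile(r"https?://[^\s]+?(?=[.,;]?(?:\s|$))", re.IGNORECASE),
    "mrn":   re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    # Any full date is an identifier; Safe Harbor allows only the year to remain.
    "date":  re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b"),
}

# Fields that are identifiers by definition, whatever their content
# (hypothetical field names chosen for this example).
DIRECT_IDENTIFIER_FIELDS: Dict[str, str] = {
    "name": "name",
    "address": "geography",
    "photo": "photo",
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) for every pattern hit, in text order."""
    hits = []
    for cat, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((m.start(), cat, m.group(0)))
    hits.sort()
    return [(cat, val) for _, cat, val in hits]


def redact(text: str) -> str:
    """Replace each pattern hit with a category tag; dates keep only the year."""
    out = text
    for cat, rx in PATTERNS.items():
        if cat == "date":
            out = rx.sub(r"\1", out)      # 2024-03-15 -> 2024
        else:
            out = rx.sub(f"[{cat.upper()}]", out)
    return out


def scan_record(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each field of a record to the identifier categories found in it.

    Direct-identifier fields are flagged by name; every field is also scanned
    for pattern-recognizable identifiers.
    """
    findings: Dict[str, List[str]] = {}
    for field, value in record.items():
        cats: List[str] = []
        if field in DIRECT_IDENTIFIER_FIELDS:
            cats.append(DIRECT_IDENTIFIER_FIELDS[field])
        cats.extend(sorted({c for c, _ in find_identifiers(value)}))
        if cats:
            findings[field] = cats
    return findings


def is_phi(record: Dict[str, str]) -> bool:
    """A record is PHI once any identifier is present alongside health data."""
    return bool(scan_record(record))


# Constructed sample clinical note and record (not real data).
SAMPLE_NOTE = (
    "Pt Jane Smith, MRN 00412345, DOB 1984-07-09, seen 2024-03-15. "
    "Call 555-123-4567 or jane.smith@example.com. SSN 123-45-6789. "
    "Portal login from 192.0.2.10 via https://portal.example.org/visit."
)
SAMPLE_RECORD = {
    "name": "Jane Smith",
    "diagnosis": "Type 2 diabetes",
    "note": SAMPLE_NOTE,
}

if __name__ == "__main__":
    print(scan_record(SAMPLE_RECORD))
    print(redact(SAMPLE_NOTE))
```

Note what the scan does and does not catch: the diagnosis field on its own yields nothing, but the same record is PHI because the `name` field and the note carry identifiers. The name inside the free-text note is not caught by any regex, which is why a real de-identification pipeline pairs pattern matching with field-level policy and, for prose, a named-entity step.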
Any information held by a CE or BA, irrespective of its format, that contains health data together with one or more of these identifiers must be protected under HIPAA. If this information is accessed by unauthorized individuals, it leaves patients vulnerable to identity theft or fraud. Being the victim of such crimes can damage a patient’s credit score or cause their insurance premiums to increase. This is what makes PHI so valuable on the black market.
Importantly, it does not matter how common the identifier is: a Jane Smith from New York City is protected exactly as much as a Jane Smith from Geneva, New York. It would be impracticable for HIPAA to distinguish between the two, and in practice it takes only a little more effort to single out the patient in the bigger city once her record is combined with any other identifier.
PHI must not be disclosed unless the disclosure is permitted by the HIPAA Privacy Rule. To ensure that PHI is disclosed properly, all employees who handle it should be trained in HIPAA compliance.