One of the principal purposes of HIPAA is to ensure the privacy of patients is protected by making sure that particular types of data are secured and are not shared with unauthorized persons, but what data does the HIPAA law protect?
HIPAA laws secure all individually identifiable health information that a HIPAA-covered entity or business associate creates, stores or transmits. Individually identifiable health information is health information that includes one or more of 18 identifiers. Whenever these identifiers are included, the data is regarded as protected health information (PHI) and is covered by the HIPAA Privacy, Security and Breach Notification Rules.
The following 18 data elements would allow a person to be identified from their health data:
- Addresses (which include subdivisions less than the size of a state, for example zip code, street, city and county)
- Dates (not including years) directly connected to a person, for example birthdays, dates of admission/discharge, death date, and ages of persons over 89
- Email addresses
- Phone numbers
- Fax numbers
- Social Security numbers
- Health plan beneficiary numbers
- Medical record numbers
- Certificate and license numbers
- Device identifiers and serial numbers
- Vehicle identifiers
- Account numbers
- IP addresses
- Website URLs
- Biometric data, such as iris and retina scans, fingerprints, and voice prints
- Full-facial pictures and other images that would identify a patient
- Other distinct identifying numbers, features, or codes
Allowable Uses and Disclosures of PHI
Policies and procedures need to be created and implemented to control PHI uses and disclosures. This is an essential part or compliance with the HIPAA Privacy Rule. When health data is used in ways not allowed by the HIPAA Privacy Rule, or is intentionally shared with persons not authorized to view or receive the data, the covered entity or person responsible may face financial penalties. In certain cases, HIPAA Privacy Rule violations may result in criminal charges.
HIPAA permits the use of PHI for healthcare operations, treatment and payment processing for healthcare services. Patient data may be shared with third parties for the previously mentioned purposes, as long as there is a relationship between the recipient and the disclosing covered entity. If a covered entity is sharing PHI with another covered entity, the recipient should have a previous or current treatment relationship with the patient and the PHI should be linked to that relationship. When it comes to a disclosure to a business associate, there must be a business associate agreement (BAA) in place before any PHI is disclosed. In all instances, the minimum standard requirement applies. Disclosed information should be limited to the minimum required to allow the recipient to accomplish the desired purpose of use.
Limitation of PHI Uses
HIPAA doesn’t forbid utilizing PHI for other purposes such as marketing and research. A healthcare organization can even sell PHI. However, two possible steps must be taken before using or disclosing health information for purposes not expressly allowed by the HIPAA Privacy Rule:
The patient must give their written authorization allowing the covered entity or business associate to use of his/her data for purposes not normally allowed under HIPAA or all of the above 18 identifiers must be removed from the health data before disclosure.