To find the answer to the question what information does the HIPAA law protect, you have to look beyond the text of the Health Insurance Portability and Accountability Act and review the Privacy Rule that emerged from the Administrative Simplification provisions of the Act.
The HIPAA law consisted of five titles and mostly related to ensuring employees had access to health care via group and individual health insurance, that their access to health care was portable between jobs, and that they would not be discriminated against when renewing their health insurance coverage because of a pre-existing condition.
Because of the costs to health plans of complying with HIPAA, measures were included in Title II of the Act to reduce fraud in the industry and simplify the administration of health insurance processes (eligibility checks, treatment authorizations, claims billing, etc.). One of these measures was the Administrative Simplification provisions.
The Administrative Simplification provisions instructed the Secretary of Health and Human Services (HHS) to promulgate standards for the privacy of individually identifiable health information. These standards became known as the Privacy Rule, and it is within the Privacy Rule that you find the answer to the question of what information the HIPAA law protects – starting with health information.
What is Protected Health Information?
Protected Health Information (or PHI) is defined as individually identifiable health information […] transmitted by or maintained in electronic media or any other form or medium that:
- Relates to the past, present, or future physical or mental health or condition of an individual,
- Or the provision of health care to an individual,
- Or the past, present, or future payment for the provision of health care to an individual,
- AND that identifies the individual or can be used to identify the individual.
Information that relates to a patient's condition, treatment for the condition, or payment for the treatment is usually kept together in a “designated record set”. A patient (or plan member) can have more than one designated record set per healthcare facility, and designated record sets – or parts thereof – can only be disclosed to third parties for “permissible uses and disclosures”.
Other than for permissible uses and disclosures, healthcare organizations and health insurance companies are not allowed to use or disclose Protected Health Information without the written authorization of the patient/plan member, unless the disclosure is to the patient/plan member or to HHS' Office for Civil Rights. This is how the HIPAA law protects health information.
What other Information Does the HIPAA Law Protect?
In addition to health information, a designated record set often holds a lot of non-health information. Typically, an individual's designated record set will include their name, date of birth, address, telephone number, and/or email address. It may also include a social security number, medical record number, or health plan beneficiary number.
Outside of a designated record set, this non-health information is not protected by HIPAA law, because the Privacy Rule only protects the privacy of individually identifiable health information collected, received, maintained, or transmitted by a Covered Entity or Business Associate. However, once included in a designated record set that contains individually identifiable health information, the non-health information assumes the same level of HIPAA protection as the health information.
Protected non-health information is usually referred to as an “identifier” because it can be used separately or together with other information to identify the subject of the health information. However, it is important not to rely on the “18 HIPAA identifiers” listed under §164.514 of the Privacy Rule, as these were written more than twenty years ago. It is better to consider any identifying piece of information maintained in a designated record set protected by HIPAA law.