Many patients will be aware of HIPAA, and know that it guarantees some protections for their privacy, but what is covered under HIPAA? What kinds of information are safeguarded by the Act?
Despite its strong associations with patient privacy, only one section (Title II) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is concerned with healthcare data. The remainder of the Act covers tax provisions, expanding access to healthcare to those with pre-existing conditions, or the portability of health plans between jobs.
When Title II was first enacted, its aim was to prevent healthcare fraud and streamline healthcare administration. However, since 1996, it has expanded to contain six “Rules” that cover different topics. The Privacy Rule was enacted in 2002, and defines Protected Health Information as individually-identifiable information that concerns the past, current, or future health status of a patient. Additionally, PHI must be created, transmitted, or maintained by a HIPAA-covered entity and relate to the treatment of a patient, payment for that treatment, or other healthcare operations. The format (be it verbal, written, or electronic) does not matter – all PHI is covered by HIPAA.
HIPAA outlines 18 pieces of information (“identifiers”) that, if contained in health data, render it PHI. These pieces of information could reasonably be used to discover the identity of the individual; if they are removed from the data, the data is considered to be “anonymised” and is no longer PHI. The identifiers are as follows:
- Names (full name, or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code, provided that, according to the current publicly available data from the U.S. Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
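As an added example (not part of the original article), the following Python filter applies the treatment the list above describes: direct identifiers are dropped, dates directly related to the individual are reduced to the year, and zip codes are truncated to their first three digits, with low-population prefixes collapsed to 000. Because the 18th identifier covers “any other unique identifying code”, the filter keeps only an allowlist of fields rather than trying to enumerate everything to remove. The field names and the low-population prefix set are constructed placeholders; the real prefixes must be taken from current Census data.

```python
import re
from datetime import date

# Constructed placeholder. The real set of three-digit zip prefixes whose combined
# population is 20,000 or fewer must be taken from current U.S. Census data.
LOW_POPULATION_ZIP3 = {"036", "059"}

# Allowlist: fields that may survive unchanged (constructed names for this example).
RETAIN_AS_IS = {"diagnosis", "lab_result"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the three-digit zip prefix; map low-population prefixes to '000'."""
    digits = re.sub(r"\D", "", zip_code or "")[:5]
    if len(digits) < 3:
        return "000"  # malformed or too short: treat as restricted rather than leak it
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix

def safe_harbor_date(value) -> str:
    """Reduce a date directly related to the individual to its year only."""
    if isinstance(value, date):
        return str(value.year)
    m = re.match(r"^\s*(\d{4})-\d{2}-\d{2}", str(value))
    if not m:
        # Refuse to guess: an unparsed date could pass through with day and month intact.
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)

# Fields that are kept only after transformation (constructed names for this example).
TRANSFORM = {
    "zip": safe_harbor_zip,
    "dob": safe_harbor_date,
    "admit_date": safe_harbor_date,
}

def deidentify(record: dict) -> dict:
    """Return a copy of record containing only allowlisted or transformed fields.

    Anything not explicitly allowed (names, SSNs, MRNs, emails, free-text notes,
    unknown codes) is dropped, which is the safe default for identifier 18.
    """
    out = {}
    for field, value in record.items():
        if field in RETAIN_AS_IS:
            out[field] = value
        elif field in TRANSFORM:
            out[field] = TRANSFORM[field](value)
        # every other field is discarded
    return out
```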
HIPAA covers all healthcare providers, healthcare clearinghouses, and health plans (all termed “covered entities”) and their business associates. If any of these entities fails to protect PHI, it is considered to be in violation of HIPAA and will face penalties from the Department of Health and Human Services.