The Health Insurance Portability and Accountability Act of 1996 sets out to ensure the security and privacy of patient data. But only a subset of health information is covered by HIPAA. It must be “individually identifiable health information”, which leads us to the question: what is individually identifiable health information? How can it be distinguished from other sorts of information? And why is it so important to protect?
Before answering “what is individually identifiable health information”, it would be useful to define what “health information” is in the context of HIPAA. In a nutshell, health information is any data that contains details of past, present, or future medical conditions (physical or mental), the treatments for those conditions, and the payment for those treatments.
Additionally, HIPAA only applies to health information that is created, received, maintained, or transmitted by a HIPAA Covered Entity or its Business Associate. Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions (claims, eligibility checks, and the like). A Covered Entity may enter into a Business Associate Agreement with a third party (which then becomes a Business Associate) that handles PHI while performing certain functions on the Covered Entity's behalf. Both Covered Entities and Business Associates have responsibilities under HIPAA.
So, that clarifies what health information is. But HIPAA's Privacy Rule applies explicitly to “protected health information”, or PHI: individually identifiable health information held by a Covered Entity or Business Associate. What makes health information individually identifiable is that it is linked to a person by one or more of the 18 identifiers listed in HIPAA's Safe Harbor de-identification standard (45 CFR 164.514(b)): pieces of demographic, social, and economic information about the individual, or about their relatives, employers, or household members, that can be used to trace the identity of that individual.
The 18 identifiers are as follows:
- Full name or last name and initial(s)
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and their equivalent geocodes), except the initial three digits of a ZIP code, provided the area formed by combining all ZIP codes with those three initial digits contains more than 20,000 people according to current Census data. Where the area covered by a three-digit prefix contains 20,000 or fewer people, the prefix is changed to 000
- All elements of dates (except year) directly related to an individual, such as birth date, admission date, discharge date, and date of death; also all ages over 89, and any date elements (including year) that would reveal such an age, although those ages may be aggregated into a single category of 90 or older
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- IP addresses
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except a re-identification code assigned by the Covered Entity (or, in research, the investigator), provided the code is not derived from information about the individual and the means of re-identification is not disclosed
It goes without saying that these identifiers are very sensitive in nature. If a criminal accessed them, they could be used for identity theft or insurance fraud, leaving the patient vulnerable to the consequences of both of these acts. It is because of this threat, and others, that HIPAA has so many requirements in place to safeguard a patient’s identifiable information.
However, it is possible to “de-identify” PHI. HIPAA recognizes two methods. Under the Safe Harbor method, all 18 identifiers listed above are removed or generalized as described, and the Covered Entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. Under the Expert Determination method, a qualified expert documents that the risk of re-identifying the individual from the remaining data is very small. Data de-identified by either method is no longer considered PHI and is therefore not protected by HIPAA, though a Covered Entity that re-identifies it (for example, with a retained re-identification code) brings it back within the rules.
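The Safe Harbor transformations above are mechanical enough to be coded. The following Python filter is an added example written for this page, not part of the original article or any HIPAA reference implementation. The field names, the sample records, and the list of restricted three-digit ZIP prefixes are assumptions for illustration; a real filter would take the restricted prefixes from current Census population data and would also need to handle free-text fields, which can hide any of the 18 identifiers.

```python
import re
from datetime import date

# ASSUMPTION: placeholder set of 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. Safe Harbor requires these to be replaced by "000". The real
# set must come from current Census data, so do not treat this list as authoritative.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# ASSUMPTION: field names used by this example. They correspond to the direct
# identifiers in the Safe Harbor list and are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account", "license", "vin", "device_serial", "url", "ip",
    "biometric", "photo",
}

# Date fields that are reduced to the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Keep the 3-digit ZIP prefix, or "000" if the prefix covers <= 20,000 people."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed or missing ZIP: the safe choice is to drop it
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record, as_of):
    """Return a copy of record with the Safe Harbor identifiers removed or generalized.

    Direct identifiers are dropped, ZIP codes are truncated to 3 digits (or 000),
    dates are reduced to year, and ages over 89 collapse to "90+". For a person
    over 89 even the birth year is suppressed, because it would reveal the age.
    """
    out = {}
    dob = record.get("dob")
    over_89 = isinstance(dob, date) and age_on(dob, as_of) > 89

    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if isinstance(value, date):
                suppress_year = key == "dob" and over_89
                out[key + "_year"] = None if suppress_year else value.year
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value  # clinical content (diagnoses, labs) is kept

    if over_89:
        out["age"] = "90+"
    return out


# Constructed sample input, not real patient data.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "03601-1234",
     "dob": date(1930, 5, 1), "admit_date": date(2023, 11, 2), "diagnosis": "I10"},
    {"name": "John Roe", "email": "john@example.com", "zip": "94110",
     "dob": date(1980, 3, 15), "age": 43, "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(safe_harbor(rec, AS_OF))
```

Running the script prints one de-identified dictionary per sample record: the first keeps only `zip3` of `"000"`, the admission year, a suppressed birth year, an age of `"90+"`, and the diagnosis; the second keeps `zip3` of `"941"`, the birth year 1980, age 43, and the diagnosis. Note that Safe Harbor is necessary but not sufficient: the "no actual knowledge" condition still has to be met, and rare diagnoses combined with a three-digit ZIP and a year can remain re-identifiable, which is where Expert Determination applies.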