What does HIPAA Protect?

What does HIPAA Protect? What kinds of information are covered by the Act, and why is it important that this data is protected? We will discuss the answers to those questions in this post.

HIPAA had many purposes when it was introduced, ranging from tax reform to expanding access to health insurance. However, it is now most well-known for its role in protecting patient privacy. 

To do this, HIPAA defines a set of information that all HIPAA Covered Entities and Business Associates (CE or BA, respectively) must commit to protecting. This information is called “Protected Health Information” and is essentially any individually-identifiable information that is created, stored, or transmitted by a CE or BA. The information may be related to a past, present, or future health condition, the provision of healthcare, or the payment for a past, present, or future condition. The format of the information does not matter: irrespective of whether it is verbal, physical, or electronic, PHI is protected under HIPAA.

What does it mean to be individually identifiable? It is any information that contains sufficient demographic or other data to identify the individual to whom it pertains. Names are a clear example, as are addresses and Social Security Numbers. HIPAA lists 18 identifiers, the presence of any one of which qualifies information as PHI:

  • Names 
  • Geographical identifiers smaller than ZIP codes
  • Dates (other than year) directly related to an individual
  • Phone Numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers
  • Website URLs
  • IP address numbers
  • Biometric identifiers
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

If information containing any of these identifiers were obtained by a malicious actor, the patient's safety would be threatened. They would be vulnerable to medical fraud and identity theft, which could ruin their credit rating or make it difficult for them to get treatment.

Another important factor is that it does not matter how “generic” a piece of information looks; all of these identifiers are weighted equally. The email address “12345@HIPAA.com” is considered just as much an identifier as “adam.johnson@HIPAA.com”. This is partly for practical reasons, but also because it does not actually take much effort to discover who the owner of 12345@HIPAA.com is.
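As an added illustration (not part of the original post), the scanner below checks free-text records for a handful of the 18 identifier categories listed above and treats a record as PHI whenever any category is present, so the “generic” address 12345@HIPAA.com is flagged exactly like a personal one. The regular expressions, the sample records and the category names are assumptions made for this example; they cover only a subset of the 18 identifiers and are not an authoritative PHI detector.

```python
import re

# Patterns for a subset of the HIPAA identifier categories discussed above.
# These are illustrative assumptions for this example, not a complete list.
IDENTIFIER_PATTERNS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone/fax number": re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "website URL": re.compile(r"\bhttps?://\S+"),
    # Any date more specific than a bare year counts as an identifier.
    "date (more specific than year)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def find_identifiers(text):
    """Return {category: [matched strings]} for every category found in text."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def is_phi(text):
    """A record is PHI if at least one identifier category appears in it.

    Every category is weighted equally: one generic-looking email address is
    enough, just as the post explains for 12345@HIPAA.com.
    """
    return bool(find_identifiers(text))


if __name__ == "__main__":
    # Constructed sample records; none describe a real person.
    records = [
        "Patient contact: 12345@HIPAA.com",
        "Seen 03/14/2021, call (555) 123-4567, portal login from 10.0.0.7",
        "Diagnosis: hypertension, age 54, state CA, year 2021",
    ]
    for record in records:
        hits = find_identifiers(record)
        status = "PHI" if hits else "no listed identifier"
        print(f"{status}: {record!r} -> {sorted(hits)}")
```

The third record is not flagged because a bare year, an age under 89 and a state-level location are not among the listed identifiers; real de-identification would also need to handle names, record numbers and the other categories the scanner omits.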

HIPAA has a set of Rules that stipulates how this protection must occur. The HIPAA Security Rule, for example, establishes a minimum set of administrative, technical, and physical safeguards that must be in place to protect all electronic health data. The Privacy Rule lays out administrative requirements needed to protect data, alongside a set of permitted uses and disclosures of PHI.