Hopefully, all those who work in the healthcare industry will be aware of their duties under HIPAA. Primarily, they are required to ensure that the security and integrity of patients’ private data (Protected Health Information, or PHI) are maintained. However, there may be some confusion regarding the disclosure of PHI. The flow of information is obviously essential to ensure that patients receive the correct care. But what information can be shared without violating HIPAA?
The HIPAA Privacy Rule defines a set of “Protected Health Information” which cannot be disclosed or used outside of particular circumstances. PHI is defined as any information relating to the past, present, or future medical condition of a patient, the treatments for the condition, or healthcare-related payments. Additionally, the information must be created or received by a HIPAA Covered Entity (CE) or their Business Associates (BA). Broadly, CEs are healthcare providers, healthcare clearinghouses, or health plans. Business Associates are third parties that have been granted access to PHI via a Business Associate Agreement in order to carry out certain actions.
Crucially, PHI must also include a “HIPAA Identifier”. These identifiers are pieces of demographic, economic, or other information that can be used to trace the identity of an individual. The identifiers are important as, if malicious individuals access them, they could be used to steal a patient’s identity or commit insurance fraud. The sensitive nature of these data also leave the patient vulnerable to discrimination or social exclusion.
The 18 HIPAA identifiers are as follows:
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state (with some exceptions; CEs can use the first three digits of a ZIP code, for example)
- Dates (other than year) directly related to an individual (e.g. birthday)
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
It is important to note that there is no distinction made in HIPAA about how “vague” these identifiers are. A person named John Smith in a city of 100,000 is as equally protected as a John Smith who lives in a town of 50, even though the latter is ostensibly more readily identifiable.
Any data that does not meet the definitions can be shared without violating HIPAA. This allows for greater use of PHI in research and other activities.
Anything that does, however, is subject to the stringent use and disclosure rules laid out in the HIPAA Privacy Rule and must be protected by the safeguards established in the HIPAA Security Rule. For example, under the Minimum Necessary Rule Standard(part of the Privacy Rule), only the information required to carry out a certain action should be disclosed. So, if a patient is paying for a particular procedure, and the accounts department receives the patient’s full medical history, this would be a HIPAA violation. Similarly, if PHI was being shared via email, but someone who did not need to access the PHI for the task at hand was copied in, that would also be a HIPAA violation.
However, it is possible to alter PHI such that it is no longer subject to HIPAA. In a process called “de-identification”, the HIPAA identifiers are removed from the health information. This anonymises the data, meaning that is no longer considered to be PHI and, therefore, no longer subject to HIPAA. There are two main means of de-identification: Safe Harbor de-identification (as described above), or “expert determination”. In the latter, it is not necessary for all data points to be removed, but enough that an expert would deem the possibility of identifying an individual as vanishingly low.
So, what information can be shared without violating HIPAA? Firstly, any data that does not meet the definition of PHI outlined above. Secondly, any information that is required to carry out the task at hand (adhering to the Minimum Necessary Rule). And finally, any data that was once considered to be PHI, but has since been de-identified. Employees should be aware of these categorizations to prevent any unauthorized access to PHI.