Under HIPAA, healthcare professionals can share patient information without violating HIPAA rules for the purposes of providing treatment, facilitating payment, conducting healthcare operations, participating in public health activities, reporting victims of abuse, neglect, or domestic violence, complying with health oversight activities like audits and inspections, for judicial and administrative proceedings, for law enforcement purposes, for research under certain conditions, to avert serious threats to health or safety, for workers’ compensation claims, and when a patient or their representative has given explicit consent. Hopefully, all those who work in the healthcare industry will be aware of their duties under HIPAA. Primarily, they are required to ensure that the security and integrity of patients’ private data (Protected Health Information, or PHI) are maintained. However, there may be some confusion regarding the disclosure of PHI. The flow of information is obviously essential to ensure that patients receive the correct care. But what information can be shared without violating HIPAA?
The HIPAA Privacy Rule defines a set of “Protected Health Information” which cannot be disclosed or used outside of particular circumstances. PHI is defined as any information relating to the past, present, or future medical condition of a patient, the treatments for the condition, or healthcare-related payments. Additionally, the information must be created or received by a HIPAA Covered Entity (CE) or their Business Associates (BA). Broadly, CEs are healthcare providers, healthcare clearinghouses, or health plans. Business Associates are third parties that have been granted access to PHI via a Business Associate Agreement in order to carry out certain actions.
Crucially, PHI must also include a “HIPAA Identifier”. These identifiers are pieces of demographic, economic, or other information that can be used to trace the identity of an individual. The identifiers are important as, if malicious individuals access them, they could be used to steal a patient’s identity or commit insurance fraud. The sensitive nature of these data also leave the patient vulnerable to discrimination or social exclusion.
The 18 HIPAA identifiers are as follows:
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state (with some exceptions; CEs can use the first three digits of a ZIP code, for example)
- Dates (other than year) directly related to an individual (e.g. birthday)
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
It is important to note that there is no distinction made in HIPAA about how “vague” these identifiers are. A person named John Smith in a city of 100,000 is as equally protected as a John Smith who lives in a town of 50, even though the latter is ostensibly more readily identifiable.
Any data that does not meet the definitions can be shared without violating HIPAA. This allows for greater use of PHI in research and other activities.
Anything that does, however, is subject to the stringent use and disclosure rules laid out in the HIPAA Privacy Rule and must be protected by the safeguards established in the HIPAA Security Rule. For example, under the Minimum Necessary Rule Standard(part of the Privacy Rule), only the information required to carry out a certain action should be disclosed. So, if a patient is paying for a particular procedure, and the accounts department receives the patient’s full medical history, this would be a HIPAA violation. Similarly, if PHI was being shared via email, but someone who did not need to access the PHI for the task at hand was copied in, that would also be a HIPAA violation.
However, it is possible to alter PHI such that it is no longer subject to HIPAA. In a process called “de-identification”, the HIPAA identifiers are removed from the health information. This anonymises the data, meaning that is no longer considered to be PHI and, therefore, no longer subject to HIPAA. There are two main means of de-identification: Safe Harbor de-identification (as described above), or “expert determination”. In the latter, it is not necessary for all data points to be removed, but enough that an expert would deem the possibility of identifying an individual as vanishingly low.
So, what information can be shared without violating HIPAA? Firstly, any data that does not meet the definition of PHI outlined above. Secondly, any information that is required to carry out the task at hand (adhering to the Minimum Necessary Rule). And finally, any data that was once considered to be PHI, but has since been de-identified. Employees should be aware of these categorizations to prevent any unauthorized access to PHI.
| Reason for Disclosure | Description |
|---|---|
| Treatment | Medical professionals can share information as needed to diagnose, treat, and provide medical care to a patient. This can involve consulting with other healthcare providers or referring the patient to another doctor. |
| Payment | Healthcare providers can share information with insurance companies or other financial entities to facilitate payment for services rendered. |
| Healthcare Operations | This covers activities such as administrative, financial, legal, and quality improvement activities necessary to run the business and support the core functions of treatment and payment. |
| Public Interest | Certain disclosures are allowed for public interest and benefit activities, such as for public health activities, abuse or neglect reporting, health oversight activities, and judicial and administrative proceedings. |
| Patient Authorization | If a patient gives explicit consent, their health information can be shared as they direct. |
What is the HIPAA Minimum Necessary Rule?
The HIPAA “Minimum Necessary Rule” is a key protection within the Privacy Rule that requires covered entities and their business associates to limit Protected Health Information (PHI) use, disclosure, and requests to the minimum necessary to accomplish the intended purpose. Essentially, healthcare providers and associated parties should only access, share, or request the least amount of sensitive information needed to perform a task, whether that’s treating a patient, billing for services, or carrying out any other healthcare operation. This rule is a cornerstone of maintaining patient privacy and data security, but it does not apply to all situations. For instance, disclosures to or requests by a healthcare provider for treatment purposes, disclosures to the individual who is the subject of the information, and uses or disclosures made pursuant to an individual’s authorization are not subject to the minimum necessary rule. Implementing this rule typically involves developing policies and procedures that limit who can access PHI, under what circumstances PHI can be shared, and how much information each person or entity can access, ensuring that every disclosure is justifiable and appropriate.
PHI can be shared for treatment, where medical professionals exchange information to provide optimal care. PHI is also shared for payment purposes, such as when a healthcare provider bills an insurance company, including details about the patient and services provided. HIPAA allows PHI disclosure for healthcare operations, which includes activities like quality assessment, training programs, and audits. Certain disclosures for public interest are permitted, like reporting specific diseases to public health authorities. With a patient’s explicit authorization, PHI can be shared according to their wishes. All these disclosures must follow HIPAA’s “minimum necessary rule,” which stipulates that only the minimum amount of PHI needed should be used, disclosed, or requested to accomplish the intended purpose, helping to prevent unnecessary exposure of patient information.