Although the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, the HIPAA Privacy Rule wasn’t added to the regulation until 2002. The HIPAA Privacy Rule was created to ensure the confidentiality of protected health information (PHI). The HIPAA Privacy Rule provides industry standards for the proper use and disclosure of PHI, including who should have access to PHI.
What is Protected Health Information?
To understand the HIPAA Privacy Rule, it is important to know what is considered protected health information (PHI) under the HIPAA regulation. The Department of Health and Human Services (HHS) considers the following 18 identifiers to be PHI:
- Patient names
- Geographical elements (such as a street address, city, county, or zip code)
- Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full face photographic images
- Other identifying numbers or codes
It may be surprising that some of these items, such as IP addresses, are PHI; however, all of the above-listed items are considered “individually identifiable health information.” This means that the information can be directly tied back to a specific patient.
What Did the HIPAA Privacy Rule Establish?
The HIPAA Privacy Rule established several standards including:
- Permitted Use and Disclosure of PHI: A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the HIPAA Privacy Rule.
- The Minimum Necessary Rule: A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
- Notice of Privacy Practices: The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity.
- Privacy Policies and Procedures: A covered entity must develop and implement written privacy policies and procedures that are consistent with the HIPAA Privacy Rule.
- Privacy Personnel: A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
- Workforce Training and Management: All workforce members must be trained on an organization’s privacy policies and procedures.
- Data Safeguards: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.
- Documentation and Record Retention: A covered entity is required to retain its privacy policies and procedures, its privacy practices notices, and its records of the disposition of complaints for six years.