What Information is Protected by HIPAA?

HIPAA protects a broad range of health-related data, known as Protected Health Information (PHI), including any information linked to an individual, as defined by 18 specified identifiers, and applies exclusively to patient or health plan subscriber information, excluding details found in educational and employment records unless held by a HIPAA-covered entity in its employer capacity, with PHI losing its status when all identifiers are stripped, exempting it from HIPAA Privacy Rule restrictions. This strict regulatory framework aims not only to safeguard individual health data but also to promote trust in the healthcare system by ensuring the secure handling of sensitive information. The 18 specified identifiers are important in outlining the scope of PHI, ranging from key details like names and dates to more sensitive elements such as Social Security numbers and biometric data.

PHI Identifier Categories:

  1. Names
  2. Geographic identifiers
  3. Dates related to individuals
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photographs
  18. Any other unique identifying numbers, characteristics, or codes

It is important to note that PHI is restricted to information on patients or health plan subscribers. Educational and employment records are explicitly excluded from the purview of HIPAA unless they contain health information held by a HIPAA-covered entity in its role as an employer. PHI is only considered as such when an individual could be identified from the information. If all 18 identifiers are removed, the data no longer falls under the category of protected health information, and HIPAA’s privacy restrictions cease to apply. Not all health information falls under PHI as defined by HIPAA. Health information is not PHI when held by entities outside HIPAA’s jurisdiction, like schools under FERPA or employers managing employment records. Employers with self-funded health plans must separate employment and health records. Exceptions exist, notably for personal health device entities, not initially covered by HIPAA but obliged to follow the Breach Notification Rule in case of a breach. This complexity emphasizes the need for HIPAA training for both medical and non-medical workforce members to appropriately manage PHI, particularly when state laws offer greater protections.

How Must HIPAA Protected Health Information be Safeguarded?

The HIPAA Security Rule outlines the obligations of covered entities to protect against reasonably anticipated threats to the security of PHI. While the rule does not prescribe specific technologies, it mandates the implementation of safeguards to ensure the confidentiality, integrity, and availability of PHI. These safeguards span three key areas:

  1. Physical Safeguards: Measures include securing physical records and electronic devices containing PHI through lock and key systems.
  2. Technical Safeguards: This involves the use of technology solutions such as encryption software and firewalls to secure electronic PHI.
  3. Administrative Safeguards: Implementation of policies, procedures, and practices to manage the access to and use of PHI. This also includes security awareness training for personnel.

HIPAA-covered entities have the discretion to determine the precise safeguards based on their unique circumstances and technologies in use.

Why Must HIPAA Be Protected?

Compliance with HIPAA is mandatory for those working in healthcare or engaging in business with healthcare clients requiring access to health data. The HIPAA Security Rule imposes a duty to establish safeguards ensuring the confidentiality, integrity, and availability of PHI. The HIPAA Privacy Rule also restricts the use and sharing of PHI. Failure to comply with these rules can result in severe consequences. Financial penalties may be imposed for breaching any aspect of the HIPAA Privacy and Security Rules, and criminal penalties are also possible for serious violations. Ignorance of HIPAA law is not a valid defense, emphasizing the importance of strict adherence to these regulations in the healthcare sector. The list of violation consequences includes:

  1. Financial Penalties: Violations of the HIPAA Privacy and Security Rules can lead to monetary fines. The penalties vary based on the severity of the violation and the entity’s level of negligence. Fines may be imposed per violation, and the total amount can increase greatly for repeated or willful violations.
  2. Civil Monetary Penalties (CMPs): HIPAA authorizes the imposition of civil monetary penalties for non-compliance. These penalties are assessed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and are categorized into different tiers based on the level of culpability.
  3. Criminal Penalties: In cases of willful neglect or intentional unauthorized disclosure of PHI, criminal penalties can be enforced. Individuals found guilty may face fines and imprisonment, with the severity depending on the nature and intent of the violation.
  4. Legal Action: Individuals or entities found in violation of HIPAA may face legal action, including civil lawsuits filed by affected individuals or the government. Legal proceedings can result in additional financial liabilities and reputational damage.
  5. Revocation of Covered Entity Status: A covered entity that consistently fails to comply with HIPAA regulations may face the revocation of its covered entity status. This could have severe consequences for its ability to participate in certain healthcare programs and services.
  6. Corrective Action Plans: Entities found in violation may be required to implement corrective action plans. These plans outline steps to address the identified deficiencies in HIPAA compliance and prevent future violations.
  7. Loss of Reputation: HIPAA violations can lead to a loss of trust and reputation within the healthcare community. Patients may lose confidence in healthcare providers or organizations that fail to adequately protect their sensitive health information.
  8. Monitoring and Audits: Following a violation, covered entities may be subjected to increased scrutiny, monitoring, and audits by regulatory authorities to ensure ongoing compliance with HIPAA regulations.
  9. Training Requirements: Entities found in violation may be required to implement additional training programs for staff to improve awareness and understanding of HIPAA regulations, aiming to prevent future breaches.
  10. Corrective Action: The Office for Civil Rights (OCR) may mandate corrective action to address identified vulnerabilities and ensure that the entity establishes and maintains comprehensive safeguards for PHI.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter https://twitter.com/DanielLHIPAA